Bad practice is putting data at high risk
A study conducted with the analyst company Quocirca has found that, despite their trusted position, privileged users are frequently the weakest link in the corporate security chain, because of poor management, inefficient manual processes and a lack of awareness.
The study’s findings point to a real risk of privileged user accounts being compromised, mirroring the ongoing case of Gary McKinnon, who gained access to the Pentagon’s IT systems. While many of the 270 medium and large European organisations surveyed claimed to take steps to protect confidential data, including highly personal customer information, 41 percent of supposedly ISO27001-compliant organisations admitted to non-compliant practices such as sharing privileged user accounts.
Across Europe, 24 percent of organisations rely on some form of manual control to oversee and restrict the actions of privileged users; in the UK this figure rises to 29 percent. Manual control is time-consuming, expensive, unreliable, prone to error and, most importantly, cannot be audited. Despite the availability of privileged user management (PUM) systems, only 26 percent of the European organisations surveyed have deployed them in full.
The research reveals that controlling and monitoring the activities of privileged users is not sufficiently high on the agenda of IT managers, despite the huge amount of trust placed in those users. Respondents rank the threat from privileged users below seven other security threats to the organisation (scoring 2.54 out of five on an index of threat), including malware (2.9), the Internet (2.7), internal users (2.7) and Web 2.0 tools (2.6). Budget availability may be one reason for this hesitation (scoring 3.3 out of 5 on the scale of limiting factors), although 85 percent state that spending on IT security is either stable or increasing as a proportion of overall IT spending. Ultimately, the other main reason for holding back is likely to be an under-appreciation of the risks presented by privileged users.
Of the 270 organisations questioned, 45 were based in the UK. While 47 percent of UK organisations have implemented ISO27001, the information security management standard that explicitly states that “the allocation and use of privileges shall be restricted and controlled”, nearly 30 percent of respondents had not heard of it. Furthermore, only 44 percent of UK organisations could confirm that administrator accounts were not shared between individual administrators.