Organisations are still ill-prepared to protect themselves against privileged access abuse – the leading cyber-attack vector, according to a recent survey conducted by Centrify in partnership with TechVangelism.
According to the report, 79 percent of the surveyed firms do not have a mature approach to Privileged Access Management (PAM), yet 93 percent believe they are at least somewhat prepared against threats that involve privileged credentials.
This overconfidence and immaturity are underscored by 52 percent of organisations surveyed stating they do not use a password vault, indicating that the majority of companies are not taking even the simplest measures to reduce risk and secure access to sensitive data and critical infrastructure.
The survey of 1,300 organisations across 11 industry verticals in the US and Canada reveals that most organisations are fairly unsophisticated and still taking Privileged Access Management approaches that would best be described as “Nonexistent” (43 percent) or “Vault-centric” (21 percent).
More sophisticated organisations take an “Identity-Centric” (15 percent) approach that tries to limit shared and local privileged accounts, replacing them with centralised identity management and authentication with an enterprise directory. The most protected organisations are considered “Mature” (21 percent) because they address PAM by going beyond vault- and even identity-centric techniques by hardening their environment further via a number of initiatives (e.g., centralised management of service and app accounts and enforcing host-based session, file, and process auditing).
“This survey indicates that there is still a long way to go for most organisations to protect their critical infrastructure and data with mature Privileged Access Management approaches based on Zero Trust,” said Tim Steinkopf, CEO of Centrify.
“We know that 74 percent of data breaches involve privileged access abuse, so the overconfidence these organisations exhibit in their ability to stop them from happening is concerning. A cloud-ready Zero Trust Privilege approach verifies who is requesting access, the context of the request, and the risk of the access environment to secure modern attack surfaces, now and in the future,” he added.
The study also revealed that 52 percent of organisations are using shared accounts for controlling privileged access. Furthermore, it found that 58 percent of organisations do not use Multi-Factor Authentication (MFA) for privileged administrative access.
The Centrify survey also highlighted that 51 percent of organisations do not control access to transformational technologies with privileged access, including modern attack surfaces such as cloud workloads (38 percent), Big Data projects (65 percent), and containers (50 percent).
Looking at organisations’ PAM maturity by industry, the study found that 39 percent of technology organisations have a Nonexistent approach to PAM, while two highly regulated industries, healthcare (45 percent) and government (42 percent), also score high for Nonexistent PAM maturity.
Meanwhile, the finance industry (27 percent) unsurprisingly scored highest in the Mature category, followed by energy/utilities (26 percent), and then technology (25 percent), as well as healthcare (22 percent). Finally, professional services is taking a highly Vault-Centric approach to PAM at 29 percent of organisations.
Industry research firm Gartner named PAM a Top 10 security project for 2019 and has predicted it to be the second-fastest growing segment for information security and risk management spending worldwide in 2019. However, a vault-centric approach is not enough for modern attack surfaces.