According BeyondTrust’s 2019 Privileged Access Threat Report, 64% of businesses globally believe they’ve likely had either a direct or indirect breach due to misused or abused employee access in the last 12 months, and 62% believe they’ve had a breach due to compromised vendor access.
In its fourth edition, the global survey explores the visibility, control, and management that IT organisations in the U.S., APAC, Europe and the Middle East have over employees, contractors, and third-party vendors with privileged access to their IT networks.
In the UK, poor security hygiene by employees continues to be a challenge for most organisations.
Employees sending files to personal email accounts, for example, was cited as a problem for 64% of organisations, while colleagues telling each other passwords was also an issue for 65% of UK organisations in 2019, which is a significant increase from 49% in 2018.
The report also highlighted over a third (35%) of UK businesses cite concern over unintended data loss when employees are using unsecured devices, and while 72% of UK organisations agree that they would be more secure if they restricted employee device access, this isn’t usually realistic or a viable solution, let alone conducive to productivity.
“Both internal employees and third-party vendors need privileged access to be able to do their jobs effectively, but need this access granted in a way that doesn’t compromise security or impede productivity,” commented Morey Haber, CTO and CISO of BeyondTrust.
“In the face of growing threats, there has never been a greater need to implement organisation-wide strategies and solutions to manage and control privileged access in a way that fits the needs of the user.”
Globally, the businesses surveyed reported an average of 182 vendors logging in to their systems every week.
In UK organisations, 46% say they have more than 100 vendors logging in regularly, highlighting the sheer scope of risk exposure, with 83% admitting they trust third party vendors accessing their networks, a slight increase to last year’s report.
Trust in employee privileged access was cited at 87% however, a decrease of trust from last year which was 91%.
In an age where data breaches have immense financial and reputational implications for businesses, it’s a stark reminder that UK organisations need to do more to assess the level of trust they place in their third-party vendors.
With GDPR coming into effect last year, it’s unsurprising that last year’s report found that compliance was one of the biggest drivers of cybersecurity strategies, however this year’s survey has found that high profile security breaches is the leading driver.
Almost half (43%) say that high profile security breaches not related to themselves is having a significant effect on the way they’re governing employee access, with GDPR compliancy taking a backseat as third most important (41%), and 42% citing concern of unintended data loss from unsecured data devices as driving their policies of employee network access.
The report further delves into the threats posed by emerging technologies. The risks associated with the Internet of Things (IoT) posed a big concern for the professionals surveyed, with 61% of UK businesses citing that IoT devices pose a threat to security.
Despite this, a majority (80%) are confident they know how many IoT devices are accessing their systems, and 81% are confident they know how many individual logins can be attributed to these devices. At the same time, 41% of security decision makers perceive at least a moderate risk from Bring Your Own Device (BYOD) policies.
The report did show that some organisations are managing these risks with a Privileged Access Management (PAM) solution.
From the research, these same organisations experience less severe security breaches and have better visibility and control than those who use manual solutions or no solution at all.
In fact, 90% of UK organisations with fully integrated PAM tools are confident they can identify specific threats from employees with privileged access.
Haber added, “As the vendor ecosystem grows, the threat landscape evolves and users should be granted specific role-based privileges.
“Organisations need to accept that the way to mitigate risks is by managing privileged accounts through integrated technology and automated processes that not only save time, but also provide visibility across the environment.”
“By implementing cybersecurity policies and solutions that also speed business efficiency, versus putting roadblocks in users’ way, organisations can begin to seriously tackle the privileged access problem.”