By The Numbers: Privileged Access Management

It’s been proven time and time again: unmanaged, unmonitored privileged accounts are an easy target for both external attacks and malicious insiders— just take a look at some recent data breaches and chances are high the malicious party used a compromised privileged account to increase their permissions.

Due to this common practice Privileged Access Management (PAM)— the monitoring and protection of super user accounts— has emerged as one of the most important aspects of Identity and Access Management (IAM) , and cyber security writ large, today.

Despite this, it can be difficult to get those in decision-making positions to allocate resources for a full-fledged Privileged Access Management Initiative, so where can you start?

One surefire way to understand (or make someone else understand) the importance of securing privileged accounts is to start with cold hard facts. By assessing current statistics and those projected for the future we can get a good sense of both the need for privileged account management and where the market is headed.

We’ve gathered a number of statistics for leading research and surveys that demonstrate the extent to which privileged access management can impact organizational security, and how the market will change and grow in the coming years.

For starters, according to Forrester Research’s most recent Wave report on Privileged Access Management:

• 80% of security breaches involve privileged credentials.

And those breaches aren’t just a flash in the pan, according to Verizon’s 2017 Data Breach Investigations Report (DBIR), which found that:

• 82% of data breaches caused by insider misuse took over a week to detect, up from 70% in 2016.

Those numbers are disastrous, and security professionals are taking note, according to The 2016 State of Privileged Account Management Report from Thycotic and  Cybersecurity Ventures:

• 80% of IT security professionals consider Privileged Account Management security a high priority.
• 60% of IT security professionals Indicate that PAM security is required to demonstrate compliance with government regulations.

However, public sector employees seem to be lagging behind in their adoption of PAM solutions, according to recent research from Tripwire Inc. and Dimensional Research:

• 30% of federal government respondents to Tripwire’s survey disclosed they are not able to detect every non-privileged user’s attempt to access files.
• Despite this, 73% of federal government respondents assume their system would generate an alert or email within hours if a user inappropriately accessed file shares.

But perhaps public sectors should pay more attention, because according to the Verizon’s 2016 DBIR:

• The public sector reported more security incidents than any other industry in 2015 with privileged access misuse and non-malicious events making up nearly half (46%) of the reported incidents.

That’s a lot of damage. So what are organizations doing to mitigate that risk? Shockingly little, according to Thycotic’s 2016 State of PAM report, which found that:

• 66% of organizations still rely on manual methods to manage privileged accounts.
• Just 10% of organizations have implemented an automated security vendor solution.
• 20% of organizations have never changed their default passwords on privileged accounts.
• 30% of organizations allow accounts and passwords to be shared.
• 40% of organizations use the same security for privileged accounts as standard accounts.
• 70% of organizations do not require approval for creating new privileged accounts.
• 50% of organizations do not audit privileged accounts.

Despite these disheartening numbers, things seem to be trending in the right direction, at least so far as government regulation goes.

By the end of 2017, more stringent regulations around control of privileged access will lead to a rise of 40% in fines and penalties imposed by regulatory bodies on organizations with deficient PAM controls that have been breached, according to Gartner Inc.’s 2015 Market Guide for PAM.

By 2018, Garter predicts that 50% of organizations will use authentication methods other than passwords for administrative access, up from 20% in 2015.

And watch this for the 10 Best Resources for Evaluating IAM solutions: