Yesterday, identity and privileged access management solution provider Thycotic released their “2018 Global State of Privileged Access Management (PAM) Risk & Compliance” executive report. The report is a global study of how enterprises handle and secure their privileged access accounts, as well as their failings in fully complying with PAM best practices. PAM is a serious concern for cybersecurity experts. Privileged access accounts are a highly desired and lucrative target for cybercriminals, as they can use them to access enterprise finances and valuable data such as intellectual property or consumer identity information.
Some of Thycotic’s findings indicate grounds for optimism: 80% of enterprises surveyed consider PAM an essential security concern. Granted, 60% of enterprises admit they need PAM to comply with governmental or industry regulations, so they do have a tangible incentive to protect their privileged access accounts. But that isn’t an issue for Thycotic: having this push is encouraging enterprises to embrace better PAM security practices. What worries Thycotic is that these incentives aren’t pushing enterprises far enough.
Thycotic’s report discovered:
- 62% of enterprises fail to provision for privileged access accounts.
- 51% fail to enact secure logins for privileged access accounts.
- 73% don’t remove default or test accounts on their applications before they go into production.
- 70% of enterprises fail to discover all of the privileged access accounts in their networks
- 40% never look for all their privileged accounts.
- 55% fail to revoke permissions after a privileged employee is removed.
- 63% don’t have security alerts in place for failed privileged access account login attempts.
Not following best practices in securing privileged access accounts can leave enterprises vulnerable not only to failed governmental audits but also to undetected by devastating data breaches. Thycotic recommends that enterprises audit privileged accounts (with the audit logs under heavy security themselves to prevent tampering), strictly control third-party contractor access, and automate account lifecycles.
You can download the full report here.
Latest posts by Ben Canner (see all)
- What are The Key IDaaS Capabilities for Enterprises? - October 16, 2019
- What are “Pass the Hash” Attacks? How Can Your Enterprise Prevent Them? - October 16, 2019
- What’s Changed: 2019 Gartner Magic Quadrant for Identity Governance and Administration (IGA) - October 14, 2019