Global organisations believe they’ve likely had either a direct or indirect breach due to misused or abused employee access in the last 12 months, according to a recent report by BeyondTrust.
The report, which explores the visibility, control, and management that IT organisations across the globe—including the UAE and Saudi Arabia―have over employees, contractors, and third-party vendors with privileged access to their IT networks, found that 64 percent of global firms think they’ve likely had suffered either a direct or indirect breach due to a misuse of employee access. It also found that 62 percent believe they’ve had a breach due to compromised vendor access.
Poor security hygiene by employees continues to be a challenge for most organisations. Writing down passwords, for example, was cited as a problem by 60 percent of organisations, while colleagues telling each other passwords was also an issue for 58 percent of organisations, a steady increase from 2018’s statistics.
The report also highlighted regional differences, with only 28 percent of Middle East businesses expressing worries about employees downloading data onto a memory stick, while 42 percent see this as an issue in APAC. Ultimately, 71 percent of organisations agree that they would be more secure if they restricted employee device access. However, this isn’t usually realistic, let alone conducive to productivity.
“Both internal employees and third-party vendors need privileged access to be able to do their jobs effectively, but need this access granted in a way that doesn’t compromise security or impede productivity,” said Morey Haber, CTO and CISO, BeyondTrust. “In the face of growing threats, there has never been a greater need to implement organisation-wide strategies and solutions to manage and control privileged access in a way that fits the needs of the user.”
The businesses surveyed reported an average of 182 vendors logging in to their systems every week. At organisations with 5,000+ employees, 23 percent say they have more than 500 vendors logging in regularly, highlighting the sheer scope of the risk exposure.
This year’s report uncovered that trust in vendor access is now lower than trust in employee access, with only one in four (25 percent) saying they completely trust vendors, in comparison to 37 percent of employees. This is a stark comparison to last year’s report, where 72 percent of businesses admitted that they have cultures that are too trusting of third parties. In an age where data breaches have immense financial and reputational implications for businesses, it’s a positive step that these organisations are now assessing the level of trust they place in their third-party vendors.
The report also delves into the threats posed by emerging technologies. The risks associated with the Internet of Things (IoT) posed a big concern for the professionals surveyed, with the visibility of logins from IoT devices revealed as the most pressing issue.
Three quarters (76 percent) are confident they know how many IoT devices are accessing their systems, while four in five are confident they know how many individual logins can be attributed to these devices. At the same time, 57 percent of security decision makers perceive at least a moderate risk from Bring Your Own Device (BYOD) policies.
The report did show that some organisations are managing these risks with a Privileged Access Management (PAM) solution. From the research, these same organisations experience less severe security breaches and have better visibility and control than those who use manual solutions or no solution at all. In fact, 90 percent of those with fully integrated PAM tools are confident they can identify specific threats from employees with privileged access.
“As the vendor ecosystem grows, the threat landscape evolves and users should be granted specific role-based privileges. Organisations need to accept that the way to mitigate risks is by managing privileged accounts through integrated technology and automated processes that not only save time, but also provide visibility across the environment,” Haber added. “By implementing cybersecurity policies and solutions that also speed business efficiency, versus putting roadblocks in users’ way, organisations can begin to seriously tackle the privileged access problem.”
