Main problem insider and third-party access

Despite a growing awareness of the dangers posed by misuse of administrative privileges, most organizations continue to allow a variety of unsecured, privileged access from inside and outside their mission-critical IT systems and data, writes access solutions company Bomgar. Many organizations trust employees and third-party vendors alike without taking technical precautions to manage, control and log the activities of individual users, teams and organizations on IT systems and networks.

What does the safety study say?

In the safety study "2017 Secure Access Threat Report", respondents identify two main threats to enterprise security: insider and third-party access. The research, commissioned by Bomgar, surveyed more than 600 IT professionals from Germany, France, the UK and the US. The feedback came from a wide range of industries - from IT and telecommunications to finance, industry and energy. Both the company's own employees and users such as freelancers or on-site contractors are categorized as insiders, while external (outsourcing) service providers or manufacturers with access to business IT systems fall under the umbrella term third-party providers.

The report shows that 90 percent of security professionals mostly trust their own employees with privileged access rights, but only 41 percent trust them completely. Paradoxically, security executives grant wide-ranging access rights to employees even though they are well aware of the threat posed by internal security breaches. While the majority do not worry about malicious insider attacks, there are legitimate concerns that privacy rules may be inadvertently violated or that administrator rights and privileged credentials may fall into the hands of cybercriminals. Still, 37 percent of organizations surveyed lack the necessary visibility into employee activity, and 33 percent of survey respondents fear that former employees may still have access to corporate networks.

Best practice recommendations for IT security

Generally, employees prove to be productive and responsible in their daily work environment and do not pursue malicious intentions, but sometimes various IT security best practice recommendations are circumvented to speed up work processes. For this reason, there is a growing need for access solutions that address productivity and usability criteria by seamlessly integrating with commonly used applications and processes without neglecting IT security requirements.

"It only takes one employee to compromise a company's security. Many of the most headline-grabbing data breaches had their starting point in compromised credentials," emphasized Matt Dircks, CEO at Bomgar. "To avoid risk, therefore, organizations must start by controlling, managing and monitoring privileged access on their networks. And the security study documents that many organizations have some catching up to do when it comes to privileged access risk management. Internal data breaches, whether intentional or unintentional, are sometimes only discovered after weeks, months or years - with correspondingly high damage potential for the affected company."

Frequent third-party security breaches

The security study further documents that such security breaches through third-party access are common. External service providers are firmly integrated into the business processes of organizations. On average, 181 third-party service providers have privileged access to corporate networks every week - more than double the previous year's figure. Over the past two years, the number of connected third-party service providers has grown at 81 percent of the companies surveyed, up from 75 percent the previous year.

With such a high number of third-party vendors with elevated access rights, it is not surprising that more than two-thirds (67 percent) of the companies surveyed say they have already been "definitely" (35 percent) or "probably" (34 percent) affected by a security breach caused by third-party vendors. While 66 percent of security professionals surveyed acknowledge that they give third-party vendors too much credit, this realization is not yet reflected in a change in behavior. Control and management processes for third-party vendors with privileged access rights remain lax: Only 34 percent of respondents are absolutely certain they can track vendor log-ins, and at 37 percent, only a similarly low percentage of managers are confident they know the number of third-party vendors accessing internal IT systems.

"As with insider threats, privileged access from third-party vendors also leads to numerous network security risks. IT security professionals must strike the right balance between the business needs for access to their IT systems and the security issue - whether the access comes from within or from external vendors," added Dircks. "The IT landscape is becoming more complex with third-party vendors, so privileged access management must also keep pace with appropriate technologies and processes to increase visibility to access activities on the corporate network without hindering business workflows."  Press release Bomgar