Securing the Keys to the Kingdom: Keep Your Privileged Users Aware
You know you’ve got them.
Employees with nearly unfettered access to every nook and cranny of your organization’s network, devices, and servers. While often a necessity in the digital age, privileged users represent a huge cybersecurity risk that you should not overlook.
InfoSec professionals say privileged users hold the “keys to the kingdom,” and for good reason. A single ring of digital keys, in the form of privileged credentials, can give an attacker access to reams of corporate information.
Privileged Users, Increased Risk
Finances, individual user accounts, sensitive client information. All are just a few keystrokes away for the cybercriminal who uses privileged credentials to breach your network.
It’s no surprise, then, that security experts often cite compromised privileged user access as a factor in many of the highest-profile data breaches in recent years. A CyberArk analysis of some of 2013’s highest-profile attacks found that privileged accounts were on each hacker’s attack path 100% of the time.
Long story short: privileged user access is, and will remain, a high-value target for cyberattackers.
Lack of Privileged User Awareness
With this much at stake, the results of a new report on the state of privileged user security management are troubling, to say the least. A joint Thycotic/Cybersecurity Ventures survey of 500 IT security professionals found that 52% of those surveyed received a failing grade on privileged account security. This, despite the fact that 80% of respondents considered privileged user security a high priority.
“Weak privileged account management is a rampant epidemic at large enterprises and governments globally,” Steven Morgan, Cybersecurity Ventures founder and CEO, told CSO Online.
“Privileged accounts contain the keys to the IT kingdom, and they are a primary target for cybercriminals and hackers-for-hire who are launching increasingly sophisticated cyber-attacks on businesses and costing the world’s economies trillions of dollars in damages.”
The report also found:
- 30% of organizations had not communicated the importance of following privileged user security policies to stakeholders
- 50% do not audit privileged user account activity
- 30% allow accounts and passwords to be shared
Beyond the Technical
Many technical solutions exist to combat cyber assaults against privileged users. The report recommends free tools that discover unknown and untracked privileged accounts within an organization’s network.
Additionally, IT departments can often automate privileged account management. This eliminates the need for manually updated spreadsheets containing privileged user account credentials (surprisingly, 66% of those surveyed still relied on such manual methods).
But behind most privileged accounts is a flesh-and-blood privileged user. An employee with (most likely) the best intentions in mind, but also the capacity to make costly mistakes. Cyberattackers know this, as shown by the fact that 74% of phishing email links in 2015 were after login credentials.
Just as privileged users hold the keys to the kingdom, looking at this threat from a human perspective is the key to success. That’s why we developed security awareness training targeting privileged users. We designed the training to drive home the importance of a privileged user’s unique responsibilities.
The goal: create informed privileged users who can recognize threats and make better decisions that reduce risk.
Course topics include:
- Who are Privileged Users?
- Insider Threats
- Prohibited Actions
- Managing Privileged User Access
- Consequences of Noncompliance