Organisations are allowing too many employees to enjoy admin rights to promote efficiency and convenience, but are, in the process, making themselves vulnerable to insider threats, phishing attacks, and ransomware infections.
Despite the bulk of employees considering too many users with admin rights a high-risk issue, organisations allow their use anyway.
Earlier this year, a survey of 175 security professionals from across Europe revealed that as many as 94 per cent of users prioritised employee productivity over security concerns, indicating that the focus was always on getting the job done, no matter how risky it was.
More worryingly, 64 per cent of security professionals admitted that they had to modify security to allow employees more freedom to work, and 40 per cent even turned off security firewalls to accommodate requests from various departments.
This rampant disregard for security concerns at organisations has led to a rise in insider threats, data loss, crippling ransomware attacks, and phishing attacks in the last few years even as organisations are embracing advanced digital technologies and cloud solutions to improve their services.
'While it isn’t a shock that users prioritise productivity and convenience over security, we’ve always assumed the IT security team set the agenda when it comes to protecting IP, customer data, and the network. But it’s clear they are often overruled and executive leadership may not be aware of these competing priorities,' said Ian Pratt, co-founder at Bromium.
This lack of concern for cyber security has now been confirmed by a fresh survey of 474 IT professionals by Beyond Trust, a firm that offers privilege and vulnerability management solutions.
According to Brian Chappell, Senior Director for Enterprise & Solution Architecture at Beyond Trust, organisations are allowing too many employees to enjoy admin rights even though the practice leaves such organisations vulnerable to leaks as well as external cyber-attacks.
The survey revealed that even though 71% of IT professionals consider the rampant use of admin rights a high-risk factor, and a further 21% admit that such usage causes frequent security problems, 38% of them said that their organisations are allowing too many employees to enjoy admin rights for the sake of convenience and efficiency.
Writing for Infosecurity Magazine, Chappell said that 'this is the kind of perpetual contradiction that so many people within IT face. We all know that liberally granted admin rights lead to trouble, but it's also troubling to be seen as an encumbering force within an organization that's devoting its energy to efficiency.'
'People struggle with the difference between home computing, where you can do pretty much anything you want, and the often rigid rules of using their employer’s tech,' he added.
The survey revealed that changing this practice could take considerable effort, considering that employees have become accustomed to using admin rights to get their work done. As many as 83% of IT professionals told the surveyors that privileged account management is a very important factor in their jobs. What's more, in 79% of organisations, users also share passwords with each other to improve the efficiency of their departments.
What's the way out?
According to security firm Bromium, there is a need to introduce new security guidelines and processes that do not interfere with user access and employee productivity.
Employees can check emails, download and open attachments and click on website links without worrying about phishing attacks if CPU-enforced micro-virtualization is in place. This technique isolates applications, email downloads, files and web browsing in a disposable environment, thereby protecting users from malicious attacks.
'Virtualization-based security works silently and unobtrusively protecting each activity and can even be used to allow the malware to run because it can’t get out of the micro-VM. This way security doesn’t impact the user experience or their productivity, meaning there is no need to ‘turn it off’ when it becomes inconvenient,' the firm said.
Considering that employee productivity is key to a business's success and survival, businesses must ensure that security firewalls do not impede productivity. However, ensuring the security of customer data and internal databases is equally paramount. The GDPR will impose heavy fines on enterprises that fail to protect such data, so compromising security practices to boost productivity may backfire in the long run.
Strong BYOD policies
The National Cyber Security Centre has provided a framework that aims to help organisations develop watertight BYOD (Bring Your Own Device) policies so that sensitive data is not placed at risk even if all employees are allowed to use their personal devices at work.
The centre suggests that organisations' BYOD policies must be aimed at preventing any unauthorised devices from accessing sensitive business or personal information, and ensuring that authorised devices are only able to access the data and services organisations are willing to share with BYOD employees.
Even though 7 out of 10 organisations in the UK have embraced BYOD over the years, and the number is set to rise significantly in the near future, many of these organisations have been slow to create formal BYOD policies that protect corporate and customer data.
'For enterprises to have full visibility into who has access to what, understanding the ‘who’ in that equation is more important than ever. This is why putting identity at the center of security strategies is the best approach for defending and protecting today’s modern enterprise,' said Juliette Rizkallah, CMO at SailPoint.