Even though 78 percent of organisations across the globe now have privileged credential protection as part of their cyber security policies, over half of all organisations lack complete visibility over how many privileged accounts they have or where they’re located, new research has revealed.
According to Thycotic’s 2019 State of PAM Maturity Report, merely having a privileged credential protection policy is not enough for organisations as long as they do not have complete visibility and control over such accounts or are not storing privileged accounts in secure vaults or password managers.
According to the firm, over half of the more than 450 organisations surveyed have no policy of expiring their privileged accounts, and 55 percent have no idea how many privileged accounts they have or where they are located. More than 85 percent of organisations have yet to adopt PAM security solutions or to automate the time-consuming, manual processes involved in storing privileged accounts.
More worryingly, fewer than one in five organisations store all of their privileged accounts in a secure privileged access management vault or password manager. According to Joseph Carson, a lack of visibility into how many unprotected privileged accounts exist in an organisation is an enormous risk.
“Because privileged accounts such as local admin and service accounts exist everywhere in multiple places throughout an organization, trying to manually discover and manage them is virtually impossible. Your first step should be automating privileged account discovery on a continuous basis so that you can see what you need to protect and what security controls should be in place,” he said.
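The discovery step Carson describes is easy to start on a single Windows host. The script below is an example added to this article, not code from the report or from Thycotic: it inventories the three account types the article mentions (members of the local Administrators group, service accounts, and local accounts with no effective password expiry) and writes them to a CSV that a scheduled job can collect from every host. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module, local administrator rights, and the 90-day password-age threshold and output path are arbitrary choices.

```powershell
# Added example (not from the report or Thycotic): inventory one Windows host's
# privileged accounts so a continuous discovery job has something to collect.
# Assumes Windows PowerShell 5.1+ (LocalAccounts module) run as a local admin.
# The 90-day threshold and the output path are assumptions, not report guidance.
param(
    [int]$MaxPasswordAgeDays = 90,
    [string]$OutPath = "$env:TEMP\privileged-inventory-$($env:COMPUTERNAME).csv"
)

$now = Get-Date
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Kind, [string]$Principal, [string]$Source, [string]$ObjectClass, [string]$Detail)
    $findings.Add([pscustomobject]@{
        Host        = $env:COMPUTERNAME
        Kind        = $Kind
        Principal   = $Principal
        Source      = $Source
        ObjectClass = $ObjectClass
        Detail      = $Detail
    })
}

# 1. Everyone in the local Administrators group: local users, domain users and
#    nested groups all count, because each is a privileged identity on this host.
Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop | ForEach-Object {
    Add-Finding -Kind 'LocalAdminMember' -Principal $_.Name `
        -Source $_.PrincipalSource -ObjectClass $_.ObjectClass -Detail ''
}

# 2. Services running under an identity other than the built-in service
#    accounts. These are the service accounts whose passwords rarely rotate.
$builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.StartName -and
        ($builtIn -notcontains $_.StartName) -and      # comparison is case-insensitive
        ($_.StartName -notlike 'NT SERVICE\*')         # skip virtual service accounts
    } |
    ForEach-Object {
        Add-Finding -Kind 'ServiceAccount' -Principal $_.StartName -Source 'Win32_Service' `
            -ObjectClass 'Service' -Detail "Service=$($_.Name); State=$($_.State); StartMode=$($_.StartMode)"
    }

# 3. Enabled local accounts whose password is older than the threshold, or whose
#    password age is unknown: evidence that no expiry policy is being applied.
Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
    $age = if ($_.PasswordLastSet) { ($now - $_.PasswordLastSet).Days } else { $null }
    if ($null -eq $age -or $age -gt $MaxPasswordAgeDays) {
        $detail = if ($null -eq $age) { 'PasswordLastSet unknown' } else { "PasswordAgeDays=$age" }
        Add-Finding -Kind 'StalePassword' -Principal $_.Name -Source 'Local' `
            -ObjectClass 'User' -Detail $detail
    }
}

$findings | Export-Csv -Path $OutPath -NoTypeInformation
$findings | Format-Table Kind, Principal, Source, Detail -AutoSize
Write-Host "Wrote $($findings.Count) findings to $OutPath"
```

Run it from a scheduled task or your endpoint management tool and ship the CSV to a central store; the point of the exercise is the diff between runs, since a new Administrators member or a service that has quietly switched to a domain account is exactly what manual review misses. Domain-joined estates should add Active Directory privileged groups (Domain Admins, Enterprise Admins and the like) on top of this per-host view.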
Hacking of privileged accounts can have far-reaching consequences
Earlier, Carson told TEISS in an interview that privileged account breaches can have far more serious consequences than breaches of accounts that lack privileges. Privileged accounts are essentially root-level accounts, or accounts that can create further accounts, so a breach there can have ‘catastrophic’ consequences for a business: once access has been obtained, malicious actors can go on to create and access accounts, create logs and steal information.
“Many organisations don’t realise that crucial accounts are covered by separate legislation and directives, including (and not restricted to) PCI-DSS, NIST, ENISA, GDPR, HIPAA, SOX and ASD in Australia and New Zealand. If a business doesn’t comply with the legal framework that applies to privileged accounts, it will fail its audits and it needs to start taking action now.
“Not protecting privileged accounts exposes organisations to compliance failure as well as data breaches. The difference is that when you compromise a non-privileged account, it allows the cyber criminal to use just one account: the emails of one person and the contacts of that one person.
“But with a privileged account, it is a major incident at that point. Organisations can be attacked thousands of times but breached probably just 100 times and it will be down to what kind of account got breached,” he added.
According to Carson, auditing together with two-factor and multi-factor authentication are key to protecting privileged accounts and then making doubly sure they are secure. Businesses need to make sure that a single password is never enough on its own to get in. Additional controls need to be in place, and putting privileged accounts into a privileged access vault that manages, rotates and secures their credentials is the easiest way to achieve that.