Corporate fraud is at new highs. Cybersecurity threats are burdening small and medium-sized businesses (SMBs) and large enterprises alike. And yet, according to analysts at BeyondTrust, professionals are still using passwords like “12345” to protect their systems.
While cybersecurity experts recommend that organizations deploy a Privileged Access Management (PAM) solution — a tool that enables businesses to consolidate and track employee access to various accounts — BeyondTrust’s latest report suggests businesses are seriously lacking in their efforts to deploy a more robust security strategy.
Its “The Five Deadly Sins of Privileged Access Management” report explores the results of a survey conducted in June, which assessed the security practices of 474 IT professionals at companies around the globe.
Research from The Forrester Wave found that 80 percent of data breaches at SMBs are the result of abuse or misuse of privileged credentials. That is, enterprises without a PAM solution are seeing their own workers obtain credentials that improperly grant them access to privileged systems and company information.
IT professionals know PAM strategies are important: They were cited as the most crucial security measure for their firm, followed by privileged session management and privileged elevation management. Despite the focus on PAM, IT professionals told BeyondTrust that there are some serious corporate security lapses. Nearly 80 percent said they believe users are sharing their own passwords with other employees, while 76 percent said professionals aren’t changing the default passwords given to them. Three-quarters said their organizations’ team members are using weak passwords.
More than a fifth said they have experienced a security issue at their firm because of password sharing, and likewise because users have been allowed to run as administrators on their machines. A fifth said they experienced a security issue because professionals are reusing the same password for multiple systems.
There are other troubling revelations in the report as well. For instance, BeyondTrust noted that many IT professionals rely on Sudo, a free solution that enables system administrators to delegate which employees gain access to which systems. But less than a third of IT executives surveyed said Sudo fully meets their needs. Plus, researchers warned, Sudo does not adequately protect systems from cyberattacks.
“Why trust the security, compliance or continuity of your business to a free tool with known best practice flaws?” BeyondTrust asked, noting that IT professionals cited the time-consuming, complex nature of Sudo as key hurdles to using the tool.
With all of this in mind, it’s no wonder that privileged access is often a factor in cyberattacks on the enterprise. A fifth of survey respondents told researchers that a cyberattack combining privileged access with exploitation of an unpatched vulnerability in their systems is “common.” These attacks include ransomware, the report noted, and “thrive” on the ability to gain privileged access to systems and accounts.
According to BeyondTrust, organizations’ rapid migration to the cloud means small businesses should be prioritizing privileged access management and rethinking their corporate security strategies overall.
But more than a third of the IT professionals surveyed said they are not protecting SaaS (software-as-a-service) cloud applications from privileged access abuse.
“It is not up to the provider to protect your cloud workloads,” BeyondTrust warned. “It is up to IT. Privileged access must be secured consistently across all channels — on-premises, IaaS [infrastructure as a service], SaaS and PaaS [platform as a service].”
While IT executives know that they must protect privileged accounts, remove users’ admin rights, patch vulnerabilities in their systems and deploy stronger cybersecurity solutions for their on-premises and cloud-based systems, many of these efforts are deployed inconsistently across the enterprise.
“Personally identifiable information must be protected at all costs,” the report concluded. “Otherwise, organizations can face costs of up to $4 million per year, mitigating the damages of unwanted access to it.”