Organizations are not equipping themselves against privileged access management (PAM) abuse, according to a report by Centrify and Techvangelism. Nearly 80% of organizations were found not to have a mature approach to combating PAM cyber-attacks, yet 93% of the organizations surveyed believe they were somewhat prepared for threats that involve privileged credentials.
“This survey indicates that there is still a long way to go for most organizations to protect their critical infrastructure and data with mature privileged access management approaches based on zero trust,” says Tim Steinkopf, CEO of Centrify. “We know that 74% of data breaches involve privileged access abuse, so the overconfidence these organizations exhibit in their ability to stop them from happening is concerning.”
The report found that companies do not take "the simplest" of measures, with 52% stating they do not use a password vault. In fact, out of the 1,300 organizations across 11 industry verticals in the U.S. and Canada, 43% were identified as having a "nonexistent" PAM approach.
The survey also revealed that over half of the companies surveyed have questionable privileged access controls: 52% use shared accounts for privileged access; 58% do not use multifactor authentication (MFA) for privileged administrative access to servers; and 51% do not apply privileged access controls to transformational technologies, including modern attack surfaces such as cloud workloads, big data projects and containers.
Looking at industry-specific trends, 39% of technology organizations have a nonexistent approach to PAM, as do healthcare (45%) and government (42%), which are both highly regulated and handle sensitive data. The financial sector scored highest in the "mature" category, followed by energy and utilities (26%).
Cathy Hall, PAM practice lead at Sila Solutions Group, wrote about the best practice for PAM for Infosecurity Magazine in April 2019: "The best way to handle ... PAM ... isn’t to simply check a box to satisfy a mandate, it’s to view it as a mission. A mission-based approach ensures that you improve security across your whole enterprise over time, rather than only satisfying a limited, one-time mandate."