Over a third of government and enterprise users have been given privileged access despite not needing it, potentially exposing their organization to greater cyber-risk, according to Forcepoint.
The security vendor polled nearly 1,900 privileged users in the UK and US to better understand the current risk of insider threats.
Of the 36% of government and 40% of enterprise respondents who said they didn’t need privileged access, over a third said everyone at their level has privileged access. A similar number said that privileged access from a previous role had not been revoked when they changed jobs, while around a quarter claimed they were granted elevated access rights for no apparent reason.
Operating an access policy of “least privilege” is widely accepted to be cybersecurity best practice. Forcepoint argued that granting excessive privileges can undermine security because users may access sensitive data out of curiosity, be pressured to share their rights with others, and believe they are empowered to access all the info they can view.
Worse still, only half (48%) of government respondents said privileged users are vetted through background checks. Just 46% of government and 52% of enterprise respondents said their organization can effectively monitor privileged user activities, while even fewer (11% and 14%) were confident their organization has visibility into user access.
A lack of unified visibility from a single tool, and challenges around change management with outsourcing and offboarding, were both highlighted as issues.
Privileged abuse can also be hard to spot because of a lack of contextual insight from security tools, high false positive rates and info overload, the report claimed.
“Without granular visibility — visibility not just into who has access, but what they’re doing with it — organizations can’t detect or react to compromised or malicious access fast enough to stay protected,” said Forcepoint director of global government and critical infrastructure, Carolyn Ford.
“The key principle here is a zero-trust motto: ‘never trust, always verify’, particularly since the privileged user threat shows no sign of diminishing. Economic pressure leads to short-staffed companies, which leads to stressed employees who are more likely to cut corners in ways that threaten security. Especially now, real-time visibility into user access and actions should be non-negotiable.”