A fundamental lack of IT security awareness in enterprises, particularly in the arena of controlling privileged logins, is potentially paving the way for a further wave of data breaches. Just over 13% of IT security professionals in a survey from Lieberman Software admit to being able to access previous employers’ systems using their old credentials.
Of those who can still access their former employers’ systems, nearly 23% can get into their previous two employers’ systems using old credentials. And, shockingly, more than 16% admit to still having access to systems at all previous employers.
“Investments in security for technology, people and processes have been meager, at best, in most organization for many years,” Philip Lieberman, CEO and president of the company, told Infosecurity in an interview. “With an eye on ROI rather than maintaining continuity (although I could counter with the question ‘what’s the ROI on remaining in business?’), many C-level executives have been strongly discouraged from implementing anything other than the minimum security required by law.”
When an employee does leave the company, it’s imperative to ensure that he or she is not taking the password secrets that can gain access to highly sensitive systems. Yet, nearly one in five (more than 16%) of respondents admit that they do not have, or don't know if they have, a policy to ensure that former employers and contractors can no longer access systems after leaving the organization.
The good news in the report is the fact that the remaining 84% of organizations do have a policy to ensure contractors cannot access corporate systems after they leave the company. But that’s still a bare minimum for what should be done.
Current employees are of concern as well: almost one quarter of employees surveyed said that they work in organizations that do not change their service and process account passwords within the 90-day time frame commonly cited as best practice by most regulatory compliance mandates. Lieberman pointed out that users who run with elevated privileges can introduce all sorts of IT headaches by downloading and installing applications, and changing their system configuration settings. An organization would be wise to strictly control and monitor the privileged actions of its users.
“First, get control over privileged accounts,” counselled Lieberman. “Start by generating unique and complex passwords for every individual account on the network – and changing these passwords frequently (no more shared or static passwords). Then, make sure you’re securely storing current passwords and making them available only to delegated personnel, for audited use, for a limited time (no more anonymous and unlimited privileged access – for anyone).”
Better still, companies should automate the entire process with an enterprise-level privileged identity management approach.
“In addition to standard security protocols, it’s becoming critical to develop a risk score for your privileged users,” explained Lieberman. “That way, when users exhibit poor behavior while logged into their powerful privileged accounts, you can be immediately alerted and respond to the threat.”
In the wake of the Edward Snowden NSA scandal, and of the Target breach, which originated with a compromise of privileged access given to a contractor, one would think that corporations would feel that minimizing the insider threat and the attempts of sophisticated criminal hackers to groom those with privileged accounts would be of tantamount importance. But, Lieberman said that fundamental attitudes toward breaches tend to run to the reactive rather than the preventative. He cited a “half-life mentality of opening the pocketbook for security investments immediately after a data breach occurs, but then diminishing back to basic security after a few months.”