People are never satisfied are they? They want security, but they don’t want the weight of all that armor.
Our annual Privileged Access Management survey showed up some interesting results around the proliferation of admin rights in the workplace. Between May and June 2017, 474 IT professionals told us that even though they were highly suspicious of too many administrators on their network, their organizations allowed it anyway.
We all know that more admin rights in more places means more headaches and more cracks through which adversaries can slip through. Our respondents did too – 71%, nearly three quarters, called it a high risk for their firms; a further 21% said that it caused frequent security problems. Despite all this, 38% admitted they work within organizations that allow users to have admin access. Perplexing, no?
This is the kind of perpetual contradiction that so many people within IT face. We all know that liberally granted admin rights lead to trouble, but it's also troubling to be seen as an encumbering force within an organization that's devoting its energy to efficiency.
More on that later. To start with the problem at hand, more admin rights means granting more people the keys to the kingdom, which whether they know it or not, leaves them with enormous power and potential for destruction. It means more holes in your organization and more paths for an attack to spread.
Obviously, you want as few of these as possible and you want those with admin rights to be well defined and rigorously enforced. Even bosses don’t strictly need administrator privileges and as hard as it might be to tell that to your employers, they’re often safer without those rights.
If some unfortunate user with admin rights clicks on the wrong link and finds him or herself the patient zero of a ransomware attack, the account can then spread its infection to the users it has admin rights over. Proliferate admin rights are the catalyst to full business paralysis, which our survey showed has cost respondents over £4 million in the last two years. Not good.
Cyber-criminals will be looking for these special individuals. The new version of the Petya ransomware can devastate networks when deployed on an admin account, overwriting the Master Boot Record and preventing a system from starting until the ransom is paid. The revelation here is not just the damage it can do if aimed at the right user, but how simple it is to prevent. Merely removing admin rights or running a reigning in privileges can pretty much nip this in the bud.
It's not just the case with user’s excessive rights. Bad password practices must also be considered. The same study revealed that 79% of organizations who responded to the survey report that users share passwords with other users.
Also there’s the problem of a rogue user, whether malicious or foolish, tampering with security settings, accessing files they shouldn't or otherwise messing with important parts of the network.
It should be said that our survey’s respondents were not just onlookers, but people who were centrally concerned with this area: 83% ranked privileged account management as extremely important factor in their jobs, perhaps suggesting that basic user rights are often not enough for people to do their jobs.
People struggle with the difference between home computing, where you can do pretty much anything you want, and the often rigid rules of using their employer’s tech.
While the line between those two worlds is quickly eroding, the distinction is an important one. Users are free to download, share and configure whatever they want at home - the masters of their own destiny - but the office, and even BYOD, requires a strict enforcement of position and access rights when it comes to computing.
This, quite understandably, is vexing to many users, and bosses, who find those policies to be frustrating barriers obstructing an efficient workflow. To be fair, they often are. Not being share documents with certain accounts, or use and update particular kinds of software can be a real pain in the ass to those who don’t understand the reason for these rules.
Still, it's a border which must be enforced, even in organizations with a generous BYOD policy. That said any security policy must revolve around those that are going to be grappling with it. Anything that's too rigid will also be brittle and shatter when thrown into the hands of a user.
As an organization’s security needs evolve, rights and privileges can be doled out over time and securely. Any security policy must be flexible enough to withstand what employees need to do their jobs, but that doesn't have to mean granting them the keys to the kingdom.