Privileged users are often the weak link in the corporate security chain despite their trusted positions, European companies were warned at the RSA security conference in London this week.
A survey of 270 medium and large European organisations, conducted by research company Quocirca on behalf of IT management specialists CA, found that organisations remain unaware of the risks posed by privileged users such as IT managers or senior management, owing to poor management, inefficient manual processes and a lack of awareness.
Somewhat alarmingly, 41 percent of supposedly ISO27001 compliant organisations admitted non-compliant practices such as sharing privileged user accounts. And despite the availability of privileged user management (PUM) systems, only 26 percent of European organisations surveyed have actually deployed them in full.
“While such access [privileged access] is necessary, it is most commonly managed on an ad hoc basis and, despite claims to pay heed to the requirements of regulators, requirements with regard to privileged users are often overlooked,” said Simon Godfrey, Director of Security Solutions at CA.
Godfrey warned that it was in the best interests of companies to have measures in place to control and monitor privileged users. “The deployment of PUM tools enables this and allows organisations to mature their use of PUM over time,” said Godfrey. “Privileged user management is key to compliance, to reducing risk exposure, and to protecting critical business applications.”
At present, 24 percent of organisations in Europe (29 percent in the UK) rely on manual controls to oversee what privileged users do. Manual control is time consuming, expensive, unreliable and prone to error, and, most importantly, it leaves no trail that can be audited.
The survey also revealed that controlling and monitoring the activities of privileged users is well down the list of priorities for IT managers at the moment. Respondents ranked PUM below seven other security threats to the organisation, including malware, the Internet, internal users and web 2.0 tools.
The survey also highlighted differences between countries. The French are the naughtiest in this regard, with 60 percent admitting they were most likely to share administrator accounts between individual administrators, followed by Belgium (also 60 percent) and the Netherlands (53 percent). The UK scored 38 percent.
As an ISO27001 accredited IT firm I find that statistic pretty shocking!
Our approach to information security is the same as our approach to quality and environmental management standards: we integrate the necessary procedures directly into our business software systems. You cannot rely on people to follow procedures to the letter, so instead you design the processes such that the systems work neatly with the human procedural elements.
For example, our system will not let you put a server live if one of the hard disks is labelled as "dirty" (used for customer data) in our asset management system. That status gets removed by running a script to dd zeros to the entire disk several times, but the procedure is mostly automated, thus preventing human error. Other examples include our complete logging and tracking of all users' activity (regardless of privilege level) and fail-safes to prevent mass downloading of sensitive databases.
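The pattern the comment above describes, as an added example that is not the commenter's own code (nor CA's): the asset inventory, not a checklist, decides whether a server may go live, the wipe script is the only thing that clears a disk's "dirty" flag, and every decision is appended to an audit log so the process is auditable after the fact. The inventory format (server,disk,status), the file-backed demo "disks", the function names and the audit log path are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original comment or article). Encodes the rule
# "a server with a dirty disk cannot go live" and "only a verified wipe clears
# the dirty flag" in scripts rather than in a procedure people must remember.
# Assumptions: an inventory CSV with lines "server,disk,status", disks given
# as paths, and an audit log file. The demo uses temp files as disks.
set -u

# demo_setup: build a throwaway inventory with one server (web01) whose first
# disk is still marked dirty. The disk is a 1 MiB file of random bytes that
# stands in for customer data (constructed sample data, not a real device).
demo_setup() {
    DEMO=$(mktemp -d)
    INVENTORY="$DEMO/inventory.csv"
    AUDIT_LOG="$DEMO/audit.log"
    DISK="$DEMO/sda"
    dd if=/dev/urandom of="$DISK" bs=512 count=2048 2>/dev/null
    : > "$DEMO/sdb"
    printf 'server,disk,status\nweb01,%s,dirty\nweb01,%s,clean\n' \
        "$DISK" "$DEMO/sdb" > "$INVENTORY"
    : > "$AUDIT_LOG"
}

# audit ACTION DETAIL: append a timestamped, attributable line. Every state
# change goes through here, so the process can be audited rather than taken
# on trust. SUDO_USER is preferred so "root" does not hide who really ran it.
audit() {
    printf '%s user=%s action=%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "${SUDO_USER:-$(id -un)}" "$1" "$2" >> "$AUDIT_LOG"
}

# disk_status SERVER DISK: print the inventory status of one disk.
disk_status() {
    awk -F, -v s="$1" -v d="$2" '$1==s && $2==d {print $3}' "$INVENTORY"
}

# can_go_live SERVER: succeed only if no disk of SERVER is marked dirty.
# This is the gate the deployment tooling would call; it cannot be skipped.
can_go_live() {
    dirty=$(awk -F, -v s="$1" '$1==s && $3=="dirty" {print $2}' "$INVENTORY")
    if [ -n "$dirty" ]; then
        audit go-live-refused "server=$1 dirty=$(printf '%s' "$dirty" | tr '\n' ',')"
        echo "REFUSED: $1 still has dirty disk(s): $dirty" >&2
        return 1
    fi
    audit go-live-approved "server=$1"
    echo "OK: $1 may go live"
}

# wipe_disk SERVER DISK [PASSES]: overwrite DISK with zeros PASSES times
# (default 3), verify that no non-zero byte remains, and only then flip the
# inventory entry to clean. A failed dd or a failed verification leaves the
# flag as dirty, so the go-live gate keeps refusing.
wipe_disk() {
    server=$1; disk=$2; passes=${3:-3}
    size=$(wc -c < "$disk" | tr -d ' ')   # demo disks are files; a real block
    pass=1                                 # device would use blockdev --getsize64
    while [ "$pass" -le "$passes" ]; do
        dd if=/dev/zero of="$disk" bs=512 count=$((size / 512)) conv=notrunc 2>/dev/null \
            || { audit wipe-failed "server=$server disk=$disk pass=$pass"; return 1; }
        pass=$((pass + 1))
    done
    # Verification: strip every NUL byte; anything left means the wipe missed data.
    if [ "$(tr -d '\000' < "$disk" | wc -c | tr -d ' ')" -ne 0 ]; then
        audit wipe-failed "server=$server disk=$disk reason=nonzero-bytes-remain"
        echo "WIPE FAILED: $disk still holds non-zero bytes" >&2
        return 1
    fi
    awk -F, -v OFS=, -v s="$server" -v d="$disk" \
        '$1==s && $2==d {$3="clean"} {print}' "$INVENTORY" > "$INVENTORY.tmp" \
        && mv "$INVENTORY.tmp" "$INVENTORY"
    audit wipe-completed "server=$server disk=$disk passes=$passes"
}

# demo: refused before the wipe, approved after it, with the trail in the log.
demo() {
    demo_setup
    can_go_live web01 || true
    wipe_disk web01 "$DISK"
    can_go_live web01
    cat "$AUDIT_LOG"
}
demo
```

The verification step is the part worth keeping even if the rest is adapted: a wipe that is not read back and checked is just a procedure again, and the flag should only change once the check has passed.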