User access credentials are prime targets for cyberthieves. Phishing and other social engineering attacks are all about obtaining access, and the advice you read about strong passwords and two-factor authentication is all about preventing bad actors from gaining access to your organization’s network.

But all user access is not created equal. What attackers really want is privileged access, such as administrator status. This access is what gives fraudsters the keys to the kingdom, which makes privileged identity management (PIM) a critical key to security. Unfortunately, according to recent data, organizations are not doing a good job of safeguarding these credentials.

Leaving the Keys in the Ignition

A study by One Identity revealed almost laughably bad practices regarding privileged access management. Nearly 1 in 5 organizations (18 percent) use paper logs to manage privileged credentials, while more than one-third (36 percent) rely on spreadsheets.

It gets worse: The vast majority (86 percent) of survey respondents indicated that they do not update privileged account passwords after using those accounts. Additionally, 40 percent said they leave default admin passwords for systems and infrastructure unchanged from the factory settings. For cyberthieves, this is roughly the equivalent to leaving your car with the keys in the ignition.

Keeping Sensitive Data Out of the Wrong Hands

Infosec Island noted that “the most severe breaches inevitably stem from powerful credentials (typically those logins used for administration) falling into the wrong hands.” The article detailed the key principles of privileged access management and outlined several things that organizations should be doing to keep credentials out of fraudsters’ hands, including:

  • Eliminating sharing of privileged credentials;
  • Holding individuals accountable for safeguarding these credentials;
  • Following a least privilege model for daily operations; and
  • Auditing the use of privileged credentials.

It’s important to note that the overwhelming majority of your users neither want nor need privileged access. In fact, most users don’t even know that administrator credentials and similar privileged accounts exist, let alone how to use them.

Your employees and other authorized users hate being barred from accessing websites and being prompted to come up with strong passwords. However, they normally don’t mind being denied privileged access because the last thing they want to do is mess with the system technically — they are happy to leave that stuff to IT.

Privileged Access Management Is Key to Robust Security

This is not to say that properly handling privileged access management is easy or free. Doing it right means taking time to think about how privileged access is handled. Large or complex networks might require a significant investment in tools to handle the mechanics and provide an audit trail, but improving privileged access management is one of the most critical steps organizations should take to minimize the risk of a serious, costly data breach.

Learn more about Privileged Account Management

More from Identity & Access

How to Keep Your Secrets Safe: A Password Primer

There are two kinds of companies in the world: those that have been breached by criminals, and those that have been breached and don't know it yet. Criminals are relentless. Today’s cyberattacks have evolved into high-level espionage perpetrated by robust criminal organizations or nation-states. In the era of software as a service (SaaS), enterprise data is more likely to be stored on the cloud rather than on prem. Using sophisticated cloud scanning software, criminals can breach an enterprise system within…

Making the Leap: The Risks and Benefits of Passwordless Authentication

The password isn't going anywhere. Passwordless authentication is gaining momentum, though. It appears to be winning the battle of how companies are choosing to log in. Like it or not, the security industry must contend with both in the future.  But for some businesses and agencies, going passwordless is the clear strategy. Microsoft, for instance, has recently stopped forcing users to use a password to access their account, which allows access to a wide range of Microsoft business and personal…

Old Habits Die Hard: New Report Finds Businesses Still Introducing Security Risk into Cloud Environments

While cloud computing and its many forms (private, public, hybrid cloud or multi-cloud environments) have become ubiquitous with innovation and growth over the past decade, cybercriminals have closely watched the migration and introduced innovations of their own to exploit the platforms. Most of these exploits are based on poor configurations and human error. New IBM Security X-Force data reveals that many cloud-adopting businesses are falling behind on basic security best practices, introducing more risk to their organizations. Shedding light on…

Why Your Success Depends on Your IAM Capability

It’s truly universal: if you require your workforce, customers, patients, citizens, constituents, students, teachers… anyone, to register before digitally accessing information or buying goods or services, you are enabling that interaction with identity and access management (IAM). Many IAM vendors talk about how IAM solutions can be an enabler for productivity, about the return on investment (ROI) that can be achieved after successfully rolling out an identity strategy. They all talk about reduction in friction, improving users' perception of the…