Light Dark
January 12, 2018 By Rick M Robinson 2 min read
Identity & Access

User access credentials are prime targets for cyberthieves. Phishing and other social engineering attacks are all about obtaining access, and the advice you read about strong passwords and two-factor authentication is all about preventing bad actors from gaining access to your organization’s network.

But all user access is not created equal. What attackers really want is privileged access, such as administrator status. This access is what gives fraudsters the keys to the kingdom, which makes privileged identity management (PIM) a critical key to security. Unfortunately, according to recent data, organizations are not doing a good job of safeguarding these credentials.

Leaving the Keys in the Ignition

A study by One Identity revealed almost laughably bad practices regarding privileged access management. Nearly 1 in 5 organizations (18 percent) use paper logs to manage privileged credentials, while more than one-third (36 percent) rely on spreadsheets.

It gets worse: The vast majority (86 percent) of survey respondents indicated that they do not update privileged account passwords after using those accounts. Additionally, 40 percent said they leave default admin passwords for systems and infrastructure unchanged from the factory settings. For cyberthieves, this is roughly the equivalent to leaving your car with the keys in the ignition.

Keeping Sensitive Data Out of the Wrong Hands

Infosec Island noted that “the most severe breaches inevitably stem from powerful credentials (typically those logins used for administration) falling into the wrong hands.” The article detailed the key principles of privileged access management and outlined several things that organizations should be doing to keep credentials out of fraudsters’ hands, including:

  • Eliminating sharing of privileged credentials;
  • Holding individuals accountable for safeguarding these credentials;
  • Following a least privilege model for daily operations; and
  • Auditing the use of privileged credentials.

It’s important to note that the overwhelming majority of your users neither want nor need privileged access. In fact, most users don’t even know that administrator credentials and similar privileged accounts exist, let alone how to use them.

Your employees and other authorized users hate being barred from accessing websites and being prompted to come up with strong passwords. However, they normally don’t mind being denied privileged access because the last thing they want to do is mess with the system technically — they are happy to leave that stuff to IT.

Privileged Access Management Is Key to Robust Security

This is not to say that properly handling privileged access management is easy or free. Doing it right means taking time to think about how privileged access is handled. Large or complex networks might require a significant investment in tools to handle the mechanics and provide an audit trail, but improving privileged access management is one of the most critical steps organizations should take to minimize the risk of a serious, costly data breach.

Learn more about Privileged Account Management

 |  |  |  | 
Rick M Robinson

More from Identity & Access
April 23, 2024

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

April 16, 2024

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

March 5, 2024

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature