Most North American organizations are over-confident in their ability to stop data breaches
- Published: Thursday, 30 May 2019 07:36
Centrify has announced the results of a new survey, conducted in partnership with TechVangelism, that indicate the majority of organizations are ill-prepared to protect themselves against privileged access abuse, the leading cyber attack vector. 79 percent of organizations do not have a mature approach to privileged access management (PAM), yet 93 percent believe they are at least somewhat prepared against threats that involve privileged credentials. This overconfidence and immaturity are underscored by 52 percent of organizations surveyed stating they do not use a password vault, indicating that the majority of companies are not taking even the simplest measures to reduce risk and secure access to sensitive data and critical infrastructure.
The survey of 1,300 organizations across 11 industry verticals in the US and Canada reveals that most organizations are fairly unsophisticated and still taking PAM approaches that would best be described as ‘non-existent’ (43 percent) or ‘vault-centric’ (21 percent). More sophisticated organizations take an ‘identity-centric’ (15 percent) approach that tries to limit shared and local privileged accounts, replacing them with centralized identity management and authentication with an enterprise directory. The most protected organizations are considered ‘mature’ (21 percent) because they go beyond vault- and even identity-centric techniques, hardening their environment further via a number of initiatives (e.g., centralized management of service and app accounts and enforcing host-based session, file, and process auditing).
The survey also revealed some specific insights about the solutions being used to control privileged access, including:
- 52 percent of organizations are using shared accounts for controlling privileged access.
- 58 percent of organizations do not use multi-factor authentication (MFA) for privileged administrative access to servers.
- 51 percent of organizations do not control access to transformational technologies with privileged access, including modern attack surfaces such as cloud workloads (38 percent), big data projects (65 percent), and containers (50 percent).
Looking at organizations’ PAM maturity by industry, some surprises emerged:
- 39 percent of technology organizations have a non-existent approach to PAM.
- Two highly-regulated industries, healthcare (45 percent) and government (42 percent), also scored high for non-existent PAM maturity.
- Finance (27 percent) unsurprisingly scored highest in the mature category, followed by energy/utilities (26 percent), and then technology (25 percent), as well as healthcare (22 percent).
- Professional services is taking a highly vault-centric approach to PAM at 29 percent of organizations.