Half of all organizations fail to audit privileged account activity, according to a report by Cybersecurity Ventures and Thycotic. The companies co-sponsored the 2016 State of Privileged Account Management report, which shows that although companies say they recognize the importance of securing privileged accounts, their practices are often stuck in the past.
The report is based on a Privileged Password Vulnerability Benchmark survey, which showed that 76.5 percent of companies consider privileged account management (PAM) security a high priority, and 60 percent have PAM-related regulatory requirements, yet 7 out of 10 do not require approval for creating new privileged accounts.
“Weak privileged account management is a rampant epidemic at large enterprises and governments globally,” Steve Morgan, founder and CEO at Cybersecurity Ventures, said in a statement. “Privileged accounts contain the keys to the IT kingdom, and they are a primary target for cybercriminals and hackers-for-hire who are launching increasingly sophisticated cyber-attacks on businesses and costing the world’s economies trillions of dollars in damages. We expect the needle on automated (PAM) solutions adoption to move fairly quickly into the 50 percent range over the next two years.”
Three out of 10 organizations allow accounts and passwords to be shared, three out of 10 have no formal password controls, and four out of 10 use the same security for privileged and standard accounts.
Nearly one in five organizations have never changed the default passwords on their privileged accounts. While many of the report’s findings are unsettling, this practice is so obviously negligent that one has to wonder about possible legal ramifications. Clients, partners, and shareholders of any given business should have assurances that it will not be brought to a standstill and suffer major losses from a years-old “admin” password.
Only 10 percent of those surveyed have implemented commercial automated PAM security, perhaps in part because 30 percent say they have not communicated the importance of following IT security policies to stakeholders.
The PAM report also puts a new spin on previous reports like the Ping Identity study from late 2015, which showed that enterprise employees often share with family members the credentials for devices they do work on, and commonly reuse passwords. If the organization neglects basic credential controls, it is unrealistic to expect employees to pick up the slack.