Mismanaged privileged passwords are costing firms
millions of pounds a year.
Research from information management firm Cyber-Ark and analyst
firm IDC said privileged passwords - the non-personal, shared and
administrative passwords that exist in virtually every device or
software application in an enterprise - are costing firms large
amounts of cash every year without their knowledge, through costly
outages, labour-intensive work, legal liability and audit
deficiencies related to mismanaged passwords.
To simply maintain and update privileged passwords, the report
estimated the typical large enterprise spends more than $500,000
(£263,000) each year.
The problems and losses are summarised in a white paper by IDC,
sponsored by Cyber-Ark, titled Privileged Password Management:
Combating the Insider Threat and Meeting Compliance Regulations for
the Enterprise.
The report said privileged passwords, if unchecked, can be “an
unmitigated security threat for an organisation”.
The report also found that the manual updating of privileged
passwords can cost over $500,000 for US Fortune 2000 companies.
There is also a general lack of strict policies for creating and
varying privileged passwords, policies that could help prevent
costly security breaches, said the report.
Also, many passwords are generic in nature and lack the
personalisation necessary for tracking and auditing purposes. And
most organisations today use the same password for many systems and
devices, creating a common security hole that can be exploited by
external hackers.
IDC estimates that it takes around $30 (£15.80) in man-hours to
change the Sys-admin password on a single Microsoft Exchange
Server.
“Our research shows that managing privileged passwords is a
security conundrum,” said IDC analyst Sally Hudson. “IDC believes
that the risk can be significantly mitigated by implementing
policies which demand special treatment for privileged passwords,”
she said.
“These include the ability to disable an employee's system
access promptly upon employee termination; enforcing a company-wide
password change on a regular basis; and implementing reliable
auditing and reporting systems,” she said.
A copy of the report can be accessed at:
www.cyber-ark.com/idc.asp