|Management of privileged users should not be left to IT|
|All default privileged user accounts should be closed|
|No privileged user accounts should be shared|
|Privileges should be kept up to date, limited to real needs|
|Businesses should enforce segregation of duties for privileged users|
|Log files should be secure to prevent tampering by privileged users|
|Automated tools should be used to enforce best practices|
Bad practice in managing privileged IT users is threatening the security of European organisations, a study has revealed.
Despite their trusted position, privileged users are frequently the weakest link in the corporate security chain, according to the study by research firm Quocirca.
Poor management, inefficient manual processes and lack of awareness are widespread in over 270 European companies polled in a survey commissioned by IT management software firm, CA.
"Privileged users are prime target for hackers because they hold the keys to the kingdom," said Tim Dunn, vice-president of CA's security management business in EMEA.
For this reason it is important for businesses to manage privileged users more effectively instead of relying on them to police themselves, he said.
The fact that any mistake by a privileged user can have a serious operational or security impact on the business and the fact that these users can turn rogue, are another two key reasons for the business to ensure greater control, said Bob Tarzey, analyst and director at Quocirca.
The study revealed that although most European businesses are adopting IT management standards like ISO 27001, 36% of those certified admitted to non-compliant practices such as sharing privileged user accounts and using default user names and passwords for these accounts.
An average of 50% of survey respondents admitted that their organisations allowed the sharing of privileged accounts across the various IT systems including databases and security applications.
Only 44% of UK organisations could confirm that administrator accounts were not shared.
"Where privileged accounts are shared, businesses have no idea who is doing what, so there is no real accountability," said Tarzey.
Many organisations are failing to monitor the actions of privileged users and some are not even aware of all the privileged user accounts that are in operation, he said.
The survey showed that some 60% of organisations that claimed to have implemented the ISO 27001 standard had no tools to control privileged users.
Despite the availability of privileged user management systems, only 26% of European organisations surveyed have deployed them in full.
"The biggest reasons are lack of budget, lack of awareness of the threat, lack of expertise and failure to see IT security as a business enabler," said Tarzey.
According to Tarzey, the introduction of automated tools is the only way businesses can hope to manage privileged users effectively.
The survey revealed that 29% of UK organisations rely on manual controls, but these are time-consuming, expensive, unreliable and most importantly un-auditable, said Tarzey.
Businesses need to use purpose built tools to manage users accounts, assign privileged user account access and provide continual monitoring of privileged user activity, he said.