“The Insecurity of Privileged Users,” a soon to be released global benchmark study sponsored by HP Enterprise Security and independently conducted by the Ponemon Institute, examines the inherent risk caused by a lack of control and oversight of privileged users in the workplace and what should be done to minimise this risk. The global study focused on more than 5,000 IT operations and security managers defined as having broad-access rights to IT networks, enterprise systems, applications and information assets based on their organisational roles and responsibilities.
Jay Huff, EMEA director of HP enterprise security products, talked SearchNetworkingUK through the biggest UK challenges for network support engineers, based on the research findings.
Statistic 1: In the UK, 64% of privileged users access sensitive or confidential data because of their curiosity, and 68% of privileged users believe they are empowered to access all the information they can view.
Jay Huff: Network support engineers have a tough dilemma here because the balance of determining who needs what privileges is a tough task to get right. Firms considered too heavy-handed face low morale and potentially slower processes as permission is continuously sought. However, data does need protection and networks must find ways of achieving this as easily as possible. Perhaps the best way of doing this is to run regular audits. Curiosity should not be allowed to permit data breaches and such empowerment should not be abused. Network engineers must work alongside database administrators and IT security practitioners to ensure best practice. If such lax attitudes remain, networks will continue to be open to attacks from the same curiosity that leads to data breaches."
Statistic 2: In the UK, only 32% of those surveyed believe that their organisation's access governance policies are strictly enforced, whilst 58% believe that customer data is the most at risk in the organisation due to the lack of proper access controls over privileged users (the highest percentage in the markets surveyed).
Huff: "This study spotlights risks that organisations don’t view with the same tenacity as [they do] critical patches, perimeter defense and other security issues, yet [breaches from privileged users] represent a major access point to sensitive information. Such a perceived lack of control should be a major concern for anyone running a major network in any business because it clearly shows the immaturity and risks many have left open. Customer information and general business data are at the highest risk, and the most threatened applications included mobile, social media and business unit-specific applications. If I was a network support engineer right now, I would advocate a bottom-up approach, monitoring everything that happens on that infrastructure, rather than the top-down approach, which is not really working. The recent changes in the IT ecosystem affect the need for strong authentication and network intelligence technologies, including SIEM, and these findings show that privilege should be added and removed according to need and not just be assumed from the start. The plethora of new devices entering networks nowadays is a threat to any firm’s underlying structure if they are not handled properly."
Statistic 3: In the UK, only 15% of respondents are confident that their organisation can determine if users are compliant with policies.
Huff: "This is perhaps the most concerning statistic and really should ring alarm bells for network support engineers. It represents a clear lack of understanding for how to work on a network and keep the company safe from any leaks, hacks or phishing attacks. Clearly user privilege management needs to be re-addressed. There is a feeling that because modern day employees want to be able to communicate on-the-go and operate social media, an access policy does not need to be so strict. However, this is far from the case. Network support engineers must fight for security and keep it at the top of any IT agenda. There are ways of acquiring fresh new talent without sacrificing on IT privileges and having strong data governance principles at the heart of a business. It’s simply careless to let users behave outside of their remit and potentially leave a network open to an unsolicited assault that could easily have been prevented in the first place."