Even as organizations worry about attackers and cyber-spies going after sensitive data, a recent Ponemon Institute survey found that employees still have too many data-access privileges.
still fail to adequately manage user privileges and protect sensitive data,
exposing them to the risks of data breaches, according to a study from
Hewlett-Packard and the Ponemon Institute.
A survey of
5,500 IT professionals around the world found that more than half the
organizations were still giving employees access to sensitive, confidential
data they didn't need to perform their jobs, Ponemon Institute said in a report
released Dec. 12. The survey looked at professionals in a variety of IT roles,
such as operations and security management, in 13 countries, including the
United States, the United Kingdom, Germany and France.
More than half
the respondents say they have access to company data beyond the scope of their
job requirements, the survey found. Examples included giving a network
administrator access to payroll data or a database administrator access to the
percent of the respondents admitted they would look at the data out of
curiosity. Many of the organizations did not revoke privileged access after the
employee's role or job function changed and they didn't need the data anymore,
the report found.
study spotlights risks that organizations don't view with the same tenacity as
critical patches, perimeter defense and other security issues, yet it
represents a major access point to sensitive information," said Tom
Reilly, vice president and general manager of the Enterprise Security Products
group at Hewlett-Packard, which sponsored the study.
often focus their defenses on stopping external intruders from gaining access
to sensitive data, often forgetting that an outsider who has breached the
network will look like an insider, a legitimate employee, Ira Winkler,
Codenomicon's chief security strategist, told eWEEK.
Organizations shouldn't worry about who is trying to
penetrate their systems as much as focusing on how data can be compromised and
protect the data accordingly. In most cases, that involves managing who has
access to the data in the first place, according to Winkler.
business data" such as documents, spreadsheets, emails and other sources
of unstructured data were most at risk for snooping, followed by customer data,
according to the survey. Mobile, social media and business-unit-specific
applications were most targeted. The findings are consistent with a recent
Symantec report on malicious insiders who steal corporate data. Business
information-such as billing information, price lists and other administrative
data-was stolen in 30 percent of the real-world incidents examined in the
was often a "culture" problem, according to Ponemon Institute founder
and chairman Larry Ponemon. "Somehow, privileged users think they have a
right to access," Ponemon said. In the study, 68 percent of respondents
said they were "empowered" to access sensitive data.
About a third
of the respondents said access-governance policies are in place and strictly
enforced. Few organizations had the technology in place to control access or
manage how data-access privileges are being used, according to the report.
percent of respondents said their organizations have technology-based identity
and access controls to detect when root-level or system administration access
rights are being shared among users. About 24 percent of the survey responders
said their organizations combined technology with a business process to control
user access. However, 15 percent of the professionals in the survey admitted
that access was not really controlled within the organization, and 11 percent
said they couldn't detect when access rights were being shared.
percent of respondents said a security information and event management (SIEM)
platform was critical to governing, managing and controlling privileged user
access rights, the survey found. However, the high cost of monitoring and the
difficulty in validating changes to a user's access rights made proper
privilege management a challenge, according to HP.
had difficulty keeping pace with change requests and had inconsistent approval
processes, the survey found. It was also necessary to improve how they
identified policy violations and enforced policies across all business units.
There also seemed to be some disagreement as to who was in charge of user
access management, with 47 percent saying IT was responsible for granting
access rights and 40 percent saying the responsibility belonged to the business
positive note, these organizations were revoking access rights as soon as the
employees quit or were laid off, the survey found. Only 17 percent of the
respondents thought it was likely that the former employee would continue to be
able to access data.
The risk to
the organization caused by the incorrect levels of access being granted to
employees would increase over the next 12 to 24 months, according to 42 percent
of respondents in the survey. An equal number of users said the risk would not