Employees Still Get More Access Than They Need

Two surveys show how little enterprises enforce and track least-privilege policies.

Two new surveys out today show how easy enterprises make it for attackers to steal vast quantities of data with just a few successful breaches of employee machines: Employees typically are given far more access to sensitive data than they need to get their jobs done, and enterprises don't do enough to track access behavior.

That failure to enact the very fundamental security principle of auditable least-privilege only increases the risk profile of the employer.

The first report comes by way of the Ponemon Institute, which queried more than 1,000 end-users and 1,000 IT professionals about access patterns, on behalf of Varonis. It showed that among the 1,100 users surveyed, over 70 percent report that they have access to company data they shouldn't be able to see. And of those, more than half report that they use that access frequently. At the same time, among the IT professionals surveyed by Ponemon, four out of five of them report that their organizations don't enforce strict least-privilege data models.

Another survey, conducted by Courion among 35,000 IT executives, found respondents initially somewhat more optimistic about their enterprises' least-privilege practices. Just over 70 percent reported that they thought their organizations enforced least-privilege policies. However, on closer questioning, approximately 43 percent said that their organizations are unaware when access privileges are increased or when access behavior is anomalous.

The difficulty with offering too much access and failing to audit access behavior is twofold. Not only are there the natural worries of insider threats, but there is also the even more plausible concern about account privileges being misappropriated by outside attackers.

"This research surfaces an important factor that is often overlooked: Employees commonly have too much access to data, beyond what they need to do their jobs, and when that access is not tracked or audited, an attack that gains access to employee accounts can have devastating consequences," says Larry Ponemon, chairman and founder of The Ponemon Institute.

According to the Courion survey, 97 percent of IT pros say that misused or stolen access credentials provide the network entry point for hackers. And just under a third of them say they're confident that their organizations are able to detect improper access.

Often when organizations lack the capability to granularly limit or audit access, they default to more open access models so as not to impede productivity. However, the more access that is provided, the higher the likelihood that a small breach of an employee machine will escalate into a network-wide breach of sensitive data stores. Many enterprises find it difficult to strike a decent balance between strong identity and access management (IAM) and user work efficiency, says Kurt Jonson, vice president of corporate strategy for Courion.

"IT security executives are under tremendous pressure to provide open access to stakeholders while at the same time controlling access risks in the face of constant attacks," he says. "Beyond perimeter defense, effective identity and access management is the answer to minimizing the likelihood or impact of a data breach, and IAM is made much easier with the diagnostic capabilities of identity analytics and intelligence."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

12/10/2014 | 8:27:18 AM
Ghosts of the past return to haunt
Our biggest causes of least-privilege policy failures have been
  • Situations where people were positioned in roles that provided specific access, then gained another role, and then at some point they were removed from the first role without notifying our IT access provisioning team.
  • Manpower drawdowns where an office reduces to only a small percentage of the original staff. This has the effect of expanding accesses for those who remain AND impacts situations where separation of duties is a factor.

We are working on cleaning up processes around the first item, but the second item is a different kettle of fish.