- Survey of more than 1,000 IT security professionals from around the world including Australia reveals widespread lack of confidence in access control and privileged account management programs
- Over one in four (26 per cent) organisations in Australia rely on alarmingly antiquated processes including manual methods and spreadsheets to manage privileged accounts
- One in 20 organisations have no way of knowing if users retain access even after they’ve left the organisation
- Only 6 per cent of Australian security professionals surveyed said they were completely confident their organisation wouldn’t get hacked due to an oversight issue
- 1 in 10 IT security professionals admit it takes more than 30 minutes to reset a single password
One Identity has released new global research that uncovers a widespread inability to implement basic best practices across identity and access management (IAM) and privileged access management (PAM) security disciplines — likely exposing organisations to data breaches and other significant security risks. Conducted by Dimensional Research, One Identity’s “Assessment of Identity and Access Management in 2018” study polled more than 1,000 IT security professionals from mid-size to large enterprises from North America, the UK, Germany, France, Australia, Singapore and Hong Kong on their approaches, challenges, biggest fears and technology deployments related to IAM and PAM.
Among the survey’s most surprising findings are that nearly one-third of organisations globally and 26 per cent of Australian organisations are still using manual methods or spreadsheets to manage privileged account credentials. When asked if they had any way of knowing if employees were fully deprovisioned when they leave their company or change roles, 4 per cent of Australian IT security professionals admitted they have no way of knowing if a user is fully deprovisioned when they leave the company or change their role. Additionally, a single password reset takes more than 30 minutes to complete in nearly 1 in 10 IT environments.
These and other findings paint a bleak picture of how many organisations approach IAM and PAM programs, indicating that critical sensitive systems and data are not properly protected, user productivity is hindered, and potential threats from mismanaged access remain a major challenge. Additional top findings from the report include:
- Privileged account practices are poor — and IT security teams know it.
While 26 per cent of Australian businesses are using manual administrative account management methods, only 1 per cent of Australian organisations do not manage administrative accounts at all. Nearly three-fourths (74 per cent) of Australian organisations grant privileged account access to third-party partners, contractors or vendors; and 74 per cent surveyed admit IT security professionals share privileged passwords with their peers at least sometimes, with 23 percent admitting this is usually or always the case.
Ineffective administrative account management practices coupled with careless sharing of passwords governing of these accounts demonstrates major gaps in PAM programs across the board, and IT security professionals seem to be aware of their shortcomings. The survey found that only 6 per cent of Australian respondents are completely confident in their PAM programs, while more than 1 in 4 (26 per cent) are not confident at all.
- Organisations are letting basic access tasks and responsibilities slip — potentially impacting user productivity.
The research found that 75 per cent of Australian users’ password resets take five minutes or longer to unlock, with nearly 1 in 10 (8 per cent) admitting the task takes more than 30 minutes, implying widespread hindrance to employee productivity. When it comes to new user provisioning, 44 per cent of organisations take from several days to multiple weeks to provide access across all applications and systems needed.
Worse, nearly one-third (30 per cent) of Australian IT organisations take somewhere between several days to multiple weeks to deprovision former users from all of the applications and systems they were granted access to, with 4 per cent having no way to know if the user has been fully deprovisioned at all. While the majority of global respondents rate all aspects of their access control program as excellent or fair, only 15 per cent are completely confident that they will not be hacked due to an access control issue.
- IT security pros top fear is disgruntled employees sharing sensitive data — but most admit it’s easy to steal.
When asked to share their worst IAM nightmare, the most common answer from Australian organisations (at 31 per cent) was a disgruntled employee sharing sensitive information, followed by having their CIO interviewed on TV following an IAM-cause data breach (25 per cent) and usernames and passwords being posted to the dark web (17 per cent). Ironically, more than three quarters (77 per cent) of the IT security professionals polled admitted that it would be easy for them to steal sensitive information if they were to leave their organisation, with 7 per cent admitting they would do if they were mad or upset enough.
“Our research uncovered a number of shocking results across the world but particularly in Australia. In a time when major enterprises and small businesses are reporting breaches, it’s concerning to see that companies are still not prioritising security measures such as privileged access management. IT teams in Australia are still sharing privileged passwords internally and externally, failing to immediately deprovision old user accounts, and spending upwards of 30 minutes to reset employees’ passwords. These habits are not only concerning from a security standpoint, but should also raise warning flags around employee productivity,” said Serkan Cetin, Regional Manager, Technology & Strategy at One Identity APJ.
“Organisations that fail to address basic IAM and PAM best practices may not only expose themselves to significant security risks, but with legislations like GDPR and Mandatory Data Breach Notification in place, major financial and legal implications can stem from a lapse in security judgement. This research should serve as a wake-up call to organisations to seek ways to ensure, manage, and secure appropriate access across the entire organisation and user population – end users, third parties and administrators.”
Improving IAM and PAM Practices
Stealing user credentials is one of the easiest ways for malicious actors to gain entry into an organisation’s network. Among the most coveted accounts are privileged (administrative) accounts, which may grant virtually unlimited access to a company’s IT infrastructure, including its most critical and sensitive systems and data. The more accounts available to bad actors, the more damage can potentially be done, including data breaches and leakage, compliance violations, fines and loss of brand-trust and reputation.
Effective IAM and PAM are critical components to any organisations’ security strategy; but the Assessment of Identity and Access Management in 2018 Study shows businesses are still struggling to do so. One Identity offers an end-to-end suite of access management, identity governance, privileged access management and identity-as-a-service solutions designed to eliminate the complexities and time-consuming processes often required to govern identities, manage privileged accounts and control access.
About the One Identity Assessment of Identity and Access Management in 2018 Study
The One Identity Assessment of Identity and Access Management in 2018 study consisted of an online survey conducted by Dimensional Research of IT professionals in mid-size to large organisations with responsibility for security and who are very knowledgeable about IAM and privileged accounts. A wide variety of questions were asked about experiences and challenges with IAM. A total of 1,005 individuals from the U.S., Canada, U.K., Germany, France, Australia, Singapore and Hong Kong completed the survey.
One Identity offers a free online executive summary of the data in a Key Findings Report. These materials can be found here.
About One Identity
One Identity, a Quest Software business, helps organisations get identity and access management (IAM) right. With a unique combination of offerings including a portfolio of identity governance, access management and privileged management, and identity as a service that help organisations reach their full potential, unimpeded by security yet safeguarded against threats. One Identity has proven to be a company unequalled in its commitment to its customers’ long-term IAM success. More than 7,500 customers worldwide depend on One Identity solutions to manage more than 125 million identities, enhancing their agility and efficiency while securing access to their data — wherever it might reside. For more information, visit http://www.oneidentity.com.