Report: Organizations struggle to implement IAM best practices

Oct. 10, 2018
Survey of more than 1K IT security pros reveals several disturbing trends

According to new research, many organizations around the globe continue to struggle with implementing Identity and Access Management (IAM) best practices, leaving them exposed to significant security risks.

The study, which was sponsored by IAM solutions provider One Identity, polled more than 1,000 IT security professionals at organizations ranging in size from mid-sized businesses to large enterprises and found a widespread lack of confidence in access control and privileged account management (PAM) programs. Among the study’s specific findings:

  • One in three (31 percent) organizations rely on antiquated processes including manual methods and spreadsheets to manage privileged accounts;
  • One in 20 organizations have no way of knowing if users retain access even after they’ve left the organization;
  • And, 1 in 10 IT security professionals admit it takes more than 30 minutes to reset a single password.

In addition to 31 percent of businesses using manual administrative account management methods, 1 in 25 organizations do not manage administrative accounts at all. Two-thirds (66 percent) of organizations grant privileged account access to third-party partners, contractors or vendors and 75 percent admit IT security professionals share privileged passwords with their peers at least sometimes, with one in four admitting this is usually or always the case.

The survey also found that only 13 percent of respondents are completely confident in their PAM programs, while more than 1 in 5 (22 percent) are not confident at all.

Organizations Allow Basic Access Tasks and Responsibilities to Slip

Sixty-eight percent of those surveyed reported that user password resets take five minutes or longer to unlock, with nearly 1 in 10 (9 percent) admitting the task takes more than 30 minutes, implying a widespread hindrance to employee productivity. When it comes to new user provisioning, 44 percent of organizations take from several days to multiple weeks to provide access across all applications and systems needed.

Worse, nearly one-third (32 percent) of IT organizations take from several days to multiple weeks to deprovision former users from all of the applications and systems they were granted access to, with one in 20 having no way to know if the user has been fully deprovisioned at all. While the majority of respondents rate all aspects of their access control program as excellent or fair, only 15 percent are completely confident that they will not be hacked due to an access control issue.

Theft of Sensitive Data a Primary Concern

When asked to share their worst IAM nightmare, the most common answer (at 27 percent) was a disgruntled employee sharing sensitive information, followed by having their CIO interviewed on TV following an IAM-caused data breach (22 percent) and usernames and passwords being posted to the dark web (18 percent). Ironically, nearly 8 in 10 (77 percent) of the IT security professionals polled admitted that it would be easy for them to steal sensitive information if they were to leave their organization, with 12 percent admitting they would do so if they were mad or upset enough.

“Our research revealed a number of shocking findings including extensive sharing of privileged passwords internally and externally, failure to immediately deprovision old user accounts, and spending upwards of 30 minutes to reset a password. These poor practices are incredibly real and concerning risks to any organization, so it’s no surprise that there is a general lack of confidence in the effectiveness of IAM and PAM programs,” John Milburn, President and General Manager of One Identity, said in a statement. “The fact of the matter is that organizations that fail to address these basic IAM and PAM best practices may not only expose themselves to significant security risks, but also drive business productivity down. This research should serve as a wake-up call to organizations to seek out ways to ensure, manage, and secure appropriate access across the entire organization and user population – end users, third parties and administrators.”
