The Very Best Companies are Twice as Efficient in Managing Privileged
Access – Study Reveals Why
the leading cyber security company dedicated to preventing privilege
misuse and stopping unauthorized access, today unveiled the results of
its definitive Privilege Benchmarking Study based on a worldwide survey
of IT professionals. The study demonstrates a widening gulf between
organizations that adhere to best practices for privileged access
Over 500 senior IT, IS, legal and compliance experts were asked about
their privileged access management practices. Their responses were
divided into two tiers based on industry best practices, with top-tier
companies distinguishing themselves as far better prepared to mitigate
the impact from data breaches. A summary of the findings is included
Password and Credential Management: Only 14 percent regularly cycle
their passwords, leaving systems exposed to breaches
With 63 percent (2016 Verizon DBIR) of confirmed data breaches involving
weak, default or stolen passwords, it’s never been more important to
apply discipline and accountability over enterprise credentials.
Top-tier companies were much more likely to have a centralized
password management policy – 92 percent of them do, in contrast with
just 25 percent of bottom-tier organizations.
Password cycling is also much more common among top-tier businesses;
76 percent of top-tiers frequently have passwords changed, whereas
only 14 percent of bottom-tiers do.
Credential management formed another point of distinction, with nearly
three-quarters (73 percent) identifying themselves as efficient in
this area, compared to 36 percent of the bottom-tier companies.
Session Monitoring: Just 3 percent watch/terminate sessions in real
time – how do you stop a possible breach in time?
When it comes to real-time monitoring and restriction of access, the
top-tier companies are far ahead.
More than two-thirds of top-tier companies (71 percent) can monitor
privileged user sessions, and 88 percent can restrict access with a
measure of granularity.
Among bottom-tiers, fewer than half (49 percent) can monitor sessions,
and only 37 percent have granular capabilities to restrict access.
Evaluation of Risk: Amazingly, 52 percent “just know” what the risks
are, but aren’t doing enough about it
Perhaps the starkest contrast between top-tier and bottom-tier
organizations can be illustrated in how – or whether – risk is scored in
determining application privileges.
Among top-tier organizations, fully 9 out of 10 grant privileges to
apps rather than users. Among bottom-tier companies, this falls to 46
While it’s vital to evaluate the risks posed by individual apps and
systems, only 6 percent of bottom-tier companies have tools that
provide this capability – and, shockingly, 52 percent “just know” what
the risks are. Meanwhile, more than half of top-tier companies (57
percent) can make these assessments.
Top-tier companies are also more likely to actually conduct
vulnerability assessments; 91 percent do, compared to just 20 percent
of bottom-tier organizations.
Despite the risks of leaving users and systems with unmanaged access to
network resources, only 9 percent of bottom-tier companies have an
enterprise solution in place for managing privileged access, and more
than one-third do nothing at all. Among the top-tier companies, however,
78 percent have an enterprise solution in place.
Federal Government Vulnerable to Breaches
The survey also found that despite a high level of awareness of the
threat, federal government agencies leave themselves open to attack.
Seventy-two percent of government responders believe that there would be
a high risk to general business and mission information if organizations
lacked proper access control for privileged users. The federal
government has implemented mandates such as FISMA and CSIP to address
various attack vectors within agency networks. Yet, respondents also
report that 20 percent of users have more privileges than they need.
These results highlight an opportunity for improvement in adopting
processes and technologies to further secure privilege access in Federal
What Organizations Can Do to Close the Gap Between Their Practices
and Best Practices
For organizations looking to reduce the risk of a damaging data breach
as a result of privilege abuse or misuse, BeyondTrust has developed five
recommendations based on the Privilege Benchmarking Study:
Be granular: Implement granular least privilege policies to balance
security with productivity. Elevate applications, not users.
Know the risk: Use vulnerability assessments to achieve a holistic
view of privileged security. Never elevate an application’s
privileges without knowing if there are known vulnerabilities.
Augment technology with process: Reinforce enterprise password
hygiene with policy and an overall solution. As the first line of
defense, establish a policy that requires regular password rotation
and centralizes the credential management process.
Take immediate action: Improve real-time monitoring of privileged
sessions. Real-time monitoring and termination capabilities are
vital to mitigating a data breach as it happens, rather than simply
investigating after the incident.
Close the gap: Integrate solutions across deployments to reduce
cost and complexity, and improve results. Avoid point products
that don’t scale. Look for broad solutions that span multiple
environments and integrate with other security systems, leaving fewer
“This study confirms one of the unfortunate truths about data breaches
today – namely, that many of them are preventable using relatively
simple means,” said Kevin Hickey, President and CEO at BeyondTrust.
“Companies that employ best practices and use practical solutions to
restrict access and monitor conditions are far better equipped to handle
today’s threat landscape.”
Privilege Benchmarking Study
For more information on the Privilege Benchmarking Study, including a
summary infographic and results paper, please visit: https://www.beyondtrust.com/resources/white-paper/privilege-benchmarking-study-2016/.
BeyondTrust is a global information security software company that helps
organizations prevent cyber attacks and unauthorized data access due to
privilege abuse. Our solutions give you the visibility to confidently
reduce risks and the control to take proactive, informed action against
data breach threats. And because threats can come from anywhere, we
built a platform
that unifies the most effective technologies for addressing both
internal and external risk: Privileged
Access Management and Vulnerability
Management. Our solutions grow with your needs, making sure you
maintain control no matter where your company goes. BeyondTrust’s
security solutions are trusted by over 4,000 customers worldwide,
including half of the Fortune 100. To learn more about BeyondTrust,
please visit www.beyondtrust.com.
Mike Bradshaw, 801-373-7888
Marketing for BeyondTrust