88% of insider threat actions can be attributed to privilege abuse, according to the 2014 Verizon Data Breach Investigations Report.
User accounts – especially those with special access privileges – are often a target for cyber criminals and employees with malicious intentions.
Another study, by Raytheon, found that many individuals with the highest level of network access in organisations believe that this access entitles them to view all of the information it makes available to them. The access granted often goes beyond their roles and responsibilities. In fact, 65% of respondents said that curiosity, rather than duty, drove them to access sensitive data.
Privilege abuse can come about as a result of negligence or a lack of proper information security practices. ‘Privilege creep’ is the gradual increase of access rights to different systems for standard users, and exposes a company to malware, data loss and other damaging consequences.
Most companies suffer from privilege creep among long-term employees, and are often ignorant of this problem. When an employee moves from one role to another, they may continue in their old role for several weeks, or even months. The employee may then end up with more responsibility, more influence — and more access to new systems while retaining access to old ones.
As well as forgetting to remove old privileges, managers may take a relaxed approach to user logins and passwords so that employees do not have to keep asking for help to complete simple tasks.
Privilege creep can mean that one individual might have the authority to request, approve and grant an action or transaction.
The use of default usernames and passwords, granting wider access than is necessary, and the failure to monitor users can all lead to the abuse of privileged access.
So, how can you avoid privilege creep?
A periodic access audit ensures that employees can only access the information and systems they need.
Alternatively, management may decide to revoke all privileges and then follow a process of determining who needs what, granting access to employees from scratch. Some say it’s better to revoke access and risk an employee objecting to this action, rather than assume the employee needs the access they were granted.
It goes without saying that effective information security requires that user accounts be managed very carefully.
A few golden rules for effective privilege management:
- Provide access to authorised individuals only.
- Grant only minimum access levels for applications, computers and networks.
- Segregate duties for privileged users.
- Keep tamper-resistant log files of privileged activity.
- Use a privileged user management platform.
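As an added illustration of the periodic access audit and the segregation-of-duties rule above (this is not code from the original post), the following Python script compares a constructed snapshot of the entitlements users actually hold against a per-role baseline to surface privilege creep, and scans constructed workflow records for one person requesting, approving and granting the same transaction. The role names, entitlement names and log format are all assumptions.

```python
from collections import defaultdict

# Constructed role baseline: the entitlements each role is supposed to carry.
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"erp_invoice_entry", "erp_payment_request"},
    "finance_manager": {"erp_payment_approve", "erp_reports"},
    "it_admin": {"ad_domain_admin", "erp_user_admin"},
}

# Constructed snapshot of what each user currently holds (as exported from a directory).
# alice moved from accounts payable to finance manager but kept her old rights;
# carol is an IT admin who was also handed a finance approval right.
USERS = {
    "alice": {"role": "finance_manager",
              "held": {"erp_payment_approve", "erp_reports",
                       "erp_invoice_entry", "erp_payment_request"}},
    "bob": {"role": "accounts_payable",
            "held": {"erp_invoice_entry", "erp_payment_request"}},
    "carol": {"role": "it_admin",
              "held": {"ad_domain_admin", "erp_user_admin", "erp_payment_approve"}},
}

# Constructed workflow records: (transaction_id, step, actor).
WORKFLOW_LOG = [
    ("TX-1001", "request", "bob"),
    ("TX-1001", "approve", "alice"),
    ("TX-1001", "grant", "carol"),
    ("TX-1002", "request", "alice"),
    ("TX-1002", "approve", "alice"),
    ("TX-1002", "grant", "alice"),
]


def excess_entitlements(users=USERS, baseline=ROLE_ENTITLEMENTS):
    """Privilege creep check: entitlements each user holds beyond their role baseline."""
    return {name: info["held"] - baseline.get(info["role"], set())
            for name, info in users.items()
            if info["held"] - baseline.get(info["role"], set())}


def sod_violations(log=WORKFLOW_LOG):
    """Segregation-of-duties check: transactions where a single actor performed
    more than one of the request/approve/grant steps."""
    steps_by_actor = defaultdict(lambda: defaultdict(set))  # tx -> actor -> steps
    for tx, step, actor in log:
        steps_by_actor[tx][actor].add(step)
    return {tx: sorted(a for a, s in actors.items() if len(s) > 1)
            for tx, actors in steps_by_actor.items()
            if any(len(s) > 1 for s in actors.values())}
```

On the constructed data, `excess_entitlements()` flags alice's retained accounts-payable rights and carol's stray approval right, and `sod_violations()` flags TX-1002, which alice requested, approved and granted herself.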
Access control and administrative privilege management comprise one of the five pillars of Cyber Essentials, the UK Government-driven certification scheme aimed at creating a heightened state of cyber security among large and small businesses alike. The UK Government now requires organisations tendering for certain contracts to provide evidence of a Cyber Essentials certification.
For as little as £300, IT Governance offers an automated solution to applying for Cyber Essentials certification, via its unique new CyberComply portal.