Insider threat risk growing as 40% can view sensitive data they don’t need
September 2020 by Ponemon Institute and Forcepoint research
New research has found a growing risk of insider threats as many organisations aren’t closely tracking access rights to sensitive data.
More than a third of privileged users surveyed in the UK and the US report holding privileged access that their current job does not require, and only around half say that such access is vetted through background checks or monitored through identity management tools.
Every respondent to the Ponemon Institute and Forcepoint research (roughly 1,000 in each of the government and commercial surveys) holds privileged access to their organisation's IT, yet only 11% of those in government and 14% in commercial organisations are 'very confident' that their organisation has enterprise-wide visibility into which users have privileged access and which do not.
Privileged access is granted liberally even if not required for current job responsibilities
More than a third of respondents (36% gov; 40% commercial) report having privileged access even though it is not required for their job function. Of these respondents:
More than one-third indicated that everyone at their level has privileged access (38% gov; 36% commercial).
A similar number of respondents needed privileged access in a previous position, and it was not revoked when their role changed (37% gov; 42% commercial).
Some IT pros indicated that the organization assigned privileged access for no apparent reason (24% gov; 23% commercial).
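The three patterns above (access inherited from a previous role, access granted with no recorded reason, and access that is simply normal for a role) are exactly what a periodic entitlement review has to separate. The following is an added example, not code from the research or from Forcepoint: it reconciles each user's granted entitlements against a hypothetical per-role baseline and the date of their last role change, using constructed sample data, and labels anything outside the baseline as stale, unjustified, or a justified exception.

```python
"""Hypothetical privileged-access review: reconcile granted entitlements against
role baselines and role-change dates. All data below is constructed for the
example; the role names and entitlement strings are assumptions."""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Grant:
    entitlement: str
    granted_on: date
    justification: str = ""   # e.g. a change-ticket ID; empty means no recorded reason


@dataclass
class User:
    name: str
    role: str
    role_changed_on: date     # date of the last role change (hire date if none)
    grants: list = field(default_factory=list)


# Hypothetical role baselines: the entitlements each role is expected to hold.
ROLE_BASELINE = {
    "helpdesk": {"ad:reset-password", "jira:agent"},
    "dba":      {"sql:sysadmin", "backup:restore"},
    "sre":      {"k8s:cluster-admin", "aws:PowerUser"},
}


def review(user):
    """Return (entitlement, finding) pairs for grants outside the user's current role baseline."""
    baseline = ROLE_BASELINE.get(user.role, set())
    findings = []
    for g in user.grants:
        if g.entitlement in baseline:
            continue  # expected for this role, nothing to report
        if g.granted_on < user.role_changed_on:
            # granted before the last role change: inherited from a previous position
            findings.append((g.entitlement, "stale: granted in a previous role and never revoked"))
        elif not g.justification:
            findings.append((g.entitlement, "unjustified: outside role baseline, no recorded reason"))
        else:
            findings.append((g.entitlement,
                             f"exception: outside role baseline, justified by {g.justification}"))
    return findings


def review_all(users):
    """Map each user name to the findings for that user."""
    return {u.name: review(u) for u in users}


# Constructed sample: a DBA who moved from the SRE team and kept cluster-admin,
# plus a grant nobody recorded a reason for; a helpdesk user whose access is in baseline.
SAMPLE_USERS = [
    User("alice", "dba", date(2020, 2, 1), [
        Grant("sql:sysadmin", date(2020, 2, 3), "CHG-1001"),
        Grant("k8s:cluster-admin", date(2019, 6, 10), "CHG-0420"),  # from SRE days
        Grant("aws:PowerUser", date(2020, 4, 15)),                   # no justification on file
    ]),
    User("bob", "helpdesk", date(2018, 9, 1), [
        Grant("ad:reset-password", date(2018, 9, 1), "onboarding"),
    ]),
]

if __name__ == "__main__":
    for name, findings in review_all(SAMPLE_USERS).items():
        for entitlement, why in findings:
            print(f"{name}: {entitlement}: {why}")
```

The stale check keys off the role-change date rather than the grant's age, because an old grant that is still in the current role's baseline is fine, while a recent grant that a previous role needed and the new one does not is the case the survey respondents describe.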
The sheer number of privileged users can complicate an organization’s ability to manage the risk posed by insiders because:
Privileged users access sensitive or confidential data because of their curiosity (49% gov; 51% commercial).
Privileged users can be pressured to share their access rights with others in the organization (44% gov; 42% commercial).
Privileged users believe they are empowered to access all the information they can view (36% gov; 46% commercial).
Vetting and monitoring of privileged users is inadequate
Only about half of government respondents report that privileged users are vetted through thorough background checks (48%), or that access is monitored through identity and access management (IAM) tools (52%) or provisioning systems (56%). This lack of monitoring points to a need for continuous vetting, which will allow agency leaders to evaluate the behavior and risk profile of privileged users on an ongoing basis – a necessity if government is serious about creating a Trusted Workforce.
In the commercial sector, organizations tend to rely primarily on identity and access management tools (63%), regular privileged user training programs (55%) and monitoring of provisioning systems (49%).
In addition, only 46% of government respondents and 52% of commercial respondents claim that their organization has the capabilities to effectively monitor privileged user activities. Monitoring typically consists of a patchwork of SIEM and/or network intelligence tools, log files, endpoint monitoring and manual oversight.
Privileged user abuse can be difficult to detect with incident-based security tools
Abuse caused by privileged users, such as cyber sabotage or fraud, is not only the most costly to mitigate, it can be very difficult to detect because:
Behavior involved in the incident is consistent with the individual’s role and responsibilities (60% gov; 54% commercial).
Security tools often yield too many false positives (57% gov; 54% commercial) and more data than can be reviewed in a timely fashion (53% gov; 68% commercial).
Security tools don’t provide enough contextual information (42% gov; 38% commercial).
Enterprise-wide visibility into privileged users is virtually non-existent
Only 11% of government respondents and 14% of commercial respondents are very confident that their organization has enterprise-wide visibility into privileged user access due to:
A lack of a unified view or single pane of glass (31% gov; 30% commercial).
Difficulty keeping up with changes within the IT organization such as offboarding and outsourcing (28% gov; 29% commercial).
At the most basic level, agency leaders need a clear understanding of who has access to what systems. However, a more comprehensive understanding of user risk will require enterprise visibility into organizational changes that impact roles and access, and into whether a privileged user's behavior is consistent with their current role.
“To effectively understand the risk posed by insiders, it takes more than simply looking at logs and configuration changes,” said Nico Popp, chief product officer at Forcepoint. “Incident-based security tools yield too many false positives; instead IT leaders need to be able to correlate activity from multiple sources such as trouble tickets and badge records, review keystroke archives and video, and leverage UEBA tools. Unfortunately, these are all areas where many organizations fall short.”
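The correlation Popp describes, across a privileged-session log, change tickets and badge records, can be sketched in a few dozen lines. The following is an added example, not part of the research or of any Forcepoint product: it runs over constructed sample records and flags privileged actions that no change ticket covers, and actions from an on-site console at a time when badge records show the user was not in the building (one plausible signature of shared credentials). Field names, hostnames and ticket IDs are assumptions.

```python
"""Hypothetical multi-source correlation for privileged-user activity.
All records below are constructed for the example."""
from datetime import datetime


def parse(ts):
    return datetime.fromisoformat(ts)


# Constructed: privileged session events, e.g. exported from a PAM gateway or sudo log.
EVENTS = [
    {"user": "alice", "time": "2020-05-12T10:05:00", "host": "db-prod-01",
     "action": "sudo -i", "source": "console-dc1"},
    {"user": "alice", "time": "2020-05-12T23:40:00", "host": "db-prod-01",
     "action": "mysqldump customers", "source": "console-dc1"},
    {"user": "bob", "time": "2020-05-12T14:20:00", "host": "web-prod-03",
     "action": "sudo systemctl restart nginx", "source": "vpn"},
]

# Constructed: approved change tickets, each covering one user, one host and a time window.
TICKETS = [
    {"id": "CHG-2231", "user": "alice", "host": "db-prod-01",
     "start": "2020-05-12T09:00:00", "end": "2020-05-12T12:00:00"},
]

# Constructed: physical badge records for the data-centre site.
BADGE = [
    {"user": "alice", "in": "2020-05-12T08:45:00", "out": "2020-05-12T17:30:00"},
]

# Session sources that can only be used from inside the data centre (assumption).
ONSITE_SOURCES = {"console-dc1"}


def ticket_for(ev, tickets):
    """Return the ID of a ticket covering this user, host and time, or None."""
    t = parse(ev["time"])
    for tk in tickets:
        if (tk["user"] == ev["user"] and tk["host"] == ev["host"]
                and parse(tk["start"]) <= t <= parse(tk["end"])):
            return tk["id"]
    return None


def badged_in(ev, badge):
    """True if badge records show the user on site at the event time."""
    t = parse(ev["time"])
    return any(b["user"] == ev["user"] and parse(b["in"]) <= t <= parse(b["out"])
               for b in badge)


def correlate(events, tickets, badge):
    """Return (event, reasons) pairs for events an analyst should review."""
    flagged = []
    for ev in events:
        reasons = []
        if ticket_for(ev, tickets) is None:
            reasons.append("no change ticket covers this host/time")
        if ev["source"] in ONSITE_SOURCES and not badged_in(ev, badge):
            reasons.append("on-site console used while badge records show user off-site")
        if reasons:
            flagged.append((ev, reasons))
    return flagged


if __name__ == "__main__":
    for ev, reasons in correlate(EVENTS, TICKETS, BADGE):
        print(f"{ev['time']} {ev['user']}@{ev['host']} {ev['action']!r}: {'; '.join(reasons)}")
```

Each action on its own looks like ordinary DBA or sysadmin work, which is the detection problem the survey respondents report; it is the absence of a matching ticket, or the contradiction between the session source and the badge record, that gives the event context.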
About this research
This research was conducted by the Ponemon Institute in March-June of 2020. Only respondents with privileged access to their organizations’ IT networks, enterprise systems, applications and information assets were included in the final sample. The commercial report surveyed 988 respondents in the U.K. (382) and U.S. (606) and the government report surveyed 895 respondents in UK (373) and US (522).