It seems incredible, but people in organizations still use weak passwords like “12345,” bearing in mind the security threat in today’s digital ecosystem. This is one of the data points the 2017 edition of the annual BeyondTrust research report revealed. In an infographic and report titled, “The Five Deadly Sins of Privileged Access Management (PAM),” the company identifies five behaviors that can compromise the security of your company, whether it is small or large.
BeyondTrust carried out the global survey in 12 countries with close to 500 IT professionals, beginning in May and ending in June of 2017. Industries in tech, finance, healthcare, communications, and others took part.
The five deadly sins the report identified as being a problem were: Apathy, Greed, Pride, Ignorance, and Envy. While these behaviors in and of themselves will not compromise the security of your small business, the actions they lead to will.
What is Privileged Access Management?
A PAM solution will help your small business consolidate the identities of your team with a cross-platform access and control of shared accounts. When the right solution is implemented, it reduces the security risk by minimizing the attack surface, with the eventual goal of eliminating security breaches.
With PAM, privileged sessions of administrative access to critical systems, or anyone with access for that matter, can be monitored and audited.
Privileged Access Management Risks: The Five Deadly Sins
Using “12345” as a password is attributed to the first sin, Apathy. In listing their top threats, the respondents in the survey said employees sharing passwords with colleagues, not changing default passwords shipped with devices, and the aforementioned weak password came in at 78, 76, and 75 percent respectively.
Second was Greed. As applied in this report, it was used to highlight the need for some individuals to have full administrative privileges over their devices. Eighty percent of the respondent said allowing users to run as administrators as their biggest threat.
Pride was third, and one in five of the respondents indicated attacks combining privileged access with exploitation of an unpatched vulnerability are common. By simply patching vulnerabilities, most attack vectors can be defended. Admitting a vulnerability hasn’t been patched or one is not aware of an existing patch can prevent the unfortunate outcome.
Number four, Ignorance, goes hand-in-hand with Pride. Twenty nine percent said Sudo, a popular option for delegating users for Unix/Linux servers, was suitable. This, despite the fact Sudo’s shortcomings as a successful deterrent against cyberattacks on Linux platforms is well documented.
The 32, 31, and 29 percent of the IT specialists said Sudo was time consuming, complex and delivered poor vision control respectively. However, the typical respondent runs Sudo on 40 workstations and 25 servers.
Envy is the last sin, and it could prove one of the most dangerous. Businesses want to keep up with their competitors without carrying out proper due diligence. While everyone wants to migrate to the cloud, more than a third in the survey are not protecting SaaS applications from privileged access abuse.
What to Do?
Beyond Trust is a global cyber security company specializing to proactively get rid of data breaches from insider privilege abuse and external hacking attacks. The company recommends organizations to:
- Deploy organizational-wide password management,
- Remove local admin rights from ALL Windows and Mac end users at once,
- Prioritize and patch vulnerabilities,
- Replace Sudo for complete protection of Unix/Linux servers,
- Unify privileged access management — on premises, in the cloud — into a single console for management.
Small Business Security
Forty-three percent of cyber-attacks target small business. So if you think you are safe because you are a small business, you are not. You have to be vigilant, take the recommendations of security experts and train your staff with security best practices and strict governance.
Typing on Laptop Photo via Shutterstock
More in: Cybersecurity