“Most of you have a gaping hole in your security. It’s really big. It’s the kind of hole that, when you think about it, it keeps you awake at night, worrying about how little you can do if someone actually takes advantage of it.”
So says Mark Fullbrook, UK and Ireland director of security software specialist Cyber-Ark. And he adds: “It’s the kind of hole that most people would rather not think about, so they push it to the back of their mind. It’s IT’s dirty little secret.”
He’s talking about the potential abuse of privileged accounts and, in the current financial environment, with companies either downsizing IT staff or asking them to accept pay cuts, it’s more of a risk than ever, he warns.
And the risk: privileged accounts are, in the vast majority of cases, generic. All staff use the same login and password for each system, and sometimes for many systems, so there is no way of establishing who did what, or when.
What’s worse: since there are so many of these accounts, many companies no longer bother to change the passwords with any kind of regularity. People change roles, yet still know the passwords to systems to which they should no longer have access.
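The three conditions just described (a shared credential that cannot be attributed to a person, a password that has not been rotated, and a former colleague who still knows it) can each be checked mechanically. The following Python script is an added illustration written for this page, not code from the original article or from Cyber-Ark; the account inventory, the leaver list and the sshd-style log lines are all constructed sample data, and the 90-day rotation limit is an assumed policy value.

```python
import re
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed inventory of shared privileged accounts (hypothetical data):
# when the password was last changed, and who has been told it.
ACCOUNTS = {
    "root@db-prod-01": {"last_rotated": date(2007, 3, 1),
                        "known_by": ["alice", "bob", "carol"]},
    "admin@fw-core":   {"last_rotated": date(2009, 1, 15),
                        "known_by": ["bob", "dave"]},
    "oracle@erp-app":  {"last_rotated": date(2008, 11, 2),
                        "known_by": ["erin"]},
}

# Constructed HR/directory data: leavers and people who changed role.
DEPARTED = {"carol"}       # left the company
ROLE_CHANGED = {"dave"}    # moved teams, should no longer have access

TODAY = date(2009, 3, 2)                # constructed "as of" date
MAX_PASSWORD_AGE = timedelta(days=90)   # assumed rotation policy


def stale_accounts(accounts, today=TODAY, max_age=MAX_PASSWORD_AGE):
    """Accounts whose shared password is older than the rotation policy."""
    return sorted(name for name, info in accounts.items()
                  if today - info["last_rotated"] > max_age)


def leaked_accounts(accounts, departed=DEPARTED, role_changed=ROLE_CHANGED):
    """(account, person) pairs where someone who should no longer have
    access still knows the shared password."""
    gone = departed | role_changed
    return sorted((name, person)
                  for name, info in accounts.items()
                  for person in info["known_by"]
                  if person in gone)


# Constructed sshd-style log lines for shared accounts on one host.
LOG_LINES = [
    "2009-03-02T08:12:01 sshd: Accepted password for root from 10.0.5.21",
    "2009-03-02T08:14:40 sshd: Accepted password for root from 10.0.5.33",
    "2009-03-02T08:15:02 sshd: Accepted password for root from 10.0.5.21",
    "2009-03-02T09:01:13 sshd: Accepted password for root from 192.168.7.9",
    "2009-03-02T09:05:55 sshd: Accepted password for oracle from 10.0.5.40",
]

LOG_RE = re.compile(r"^(\S+) sshd: Accepted password for (\S+) from (\S+)$")


def unattributable_logins(lines, window=timedelta(hours=1)):
    """Accounts that logged in from more than one source host within `window`.
    A shared credential used from several places at once cannot be tied to
    a person, which is exactly the attribution gap the article describes."""
    seen = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, user, src = m.groups()
        seen[user].append((datetime.fromisoformat(ts), src))
    flagged = {}
    for user, events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            srcs = {src for t, src in events[i:] if t - t0 <= window}
            if len(srcs) > 1:
                flagged[user] = sorted(srcs)
                break
    return flagged


if __name__ == "__main__":
    print("stale passwords:", stale_accounts(ACCOUNTS))
    print("known to leavers/movers:", leaked_accounts(ACCOUNTS))
    print("shared use, no attribution:", unattributable_logins(LOG_LINES))
```

On the sample data the script reports two accounts past the rotation limit, two accounts still known to people who should have lost access, and the root account used from three hosts inside an hour with no way to say which administrator was at each keyboard. The same three checks are what a privileged-account management process has to make routine; here they are run against static lists, whereas in practice the inventory and leaver data would come from a vault and the directory.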
And, says Fullbrook, it’s not only about your trusted team. “What about your developers? How about your third party support staff? How about staff in other teams, or the guy who left last year to go to one of your competitors?”
Verizon recently stated that 57% of the security breaches it surveyed over a four-year period were committed by either an internal user or a business partner who had access to the systems. It further said that, in the case of insider abuse, more than 50% of breaches involved IT staff.
“When I hear of companies that have not outlined a solution or strategy to deal with privileged accounts, I liken it to building a prison with a huge tunnel to the outside. You can spend whatever you want on guards, fences, cameras and locks, but if you don’t guard the tunnel, you may as well not bother,” insists Fullbrook.