This year’s report found that the main concern for IT professionals is not external threats, but breaches linked to vulnerabilities caused by staff or third-party vendors operating within an organisation’s own network. In fact, 50% of organisations claimed to have suffered a serious information security breach, or expect to do so in the next six months, due to third-party and insider threats – up from 42% in 2017. Additionally, 66% of organisations claimed that they could have experienced a breach due to third-party access in the last 12 months, and 62% due to insider credentials.
However, a large part of this risk sits with the organisations themselves, as the report found that 73% rely on third-party vendors too heavily, and 72% have cultures that are too trusting of partners. In an age where data breaches have immense financial and reputational implications for businesses, these organisations place far too much faith in those that operate within their network.
The report also found that problematic employee behaviour continues to be a challenge for a majority of organisations. Writing down passwords, for example, was cited as a problem by 65% of organisations, an increase of 10% over 2017. Colleagues telling each other passwords was also a big problem for 54% of organisations in 2018, rising from 46% in 2017. This rise may indicate that poor password hygiene continues to be a growing issue, or it may be that organisations are more aware of these behaviours due to an increased focus on data protection and privacy. Either way, the numbers indicate that securing credentials and passwords continues to be an issue for security and IT professionals.
“IT administrators and third-party vendors need privileged access to be able to do their jobs effectively, but the number of privileged users is growing exponentially, and access to systems and data is often being granted in an uncontrolled way,” commented Matt Dircks, CEO of Bomgar. “In the face of growing threats, together with the introduction of the EU GDPR, there has never been a greater need to implement organisation-wide strategies and solutions to manage and control privileged access.”
The report did show that some organisations are managing these risks with a privileged identity and access management (PAM) solution. According to the research, these same organisations experience less severe security breaches and have better visibility and control than those that use manual solutions or no solution at all. In fact, fewer than half (44%) of organisations using PAM experienced a serious breach or expect to in the next six months, compared to 69% of those without control of their privileged users.
“As the vendor ecosystem grows, and employees are granted more trust, organisations need to accept that the way to mitigate risks is by managing privileged accounts through technology and automated processes that not only save time, but also provide visibility across the network,” Dircks added. “By implementing cybersecurity policies and solutions that also speed business performance, versus putting roadblocks in users’ way, organisations can begin to seriously tackle the privileged access problem.”