Privileged accounts have become an important attack vector, and if a recent survey of mostly IT managers and executives is any indication, that threat will continue to grow.

According to results of ID management provider Cyber-Ark’s sixth annual global “Trust, Security and Passwords Survey,” just under half of 820 respondents admitted if they were fired tomorrow, they’d walk out with proprietary data such as privileged password lists, company databases, R&D plans and financial reports — even though they know they are not entitled to it.

Given that admission, it’s no surprise 71 percent believe the insider threat is the priority security concern and poses the most significant business risk. As such, enterprise executives say they are rethinking their security strategy, especially after last year’s well-publicized attacks on RSA and Global Payments and the like, which they believe involved exploited privileged account access.

That said, despite growing awareness of the need to better monitor privileged accounts, only 57 percent say they actively do so. The other 43 percent weren’t sure or knew they didn’t. And of those that monitored, more than half said they could get around the current controls.

“These privileged accounts are often protected by weak or default passwords, which are seldom replaced,” according to a report on survey results released today. “Businesses that are not securing and managing these high-value targets are failing to uphold their responsibility for securing customer and similar sensitive information.”

Other findings include:
–45 percent said they have access to information on a system that is not relevant to their role
–42 percent indicated they or a colleague have used admin passwords to access information that was otherwise confidential
–55 percent believe competitors have received their company’s highly sensitive information or intellectual property – a significant increase from years past

“Privileged accounts are an organization’s most powerful access points and are the keys to unlocking a company’s most valuable asset – its data. With 42 percent of respondents claiming that they, or their colleagues, have used their administrator passwords to access confidential information, the potential for damage is huge if these accounts are not used for legitimate purposes,” the report states.

The survey was taken by IT staff and executives in North America (412) or Europe, Middle East and Asia (408). Results show just a little more than a quarter of all respondents believe current data breach notification laws have done much to curb data losses.

“Whether it’s a malicious insider looking to steal information, or an external attacker seeking to exploit privileged accounts to gain access to the network and sensitive information, it’s clear that privileged access points have emerged as the priority target of enterprise cyber-assaults. This pattern has been demonstrated in some of the most high-profile attacks including Global Payments, Utah Department of Health, and even with the recent Flame virus,” said Udi Mokady, founder and CEO of Newton, Mass.-based Cyber-Ark, in a prepared statement.


Comments (9)

  1. Anonymous

    Of course you noticed that the study was done by a firm that has a major interest in getting companies to invest in their software and services – right?

  2. Anonymous

    Many studies do, which is why the article mentions what the company behind the survey provides.

  3. Anonymous

    I would also point out that the numbers are very vague. If 40% of those asked didn’t know whether or not privileged accounts are monitored, and only 3% knew they didn’t, then you could say that it is yet another attempt to scare people.

    I’m reminded of a South Park episode where the children are banned from talking to strangers, going to school and finally kicked out of their own homes as the media say ‘the biggest threat to children has been found to be… strangers/teachers/close family’

    Another point I would like to make is if anyone was told they were going to be fired tomorrow, and felt that until that point they were good employees, then a feeling of revenge and retribution is going to be a natural response. When it comes down to it I highly doubt of the few percent who do get fired in such a manner that many would a> follow up their threat, b> get anything useful or dangerous.


  4. Anonymous

    “42 percent indicated they or a colleague have used admin passwords to access information that was otherwise confidential”

    And of that 42%, how many were doing so in order to perform the duties required of them by their position?  This article, and the study it’s based on, shows terrible bias.

  5. Daniel

    Well, I’m working as a software developer for a small company. I’m required to walk out with proprietary data every day. I’m not allowed to leave my personal backup drive (we do have other means of backup too) in the office when leaving.

  6. Anonymous

    My experience is that upper level management has a tendency to expect team leaders, team members and lower level management to make sacrifices. Work overtime or weekends, work during or skip scheduled vacations and all with little or no compensation or recognition.

    Frequently their reward for that sacrifice is walking papers. Theft is theft but the rationalization is not a huge leap. If companies would stop treating employees badly; and terminating employees who work hard; their employees will not have reason to retaliate.


  7. Anonymous

    This has similar credibility as the “shock story” that at least 40% of employee sick days are taken on Friday or Monday (think about it).
    Beat up.
    Nowadays, pretty much *anyone* can walk out of a company with gigabytes of private and confidential data – see Pvt Bradley Manning’s alleged ‘bring in blank-disks with a label hand written stating it’s a music cd’ – and just about _everyone_ has a USB Flash drive.

  8. Anonymous

    a lot of Companies FAIL to realize if you treat your employees with more respect and better pay you will have less theft.

    treating employees unfairly and making them work shitty hours for shitty pay and fuckin them every chance they get..  it makes it pretty easy to walk away with stuff and secrets guilt free..

  9. Wizard Gynoid

    this report is self-serving and suspect.  i doubt whether IT professionals would damn themselves in this manner.  having been a SYSADMIN and database admin for a major health facility, i can tell you that what matters most is whether the person with access is trustable.  that’s the key. if you value that person and you trust them, then treat them right.  that’s all there is to it really.
