Privileged users put info at risk … And IT doesn’t know what to do about it


A flurry of recent surveys and studies have found that users may have too much access to data. Now comes one that confirms IT is aware of this situation … and seriously concerned by it.

A Ponemon survey sponsored by Forcepoint puts it succinctly: Users’ ability to access data often goes well beyond what they actually need to get their jobs done.

According to The 2016 Study on the Insecurity of Privileged Users, 58% of IT pros believe that organizations assign access to employees that goes beyond their roles and responsibilities.

In addition:

  • 74% of those surveyed said they think privileged users believe they are empowered to access all the information they can view, but
  • 66% also think these same users access information out of curiosity rather than necessity.

Can they be trusted?

Usually, one thinks of privileged users as ones who have earned enough trust to access data. But according to the survey, IT doesn’t necessarily see it that way. Security pros don’t have the luxury of trusting that users have the organization’s best interests at heart.

The problem is, “Trust, but verify” only works if you’re actually able to verify.

IT pros aren’t so sure they can. According to the survey:

  • 62% are only somewhat confident, or not confident, that they have enterprise-wide visibility into user access
  • 61% said their tools for detecting malicious insiders produce too many false positive results
  • 55% aren’t sure they can correlate data from multiple sources, and
  • only 43% said they have the capability to effectively monitor privileged user activity.

And even if they can be trusted, these users are at greater risk of outside attack. Nearly half of those surveyed (48%) said they thought social engineers would target privileged users’ accounts.

What to do

Revoking access isn’t a popular way to control security, but it may be a necessary one. Unless there’s a clear business need for users to have access to sensitive data, the best way to protect that data may be to restrict who can see and edit it.

Of course if you make one mistake and revoke access to something that a user needs, there will be hell to pay.

One strategy could be to sit down with users individually or as a group and ask, “Are you using this resource?” If they say yes, allow them to retain access to it if there’s a clear business case for doing so. If not, revoke the access until they tell you they do need it.

Another strategy: Talk to their department heads. Find out what tools their people need to do their job, then group users by job categories, granting or revoking access to data based on what their bosses think is necessary. That way, if there are any arguments down the line over why they can or can’t access a file, you can say “Your supervisor didn’t think you’d need it. But if you do, and get clearance, I’d be happy to provide you access again.”
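One way to run both reviews above in a single pass, as an added example that is not from the article or the survey: a Python script over constructed access grants, a per-job-category baseline of what department heads said their people need, and a few constructed access-log lines. Grants inside the baseline are kept; grants outside it that were used recently are flagged for supervisor clearance rather than cut off (so the "one mistake" case becomes a conversation, not an outage); grants that were never used, or not used inside the window, are revoked. The user, role and resource names, the log format and the 90-day window are all assumptions.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Constructed sample data (assumed names; not from the article or the survey).
# Each Grant is what the access-control system currently allows.
Grant = namedtuple("Grant", "user role resource")
GRANTS = [
    Grant("alice", "accounting", "finance_share"),
    Grant("alice", "accounting", "hr_records"),       # outside her role, stale
    Grant("bob", "helpdesk", "ad_admin_console"),     # privileged, never used
    Grant("bob", "helpdesk", "ticketing_db"),
    Grant("carol", "engineering", "source_repo"),
    Grant("carol", "engineering", "finance_share"),   # used, but not in baseline
]

# What each department head said their people need (the job-category baseline).
ROLE_BASELINE = {
    "accounting": {"finance_share"},
    "helpdesk": {"ticketing_db"},
    "engineering": {"source_repo"},
}

# Constructed access-log lines in a simple "timestamp key=value ..." format.
ACCESS_LOG = """\
2016-06-01T09:12:00Z user=alice resource=finance_share action=read
2016-06-02T14:30:00Z user=bob resource=ticketing_db action=write
2016-03-01T08:00:00Z user=alice resource=hr_records action=read
2016-06-03T11:45:00Z user=carol resource=source_repo action=write
2016-06-04T16:20:00Z user=carol resource=finance_share action=read
""".splitlines()

# Date the review is run (assumed).
REVIEW_DATE = datetime(2016, 6, 30, tzinfo=timezone.utc)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) resource=(?P<resource>\S+) action=\S+$"
)


def parse_last_access(lines):
    """Return {(user, resource): most recent access time} from log lines."""
    last = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the review
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        key = (m["user"], m["resource"])
        if key not in last or ts > last[key]:
            last[key] = ts
    return last


def review_access(grants, role_baseline, last_access, now, stale_days=90):
    """Decide keep / review / revoke for every grant, with a reason.

    keep:   resource is in the role's baseline (supervisor already approved it)
    review: outside the baseline but used within stale_days; needs clearance
    revoke: outside the baseline and never used or not used within stale_days
    """
    cutoff = now - timedelta(days=stale_days)
    decisions = []
    for g in grants:
        used = last_access.get((g.user, g.resource))
        if g.resource in role_baseline.get(g.role, set()):
            decisions.append((g.user, g.resource, "keep", "in role baseline"))
        elif used is not None and used >= cutoff:
            decisions.append((g.user, g.resource, "review",
                              "used %s, needs supervisor clearance" % used.date()))
        elif used is None:
            decisions.append((g.user, g.resource, "revoke",
                              "never used and outside role baseline"))
        else:
            decisions.append((g.user, g.resource, "revoke",
                              "last used %s, more than %d days ago"
                              % (used.date(), stale_days)))
    return decisions


def revocations(decisions):
    """Sorted (user, resource) pairs the review says to revoke."""
    return sorted((u, r) for u, r, d, _ in decisions if d == "revoke")


if __name__ == "__main__":
    last = parse_last_access(ACCESS_LOG)
    for d in review_access(GRANTS, ROLE_BASELINE, last, REVIEW_DATE):
        print("%-6s %-18s %-7s %s" % d)
```

With the constructed data, alice's stale hr_records grant and bob's never-used admin console are revoked, carol's recent use of finance_share goes to her supervisor for a decision, and the in-baseline grants are untouched. Sourcing the "last used" column from real audit logs is the part that answers the survey's visibility problem: without it, the review degrades to asking users whether they use something, and the answer is almost always yes.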
