Employment Practices
Risk Management Association


Protecting Privileged Credentials: An Essential Step In Cybersecurity

Software company Centrify recently released the results of its Privileged Access Management in the Modern Threatscape survey. Centrify surveyed 1,000 IT decision-makers about cybersecurity in their organizations. The survey found that, among the organizations that had experienced a data breach, for 74 percent the breach resulted from privileged access credential abuse.

However, many organizations do not have sufficient Privileged Access Management and privileged credential security. Among those surveyed who experienced a breach, only 48 percent now use a password vault and only 21 percent implemented multi-factor authentication (MFA) for privileged administrative access. In addition, 65 percent share root or privileged access to systems and data at least somewhat often.

Advanced areas of IT are the most unprotected, with many organizations failing to use privileged access controls to protect containers (72 percent); network devices like hubs, switches, and routers (68 percent); Big Data projects (58 percent); and public and private cloud workloads (45 percent). The top five cybersecurity priorities for respondents are protecting cloud data, preventing data leakage, analyzing security incidents, improving security education/awareness, and encrypting data.  

Finally, only 35 percent of organizations in the U.S. use Privileged Access Management to manage their partners' access to privileged credentials and infrastructure, according to the survey. Most respondents want to adhere to cybersecurity best practices, but fail to do so because of budget constraints and lack of executive buy-in.

Louis Columbus, "74% Of Data Breaches Start With Privileged Credential Abuse," forbes.com (Feb. 26, 2019).


According to IBM's 2018 Data Breach Study, an enterprise in the U.S. will lose, on average, nearly eight million dollars recovering from a data breach.

Because weak, stolen, or otherwise compromised privileged credentials cause most data breaches, organizations must take measures to protect these credentials. Password vaults and multi-factor authentication are two easy ways to reduce hackers’ access to your credentials. Create a written cybersecurity policy that prohibits members of your organization from sharing passwords and requires them to use unique, strong passwords for every privileged account.

Organizations must also take steps to prevent internal bad actors from sharing privileged access credentials with cybercriminals. A recent Accenture survey found that 18 percent of healthcare employees would sell confidential data for as little as $500 to $1,000, and 24 percent of employees know a coworker who has sold privileged credentials to someone outside the organization. 

Have all employees who work with sensitive data sign a nondisclosure agreement stating that they will not share or sell sensitive data. Specify that doing so will be grounds for termination as well as legal action, including possible criminal charges.

The Centrify survey found that only 37 percent of organizations can disable privileged access for an employee who leaves the organization within a day. Allowing former employees to continue to have access to their privileged credentials is a major risk area that must be addressed. Work with your IT team to improve your ability to immediately revoke access for employees who quit or are terminated. Have procedures in place to make sure that employees cannot take data with them when they leave. Require employees to turn in their laptops and other organizational devices before exiting the building.




