Thycotic Study: Companies Stumble With Privileged Account Management

The majority of companies fail to adequately manage and secure privileged account credentials, according to a new study.

A survey from Thycotic and Cybersecurity Ventures shows a wide disparity between how companies prioritize the security of their privileged passwords and how they actually perform the task.

While four in five (80 percent) of respondents said privileged account management (PAM) security is a high priority, more than half (52 percent) received a failing grade for their PAM policies and resources.

“It was really amazing to us how poorly organizations are actually securing their own privileged accounts,” said Steve Kahan, Thycotic vice president.

Kahan pointed to two major reasons. The first is a lack of IT security personnel who have the time to stay on top of privileged accounts.

“There is a major labor shortage to the tune of about 1 million cyber workers now,” he said.{ad}

The second reason has to do with the overwhelming number of privileged accounts that exist in a company. Kahan said there are usually thousands of accounts and virtually zero visibility. Privileged accounts often belong to IT managers or third-party personnel.

“If you ask a chief information security officer (CISO) how many privileged accounts they within their organization, 90 percent-plus really have no idea how many privileged accounts they actually have.”

But Kahan said the lack of visibility and lack of personnel go hand in hand with a surplus of poor practices.

Thirty percent of companies allow accounts and passwords to be shared. One in five left keep their passwords as the default. Another three in five (60 percent) still use manual methods of recording passwords, including Excel spreadsheets.

“[When] you … combine all of those factors, it … gives you some very clear reasons as to why so many organizations are failing with respect to privileged-account security,” Kahan said.

Kahan said he believes the need for PAM will only increase, if not solely from the need for security, then also as a result of regulation.

“We think mandatory compliance to regulations is going to drive a swift change that these poor privileged account security practices cannot continue to exist,” he said. “So we see compliance being a driver for rapid change.”

His recommendation is to start by understanding the security risks involved with unsecured privileged accounts. Then companies should implement more related IT security policies and educate their employees about them. The next step is to locate the existing privileged accounts and attack the risk. From there, Kahan said organizations should look to install actually PAM solutions.