Employees with the most access to high value information assets continue to be seen as a serious insider risk, according to a recent Ponemon Institute study, and healthcare organizations need to ensure their governance processes decrease the risk of privileged user abuse.
In the study, The 2016 Study on the Insecurity of Privileged Users, sponsored by Forcepoint, Ponemon Institute presents three years of research findings on how privileged users of information technology resources are often the riskiest employees. For the study, researchers surveyed 704 individuals with in-depth knowledge about how their organizations manage privileged users due to their access to their organizations’ IT networks, enterprise systems, applications and information assets. Of the respondents, 9 percent are from healthcare organizations. Privileged users include those in positions such as database administrators, network engineers, IT security practitioners and cloud custodians.
According to the findings of this study, these individuals often use their rights inappropriately and put their organizations’ sensitive information at risk. For example, the majority of respondents say privileged users feel empowered to access all the information they can view and, although not necessary, will look at an organization’s most confidential information out of curiosity, the study authors wrote.
“While the study reveals companies are taking steps to manage the risk, the perception among those knowledgeable about access rights in their organizations is that the risk is either unchanged or increasing,” the study authors wrote. The study indicated that 91 percent of respondents believe the risk of privileged user abuse will increase or stay the same in the next 12 to 24 months.
And the study authors noted that this finding is almost unchanged from five years ago when 86 percent of respondents were concerned about the threat. “Based on this finding, new solutions and governance processes are needed to decrease the risk of privileged user abuse,” the study authors wrote.
According to 79 percent of respondents, privileged access rights are required to complete their current job assignments. And 21 percent of respondents reported they do not need privileged access to do their jobs but have it, and cited two primary reasons. “First, everyone at his or her level has privileged access even if it is not required to perform a job assignment (43 percent of respondents). Second, the organization failed to revoke these rights when they changed their role and no longer needed access privileges (34 percent of respondents),” the study authors wrote of the survey findings.
The study findings uncovered 12 trends with regard to the risks created by the inability to control unauthorized access by privileged users.
When respondents were asked what factors will change their organizations’ approaches to access governance, 63 percent say it is the increasing number of regulations or industry mandates. However, privileged user abuse is becoming more influential in access governance processes. Thirty-two percent of respondents cited that as a factor in the latest survey compared to 19 percent in 2011.
According to the survey findings, it is becoming increasingly difficult to detect if insider behavior is a threat. “This is because security tools yield more data than can be reviewed in a timely fashion and behavior involved in the incident is consistent with the individual’s role and responsibility. Monitoring and reviewing of log files, SIEM and manual oversight are the primary steps taken to determine if an action taken by an insider is truly a threat,” the study authors wrote.
Forty-two percent of organizations represented in this study are correlating activity from multiple sources such as trouble tickets and badge records to determine risky privileged user behavior. More than half of the respondents, 57 percent, say their organizations do not have the capabilities to effectively monitor privileged user activities. Respondents cited a lack of resources, in-house expertise and technologies as barriers to correlating trouble tickets and badge records to minimize the privileged user risk.
There is a growing concern about the risk privileged users pose to data security, as increasingly, malicious insiders target privileged users to obtain their access rights, according to the study findings.
In 2011, only 21 percent of respondents said it would be likely that malicious insiders would use social engineering or other measures to obtain someone’s access rights. According to the 2016 survey, this concern has increased significantly, as 46 percent of respondents said it would be likely that malicious insiders would target privileged users' access rights. In addition, the study authors noted, more respondents say it is likely that social engineers outside the organization target privileged users to obtain their access rights.
And the study findings indicate that the most common scenarios that create the insider threat have not changed since 2014. Of the respondents, 74 percent say privileged users believe they are empowered to access all the information they can view, 66 percent say privileged users access sensitive or confidential data because of curiosity and 58 percent say the organization assigns privileged access rights that go beyond the individual’s role or responsibility.
Malicious insider threats are not the only risk with regard to employee misuse of data security. As reported by Healthcare Informatics, a recent study by professors and research scientists from Dartmouth College, the University of Pennsylvania and the University of Southern California found that medical workers, nurses and physicians frequently work around cyber security controls in healthcare settings, which leaves healthcare organizations vulnerable to cyberattacks and data breaches. According to those study findings, clinicians are doing so because information security systems often were developed without sufficiently considering clinical workflow and health IT usability.
“The problem,” the researchers in the Dartmouth College study wrote, “is the workers who build, use and maintain the systems—often chief information or technology officers (CIOs/CTOs), chief medical informatics officers (CMIOs), sometimes cybersecurity experts, and often just IT personnel—did not sufficiently consider the actual clinical workflow.”
According to the recent Ponemon Institute study, companies are increasing their deployment of processes for granting privileged user access. The use of commercial off-the-shelf automated solutions increased from 35 percent of respondents in 2011 to 60 percent in 2016. Since 2011, the use of manual processes such as by phone or email increased from 22 percent to 36 percent of respondents.
And the study findings indicate that companies still struggle to keep pace with the number of access change requests that come in on a regular basis, with an increase from 53 percent in 2011 to 61 percent in 2016.
Among the respondents, information security is rarely responsible for insider threat programs. Instead, information technology and lines of business are most accountable for the reduction of insider threats.
As far as solutions to mitigate risk, companies are increasingly relying on background checks, with 63 percent of respondents saying their organizations perform thorough background checks before issuance of privileged credentials and 60 percent saying they conduct regular privileged user training programs.
Thirty-seven percent of respondents say their organizations use identity and access control technologies to detect the sharing of system administration access rights or root level access rights by privileged users. This is an increase from 20 percent in 2011 and 33 percent in 2014.
According to respondents, a lack of visibility continues to hinder the ability to determine if users are complying with policies. “The study findings reveal that 39 percent of respondents are not confident that they have the enterprise-wide visibility for privileged user access and can determine if users are compliant with policies. Only 18 percent are very confident that they have this visibility,” the study authors wrote.
The study also examined how companies are allocating resources to reduce insider threat. “Forty-four percent of respondents say they have a budget specifically allocated for investment in enabling technologies to reduce the insider threat but a similar percentage (41 percent) say their organizations do not have one. An average of 10 percent of the overall IT budget is allocated to insider threat technology investments,” the study authors wrote.
The study authors concluded that organizations need to consider solutions and governance processes that will decrease the risk of privileged user abuse.