Maksim Pasko - Fotolia

Nearly two-thirds of businesses hit by credential abuse

Most businesses admit to breaches relating to abuse of user credentials, according to a report that highlights cyber hygiene failings in the UK and the importance of greater visibility and integration to cyber defence capability

Nearly two-thirds (64%) of business polled worldwide admit they have been hit by a breach linked to abuse of user credentials in the past year, with 62% blaming compromised credentials belonging to third parties.

This is the top finding of the latest global Privileged access threat report by privileged access management firm BeyondTrust, released at Infosecurity Europe 2019 in London.

The report highlights that in the UK, poor security hygiene by employees continues to be a challenge for most organisations.

Employees sending files to personal email accounts, for example, was cited as a problem for 64% of organisations compared with 60% globally, while colleagues telling each other passwords was also an issue for 65% of UK organisations in 2019, which is a significant increase from 49% in 2018.

The report also highlights that more than a third (35%) of UK businesses cite concern over unintended data loss when employees are using unsecured devices, and while 72% of UK organisations agree that they would be more secure if they restricted employee device access, they said this is not usually a realistic or a viable solution and typically has a negative impact on productivity.

“Both internal employees and third-party vendors need privileged access to be able to do their jobs effectively, but need this access granted in a way that doesn’t compromise security or impede productivity,” said Morey Haber, CTO and CISO of BeyondTrust.

“In the face of growing threats, there has never been a greater need to implement organisation-wide strategies and systems to manage and control privileged access in a way that fits the needs of the user.”

Globally, the businesses surveyed reported an average of 182 third-party suppliers logging in to their systems every week. In UK organisations, 46% said they have more than 100 suppliers logging in regularly, underlining the scope of risk exposure.

The UK data shows that businesses still tend to be too trusting, with 83% admitting they trust third-party suppliers accessing their networks, slightly up from last year’s report. However, trust in employee privileged access was cited at 87%, down from 91% a year ago.

In an age where data breaches have immense financial and reputational implications for businesses, BeyondTrust said the findings indicate that UK organisations need to do more to assess the level of trust they place in their third-party suppliers.

With the General Data Protection Regulation (GDPR) going into full effect on 25 May 2018, last year’s report found that compliance was the biggest driver of cyber security strategies for most UK firms.

However a year later, the study found that high-profile security breaches are the leading driver. Almost half (43%) said that high-profile security breaches not related to themselves has a significant effect on the way they are governing employee access, with GDPR compliance coming in third (41%) after unintended data loss from unsecured data devices, cited by 42% as driving their policies on employee network access.

In terms of threats posed by emerging technology, the report found that the risks associated with the internet of things (IoT) is a big concern for the professionals surveyed, with 61% of UK businesses citing that IoT devices pose a threat to security.

Despite this, a majority (80%) are confident they know how many IoT devices are accessing their systems compared with 76% globally, and 81% are confident they know how many individual logins can be attributed to these devices compared with 80% glogally.

At the same time, 41% of security decision makers perceive at least a moderate risk from bring-your-own-device (BYOD) policies compared with 47% globally.

The report shows that some organisations are managing these risks with a privileged identity and access management (PAM) system, with findings of the survey indicating that these organisations experience less severe security breaches and have better visibility and control than those that use manual systems or no system at all.

The majority (90%) of UK organisations with fully integrated PAM tools, as well as 90% globally, said they are confident that they can identify specific threats from employees with privileged access.

“Organisations need to accept that the way to mitigate risks is by managing privileged accounts through integrated technology and automated processes that not only save time, but also provide visibility across the environment,” said Haber. 

“By implementing cyber security policies and systems that also speed business efficiency, versus putting roadblocks in users’ way, organisations can begin to seriously tackle the privileged access problem.”

Read more about privileged access management

Read more on Hackers and cybercrime prevention