There have been a slew of major data breaches in recent years. The number of records exposed in data breaches last year alone reached 174.4 million—close to five times the 36.6 million records exposed in 2016, according to the Identity Theft Resource Center.
Every time you turn around, an organization is in the headlines for having millions of records compromised. You need look no further than the recent Equifax breach in which sensitive information on more than 140 million individuals was stolen. And this trend is expected to continue, with Cybersecurity Ventures’ 2017 Cybercrime Report estimating data breaches and other cybercrime costing the world $6 trillion per year by 2021, up from $3 trillion annually in 2015.
In the vast majority of data breaches, stolen credentials and privileged accounts are the prime target for hackers. In fact, Forrester estimates that 80 percent of security breaches involve privileged accounts.
Traditional privileged accounts are IT-based and carry special Active Directory (AD) attributes. IT administrators use them to log in to servers, switches, routers, and applications and perform tasks without restriction. That unrestricted access is exactly what makes them a significant risk: once obtained by an attacker, the accounts can be used to reach the most sensitive data, lock out legitimate users, and create ghost accounts and back doors that are not easily detected.
Some examples of traditional IT privileged accounts include:
While legacy security systems focus on protecting traditional AD privileged accounts, the traditional definition of privileged access simply is not adequate for today’s cybersecurity threats.
After all, privileged access has become much broader than IT administrator accounts. With digital transformation, more users are accessing more critical systems and more sensitive data. "Privileged" today must encompass any account that can cause reputational damage or that provides access to monetizable data, such as protected health information (PHI), credit card numbers, and Social Security numbers.
So what do you do about accounts that don't fall under the standard definition but still have access to confidential and critical data? There are business-privileged roles, such as payroll and social media manager accounts, that are not monitored by traditional AD-based security tools. And there are business systems and applications that require exactly the same protection as an organization's high-risk, high-value internal IT systems.
The hard truth is that any unsafe system or individual puts everyone at risk. There are many avenues of access to your systems, and more must be done to protect all accounts, not just traditional privileged accounts.
The recent breach of multinational accounting and tax firm Deloitte demonstrates the risk that poorly secured accounts pose to an organization. In this case, hackers breached an email server and gained access to the private emails of at least five million Deloitte clients. Their entry point was an administrator account protected by nothing more than a single password, with no second authentication factor required.
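The two definitions of "privileged" above (IT privilege visible in AD attributes, business privilege visible only in role and data-access inventories) and the Deloitte lesson (a privileged account guarded by a password alone) can be turned into a single inventory check. The following is an added example, not code from the original post or from any vendor's product: it classifies constructed sample accounts under both definitions and reports every privileged account that still has no second factor. The group names, role names, and data categories are assumptions chosen to match the post.

```python
"""Account inventory check under the broadened definition of "privileged".

Added example, not code from the original post. Each account is classified
two ways: IT-privileged from Active Directory attributes (privileged group
membership, adminCount=1, a servicePrincipalName), and business-privileged
from roles or data access the post calls monetizable. Privileged accounts
that still rely on a password alone are then reported. All account records
below are constructed sample data, not real accounts.
"""
from dataclasses import dataclass

# AD groups whose membership confers IT-style privilege (assumed typical set).
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators", "Backup Operators",
}
# Business roles the post names as privileged but invisible to AD-based tools.
BUSINESS_PRIVILEGED_ROLES = {"payroll", "social media manager"}
# Monetizable data categories named in the post (assumed labels).
SENSITIVE_DATA = {"PHI", "PAN", "SSN"}


@dataclass
class Account:
    sam: str                                   # sAMAccountName
    member_of: frozenset = frozenset()         # AD group memberships
    admin_count: int = 0                       # adminCount attribute (1 = AdminSDHolder-protected)
    spn: bool = False                          # has a servicePrincipalName (service account)
    business_roles: frozenset = frozenset()    # roles from HR / application inventory, not AD
    data_access: frozenset = frozenset()       # data categories the account can read
    mfa: bool = False                          # is a second factor enforced at login?


def classify(acct: Account) -> dict:
    """Return why an account counts as privileged, if at all."""
    it_reasons = []
    groups = acct.member_of & PRIVILEGED_GROUPS
    if groups:
        it_reasons.append("member of " + ", ".join(sorted(groups)))
    if acct.admin_count == 1:
        it_reasons.append("adminCount=1")
    if acct.spn:
        it_reasons.append("service account (SPN set)")

    biz_reasons = []
    roles = acct.business_roles & BUSINESS_PRIVILEGED_ROLES
    if roles:
        biz_reasons.append("business role: " + ", ".join(sorted(roles)))
    data = acct.data_access & SENSITIVE_DATA
    if data:
        biz_reasons.append("access to " + ", ".join(sorted(data)))

    return {
        "sam": acct.sam,
        "it_privileged": bool(it_reasons),
        "business_privileged": bool(biz_reasons),
        "reasons": it_reasons + biz_reasons,
    }


def audit(accounts) -> list:
    """Privileged accounts (under either definition) still protected by a password alone."""
    findings = []
    for acct in accounts:
        c = classify(acct)
        if (c["it_privileged"] or c["business_privileged"]) and not acct.mfa:
            findings.append((acct.sam, c["reasons"]))
    return findings


# Constructed sample inventory (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("jdoe", member_of=frozenset({"Domain Admins"}), admin_count=1, mfa=True),
    Account("svc_backup", member_of=frozenset({"Backup Operators"}), spn=True),
    Account("payroll01", business_roles=frozenset({"payroll"}),
            data_access=frozenset({"SSN"})),
    Account("socialmgr", business_roles=frozenset({"social media manager"})),
    Account("asmith", data_access=frozenset({"internal wiki"})),
]

if __name__ == "__main__":
    for sam, reasons in audit(SAMPLE_ACCOUNTS):
        print(f"{sam}: privileged ({'; '.join(reasons)}) but password-only")
```

Run against the sample data, the check reports the service account, the payroll user, and the social media manager; the domain admin passes only because MFA is enforced, and the ordinary user is never considered privileged. In a real deployment the AD fields would come from an LDAP query and the business roles from the HR or application inventory, which is the point: neither source alone sees the whole privileged population.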
Your organization must adopt a zero-trust mindset, operating under the assumption that all users, endpoints, and resources are untrusted and therefore, always need to be verified in order to reduce the risk of a breach.
If you do not broaden your understanding of privileged access, you are putting your organization at risk. In today's world, the traditional definition of privileged access is outdated and ignores many critical systems that contain monetizable customer and credit card data. Stay tuned for our two-part series, in which we'll explore the top business systems that are putting your organization at risk.
And to learn more about how to treat every account as privileged, download the ebook, Why Your Organization Should Treat Every Account as Privileged. This ebook covers how to implement identity-driven security solutions and best practices that will enable your organization to assess the risk level of all accounts and properly protect critical business systems.