Traditionally, privileged accounts are IT-based and carry special Active Directory (AD) attributes. IT administrators use them to log into servers, switches, routers, and applications and perform tasks without restriction.
Legacy security systems focus on protecting these AD privileged accounts, and with good reason: Once obtained by hackers, the accounts can be used to access the most sensitive data, lock out legitimate users, and create ghost accounts and back doors that are not easily seen.
However, there are also many business systems that offer access to monetizable data, such as protected health information (PHI), credit card numbers, reputation information, and social security numbers, that fall outside of the standard definition of “privileged.”
In this two-part blog series, we’ll examine six business systems that often aren’t treated with the same level of concern or security as privileged accounts, even though they provide access to highly sensitive and valuable information.
1) Email, Your New Online Storage
If you were to scan all employee emails, what would you find? Most likely, you’d discover valuable information that you don’t want to get outside your organization. Many companies, including those who regularly send and receive highly sensitive and confidential information, lack proper email security.
For example, the Panamanian law firm Mossack Fonseca hadn’t updated its client login portal and webmail systems in years and failed to encrypt sensitive emails. As a result, hackers exploited these security flaws to expose 4.8 million emails and 6.5 million other confidential client files.
There are numerous ways for hackers to get into your email systems. Versions might be out of date, and patches might not be applied in a timely manner, if at all. And most email systems do not encrypt message content, because of the expense and hassle.
And sometimes email account breaches are the result of human error, as was the case with the Russian hack of Clinton Campaign Chairman John Podesta’s email. Hackers gained access to Podesta’s email account when he supplied his password in response to a phishing email. The disclosure of 20,000 pages of sensitive and embarrassing emails by WikiLeaks contributed to Hillary Clinton’s loss to Donald Trump in the 2016 presidential election.
2) CRM and Marketing Automation
Other systems that are often overlooked are customer relationship management (CRM) software and marketing automation systems. Weak passwords can leave your prospect and customer information open to attack and theft.
CRM systems contain extremely valuable data that can include corporate intelligence, financial information, sales data, patient health information, credit card information, banking wiring instructions, and extensive details about a company’s customers. They can also hold regulated, confidential, and proprietary information.
Salesforce, the largest provider of CRM software, warned its users a few years ago about a Dyre malware attack that could compromise their customer data. The Dyre attack was preceded by an attack on Salesforce users with Zeus malware, widely used by criminals to steal financial data from banks and their customers.
And it’s not just cybercriminals who pose a threat to your CRM data. Departing employees often take customer data with them to their next employer. In one study of 150 insider data theft cases, 60 percent of the perpetrators stole proprietary information in order to get hired by a competitor, and 30 percent used the information to start a business.
3) Help Desk Systems / Ticket Management
Help desk systems are a gray area when it comes to privileged account management, because they blur the line between IT and business systems. They are often not protected as robustly as they should be, leaving them exposed to phishing attacks, weak passwords, and accounts that are never deprovisioned when an employee leaves.
In fact, close to 70 percent of companies fail to monitor their help desk employees, and one-fifth of employees fail phishing tests.
Oftentimes, help desk and ticket management systems are run by entry-level employees who aren’t well-trained in security. Yet, help desk employees handle sensitive data every day and have remote access to sensitive systems.
Expanding Your Organization’s Definition of Privileged
And there you have it, the first three business systems. To avoid a costly and potentially devastating data breach, your organization must expand its definition of “privileged” to encompass the accounts that access these systems as well.
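As an added illustration of what “expanding the definition of privileged” looks like in practice (this is example code written for this post, not a Thycotic tool), the script below takes a constructed inventory of accounts on email, CRM, help desk, and wiki systems, tags each system with the kinds of sensitive data it holds, and reports which accounts should be managed as privileged. It also cross-checks the inventory against a constructed HR list of departed users to surface the deprovisioning gap described in the help desk section: accounts that are still enabled for people who have left, with those on privileged systems flagged as urgent. The system names, data classes, user names, and the idea of exporting each system’s account list into this shape are all assumptions for the example.

```python
"""Inventory check: which business-system accounts deserve privileged-account
treatment, and which departed users were never deprovisioned.

All systems, accounts, and the HR roster below are constructed sample data."""
from dataclasses import dataclass

# Data classes that make a system "privileged" in the expanded sense: any account
# on a system holding one of these can reach monetizable or regulated data.
SENSITIVE_DATA = {"PHI", "PCI", "SSN", "FINANCIAL", "CUSTOMER_LIST"}


@dataclass(frozen=True)
class System:
    name: str
    data_classes: frozenset  # sensitive data types the system stores


@dataclass(frozen=True)
class Account:
    user: str
    system: str
    enabled: bool


# Constructed system catalog (assumption: an asset owner has classified each one)
SYSTEMS = {
    "exchange": System("exchange", frozenset({"PHI", "FINANCIAL"})),
    "salesforce": System("salesforce", frozenset({"PCI", "CUSTOMER_LIST"})),
    "helpdesk": System("helpdesk", frozenset({"SSN"})),
    "wiki": System("wiki", frozenset()),
}

# Constructed account export, one row per (user, system)
ACCOUNTS = [
    Account("alice", "exchange", True),
    Account("bob", "salesforce", True),
    Account("carol", "helpdesk", True),
    Account("carol", "wiki", True),
    Account("dave", "helpdesk", False),
    Account("erin", "wiki", True),
]

# Constructed HR list of users who have left the company
TERMINATED = {"carol", "dave"}


def privileged_accounts(accounts, systems, sensitive=SENSITIVE_DATA):
    """Return (user, system) pairs that should be managed as privileged:
    any account on a system whose data classes overlap the sensitive set."""
    return sorted(
        (a.user, a.system)
        for a in accounts
        if systems[a.system].data_classes & sensitive
    )


def deprovisioning_gaps(accounts, terminated):
    """Return accounts that are still enabled for users HR says have left."""
    return sorted(
        (a.user, a.system)
        for a in accounts
        if a.enabled and a.user in terminated
    )


def report(accounts=ACCOUNTS, systems=SYSTEMS, terminated=TERMINATED):
    """Combine both checks; a gap on a privileged system is the urgent case."""
    priv = privileged_accounts(accounts, systems)
    gaps = deprovisioning_gaps(accounts, terminated)
    urgent = sorted(set(gaps) & set(priv))
    return {"privileged": priv, "gaps": gaps, "urgent": urgent}


if __name__ == "__main__":
    for label, rows in report().items():
        print(f"{label}:")
        for user, system in rows:
            print(f"  {user}@{system}")
```

On the sample data, carol’s help desk and wiki accounts both show up as deprovisioning gaps, but only the help desk one is urgent because that system holds social security numbers; dave’s disabled account is not a gap. The same join works against real exports once each system has been classified by the data it holds, which is the step most organizations skip when they limit “privileged” to AD attributes.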
Stay tuned for part two where we’ll cover three more systems that are often overlooked when it comes to taking proper security measures.
And to learn more about how to protect these critical business systems, download our ebook: Why Your Organization Should Treat Every Account as Privileged.