Bad Practice by ‘Privileged Users’ is Putting European Data at High Risk

By Prne, Gaea News Network
Wednesday, October 21, 2009

DITTON PARK, England -

- 41% of Respondents Who State That They Have Implemented the ISO27001 Standard Still Compromise Security at a Basic Level by Sharing Privileged User Accounts

CA (NASDAQ: CA), the world’s leading independent provider of IT management software, today announced the results of a European study conducted with the analyst company Quocirca. The study demonstrates that, despite their trusted position, privileged users are frequently the weakest link in the corporate security chain, due to poor management, inefficient manual processes and lack of awareness.

The study’s findings indicate a real risk of privileged user accounts being compromised, mirroring the ongoing case of Gary McKinnon, who gained access to the Pentagon’s IT systems.

While many of the 270 medium and large European organisations surveyed claimed to take steps to protect confidential data, including highly personal customer information, 41% of supposedly ISO27001* compliant organisations admitted non-compliant practices such as sharing privileged user accounts.

The survey, “Privileged User Management - It’s Time to Take Control”, looks at how privileged user management (PUM) is carried out across Europe. The findings are based on interviews with senior IT managers in 14 countries**.

Across Europe, 24% of organisations rely on forms of manual control for overseeing and controlling the actions of privileged users. Manual control is time-consuming, excessively expensive, unreliable, prone to error and most importantly, un-auditable. In the UK this figure rises to 29%. Despite the availability of privileged user management (PUM) systems, only 26% of European organisations surveyed have actually deployed them in full.

The research reveals that controlling and monitoring the activities of privileged users is not sufficiently high on the agenda of IT managers, despite the huge amount of trust placed in them. Respondents rank PUM below seven other actual security threats to the organisation (scoring 2.54 out of 5 on an index of threat), below malware (2.9), the Internet (2.7), internal users (2.7), and Web 2.0 tools (2.6). Budget availability may be a reason for this prevarication (scoring 3.3 out of 5 on the scale of limiting factors), although 85% state that the budget spent on IT security is either stable or increasing as a proportion of overall IT spending. Ultimately, it is likely that another main reason for holding back is an under-appreciation of the risks presented by privileged users.

Out of the 270 organisations questioned, 45 were based in the UK. While 47% of UK organisations have implemented ISO27001, the standard for IT management that explicitly states that “the allocation and use of privileges shall be restricted and controlled”, nearly 30% of respondents had not heard of it. Furthermore, only 44% of UK organisations could confirm administrator accounts were not shared between individual administrators.

“This landmark research provides strong evidence that organisations are overlooking a crucial area of IT security - the privileged access they grant to themselves or their colleagues in order to do their jobs,” says Simon Godfrey, Director, Security Solutions, CA.

“While such access is necessary, it is most commonly managed on an ad hoc basis and, despite claims to pay heed to the requirements of regulators, requirements with regard to privileged users are often overlooked. It is in the best interests of individual IT managers, the IT department, and the overall business to have measures in place to control and monitor privileged users. The deployment of PUM tools enables this and allows organisations to mature their use of PUM over time. Privileged user management is key to compliance, to reducing risk exposure, and to protecting critical business applications.”

Bob Tarzey, Analyst and Director, Quocirca Ltd, comments, “The research reveals clearly that while it is in the interest of individual IT managers, the IT department, and the business itself to adopt measures to control and monitor privileged users, it is not a priority. Manual processes are ineffective and do not provide an audit trail that would satisfy regulators. The one sure means of ensuring watertight privileged user management is through use of purpose-built tools to manage privileged user accounts, assign privileged user access rights and provide continual monitoring of privileged user activity.”

Country Differences

The research also reveals an interesting variation between the countries participating in the survey.

- The countries most likely to share administrator accounts between individual administrators are France (60%), followed by Belgium (60%), and the Netherlands (53%). The figure stood at 38% in the UK.

- By contrast, respondents in France were the most confident about being able to monitor and control privileged user accounts (scoring 4.26 on a scale of 1-5).

- The countries least likely to share administrator accounts between privileged users are Germany (10%), Spain (7%) and Israel (7%).

- 63% of French organisations participating in the survey rely on manual monitoring of privileged user activity, followed by Belgium (50%), and Denmark (47%). This fell to 27% across organisations in the UK.

About the study

“Privileged User Management - It’s Time to Take Control” was conducted by Quocirca, a primary research and analysis company specialising in the business impact of ICT. A total of 270 interviews were conducted during June 2009 among IT Directors, Senior IT Security Managers, and other IT Managers in four vertical sectors: telecommunications & media, manufacturing, financial services, and government.

In addition, CA today announced new product releases and integrations that help address security and compliance challenges, including CA Access Control 12.5 which provides technology to support privileged user and password management.

Please visit www.ca.com/us/press/release.aspx?cid=217987 to learn more about today’s news.

To download a copy of the survey report, please visit www.ca.com/gb/mediaresourcecentre

* The ISO27000 series of standards for IT management states that “the allocation and use of privileges shall be restricted and controlled”

**Belgium, Denmark, Germany, Finland, France, Ireland, Israel, Italy, the Netherlands, Norway, Portugal, Spain, Sweden, and the UK.

About CA

CA (NASDAQ: CA) is the world’s leading independent IT management software company. With CA’s Enterprise IT Management (EITM) vision and expertise, organizations can more effectively govern, manage and secure IT to optimize business performance and sustain competitive advantage. For more information, visit www.ca.com.

Quocirca is a leading primary research and analysis company, specialising in the impact emerging and evolving technologies have on businesses of all sizes. Based in the UK, Quocirca’s primary research reach is world-wide, investigating, analysing and reporting on the perception of decision makers and influencers in the end user environment around technologies within their businesses.

Connect with CA

www.ca.com/us/social-media

www.ca.com/us/news/content.aspx?cid=170073

www.ca.com/us/press-releases.aspx

www.ca.com/us/it-management-podcasts.aspx

Trademarks

Copyright (c) 2009 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 11749. All other trademarks, trade names, service marks and logos referenced herein belong to their respective companies.

Contact: Lisa Stassoulli, Principal, CA, +44-(0)-7824-607584, Lisa.stassoulli@ca.com; Simon Burberry and Brad Jordan, +44-20-7680-5500, ca@chameleonpr.com

Source: CA

