News & Views

Privilege creep problem grows

There is a growing concern in data protection about the problem of ‘privilege creep’, a phenomena in which employees gradually accumulate excessive access privileges as they move through a business, even when they no longer need that access to do their job.  We sat down with Adam Strange, Data Classification Specialist at HelpSystems (www.helpsystems.com) to see what he thought of the issue.

“As news in recent days has highlighted, privilege creep is once again proving to be a real enemy of data security.  Forrester reports that lost, stolen, or compromised privileged credentials are involved in over 80% of all enterprise data breaches, making this an increasingly major issue across the entire business landscape.  The 2021 Identity and Access Management Report (
www.coresecurity.com/resources/guides/2021-identity-and-access-management-report) from Cybersecurity Insiders also indicates that 77% of organizations have at least a few users with more access privileges than required, while 54% of organizations are, at best, only somewhat confident in their ability to verify user access privileges.”

“In today’s extended and highly digitalized enterprise, maintaining oversight of everyone who needs privileged access to systems to do their jobs is an increasingly complex proposition.  This challenge is compounded by the fact that over time, users often accumulate more access rights to applications, systems, and resources than required to perform tasks associated with their current role.”

“Often flying under the security radar, these privileges create security blind spots that can potentially lead to devastating breaches.”

“The positive news is that there are practices that can be put in place to mitigate the security blind spots that these privileges can create.  Closing the gap on identity-related access risks means having a solid identity and access management (
www.helpsystems.com/solutions/cybersecurity/identity-access-management) (IAM) program in place that leverages a least privilege approach.  This includes defining and enforcing strong access policies, conducting periodic access reviews, and prioritizing role-based access control.  At the data level, privilege creep can be combated if data and documents are classified in the right way, and as a result, their usage is controlled.”

“In today’s digital economy, providing the right tools to tackle big data protection and over-provisioning issues is paramount to ensuring business success and safeguarding against financial and reputational risk associated with data loss incidents.  Combining best of breed data discovery and data classification technologies with IAM technology and identity solutions provides organizations with the right tools for the job and importantly enhances functionality that strengthens the discovery and classification process.  Once you have found your most sensitive and business critical data, determined the potential risks to its security, prioritized, and classified it, you can make informed decisions about how to protect your data at all stages of the life cycle, cutting costs, mitigating risk, improving efficiencies, and gaining control.”