Study Reveals Privileged Credential Abuse is Involved in 74 Percent of Data Breaches, Yet Over Half of Organizations are Not Taking Basic Steps to Prevent It
Centrify, a leading provider of cloud-ready Zero Trust Privilege to secure modern enterprises, announced results of a new survey revealing that most IT decision makers are not prioritizing Privileged Access Management (PAM) practices and solutions, despite knowing privileged credential abuse is involved in almost three out of every four breaches.
The survey of 1,000 IT decision makers evenly split between the U.S. and U.K. found that, of those whose organizations have experienced a breach, 74 percent acknowledged it involved access to a privileged account. This number closely aligns with Forrester’s estimate that 80 percent of security breaches involve compromised privileged credentials1.
However, despite being aware that they’ve been breached, most companies are still extremely immature in their PAM journey, and are granting too much trust and privilege. More importantly, they are not taking even the simplest measures to reduce risk and secure access to sensitive data and critical infrastructure. For example:
- 52 percent of respondents do not have a password vault
- 65 percent are still sharing root or privileged access to systems and data at least somewhat often
- 63 percent indicate their companies usually take more than one day to shut off privileged access for employees who leave the company
- 21 percent still have not implemented Multi-Factor Authentication (MFA) for privileged administrative access
“Forrester had already estimated that privileged credential abuse was the leading attack vector, but now we have the empirical research to back it up,” said Tim Steinkopf, CEO of Centrify. “What’s alarming is that most organizations aren’t taking the most basic steps to reduce their risk of being breached. It’s not surprising that Forrester has found 66 percent of companies have been breached five or more times2. It’s well past time to secure privileged access with a Zero Trust approach, and many organizations can significantly harden their security posture with low-hanging fruit like a password vault and MFA.”
The survey also revealed that, generally, respondents in the U.K. are behind their U.S. counterparts when it comes to securely managing privileged access. Forty-four percent of U.K. IT decision makers surveyed were not positive what Privileged Access Management is, and 60 percent do not have a password vault. This also affects their confidence in the ability to secure their organizations, as only 36 percent of U.K. respondents are “very confident” in their company’s current IT security software compared to 65 percent of U.S. respondents.
IT practitioners should consider that critical and fundamental security controls such as PAM are enablers for Digital Transformation, which was the top choice listed by respondents when asked which projects they’d prefer to work on. Industry research firm Gartner predicted Privileged Access Management (PAM) to be the second-fastest growing segment for information security and risk management spending worldwide in 20193. PAM was also named a Top 10 security project for 20194.
“Centrify believes that reason for this increased prioritization and spending on PAM is the increasingly-modern threatscape that security professionals are facing,” Steinkopf continued. “Today’s environment is much different than when all privileged access was constrained to systems and resources inside the network. Privileged access now not only covers infrastructure, databases and network devices, but is extended to cloud environments, Big Data, DevOps, containers and more.”
Indeed, the survey found that respondents are not controlling privileged access to these modern use cases, including:
- 45 percent are not securing public and private cloud workloads with privileged access controls
- 58 percent are not securing Big Data projects with privileged access controls
- 68 percent are not securing network devices like hubs, switches and routers with privileged access controls
- 72 percent are not securing containers with privileged access controls
Centrify is redefining legacy approaches to PAM with cloud-ready Zero Trust Privilege. To download a complimentary copy of the survey results, please visit http://bit.ly/CentrifySurvey.
For more information about Centrify Zero Trust Privilege, visit https://www.centrify.com/education/what-is-zero-trust-privilege/
 Forrester, “The Forrester Wave™: Privileged Identity Management, Q4 2018,” November 14, 2018.
2 “Stop The Breach: Reduce The Likelihood Of An Attack Through An IAM Maturity Model,” a commissioned study conducted by Forrester Consulting on behalf of Centrify, February 2017.
3 Gartner, Forecast Analysis: Information Security and Risk Management, Worldwide, 3Q18 Update, Rustam Malik | Deborah Kish | Christian Canales | Ruggero Contu | Sid Deshpande | Elizabeth Kim | Dale Gardner, 12 December 2018.
4 Gartner, Top 10 Security Projects for 2019, Brian Reed | Neil MacDonald | Peter Firstbrook | Sam Olyaei | Prateek Bhajanka, 11 February 2019.
Centrify is redefining the legacy approach to Privileged Access Management by delivering cloud-ready Zero Trust Privilege to secure modern enterprise attack surfaces. Centrify Zero Trust Privilege helps customers grant least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment. By implementing least privilege access, Centrify minimizes the attack surface, improves audit and compliance visibility, and reduces risk, complexity and costs for the modern, hybrid enterprise. Over half of the Fortune 100, the world’s largest financial institutions, intelligence agencies, and critical infrastructure companies, all trust Centrify to stop the leading cause of breaches – privileged credential abuse.