Nearly two in three cybersecurity professionals in a wide range of industries abuse their privileged access credentials, a new study by machine learning and risk analysis provider Gurucul found.
Gurucul partners with managed security service providers (MSSPs) in the healthcare and federal government markets.
It’s well documented that employees in all manner and size of business take inadvisable security risks. But Gurucul wanted to see how common it is for IT security personnel to also engage in risky behaviors. In a survey of 300 cybersecurity specialists attending the recent RSA Conference, 65 percent said they access documents that have nothing to do with their jobs. And, some 40 percent of respondents who experienced bad performance reviews also admitted to abusing their privileged access. That’s more than double the 19 percent overall rate, Gurucul said.
The end result is a compromised security system, said Kevin Franks, Gurucul marketing director, in a blog post. “What typically happens in most organizations is that too many people end up with too much access to systems and applications that aren’t relevant to their roles,” he said. “That means unauthorized individuals might have access into valuable resources they’re never supposed to see. This increases the possibility of critical information being stolen or leaked. And even if the employee does not intend to abuse his elevated access, it becomes a threat vector in and of itself if a cyber criminal compromises his account.”
The study’s key findings show:
- In finance, 58 percent said they have emailed company documents to their personal accounts.
- In healthcare, 33 percent have abused their privileged access.
- In manufacturing, 78 percent accessed documents unrelated to their jobs.
- In retail, 86 percent have clicked on a link in an email from someone they didn’t know.
- In midsize companies, 62 percent did not alert IT when their job role had changed.
The findings highlight the “problems organizations have with employees behaving outside of the bounds of practical and published security policies,” Gurucul said.
Additional conclusions from the study:
- The human element is often the deciding factor in how data breaches occur.
- Monitoring and deterring risky employee behavior with machine learning based security analytics is the most effective measure in keeping mayhem to a minimum.
- People may not realize their behavior in opening the door to cyber criminals, which is why security analytics technology is so critical to maintaining a secure corporate environment.
“We knew insider privilege abuse was rampant in most enterprises, but these survey results demonstrate that the infosecurity department is not immune to this practice,” said Saryu Nayyar, Gurucul chief executive. “Detecting impermissible access to resources by authorized users, whether it is malicious or not, is virtually impossible with traditional monitoring tools,” she said.