Common-sense security measures are vital to preventing data breaches tied to privileged access management, yet many enterprises aren't diligent about enforcing basic practices. A recent study by BeyondTrust, "Five Deadly Sins of Privileged Access Management," reports that in many organizations users play fast and loose with passwords; users with admin privileges are running amok; unpatched vulnerabilities pose enormous risks; Linux/Unix servers aren't protected; and cloud apps aren't secured. These five "deadly sins" cost the typical enterprise surveyed nearly $4 million annually in lost productivity, incident mitigation costs, and legal or compliance issues. Morey Haber, vice president of technology for BeyondTrust, urged security teams to take control of enterprise credentials by eliminating credential sharing and bringing the embedded credentials hardcoded in applications and service accounts under management. "It's imperative to remove local admin rights from all Windows and Mac end users," he added, noting that 94 percent of Microsoft system vulnerabilities in 2016 can be attributed to users with admin rights. "Rather than elevating the entire user on a machine, elevate the user's access to specific applications to perform whatever action is necessary as part of his or her role." The BeyondTrust study is based on a survey of 474 IT professionals from around the world who are involved in privileged access management.
Phishing attacks have escalated sharply in recent years. What was once a nuisance has become a mainstream and increasingly dangerous problem. Beyond the rise in the frequency of attacks, phishing methods have become far more sophisticated. From staff members to executives in the C-suite, employees have been duped into handing over login data and other credentials that put an organization at risk. Wombat Security's second annual "Beyond the Phish" report offers some perspective on this issue. "Spear-phishing, business email compromise (BEC), and email-based ransomware are keeping response and remediation teams on their toes," the report notes. "But these are far from the only ways attackers can gain a foothold within an organization or compromise sensitive data and systems." The key to thwarting attacks and minimizing risk? Employee education and training. Wombat examined 70 million responses to its CyberStrength Knowledge Assessments from June 2016 to May 2017. Here are some of the key findings from that research, as well as from the firm's 2017 "User Risk Report."