The Lockdown

Thycotic’s Cyber Security Blog

Top 10 Questions to Ask Before Planning Your Privileged Account Management Strategy

Written by Joseph Carson

August 25th, 2016

The findings of the recent report from Thycotic and Cybersecurity Ventures highlight that many companies are not doing enough to protect the privileged accounts that are crucial to defending against cyber-attacks. In this blog series we will look at some of the key findings, so stay tuned.

One major metric: 80% of companies consider Privileged Access Management a high or top priority for their business. This shows that companies acknowledge the importance of privileged accounts. With 60% of companies required to demonstrate compliance with a government or industry regulation, failing to protect privileged accounts can mean failing to meet that compliance obligation, which has a direct business impact.

The main reason privileged accounts are so critical to both industry and regulatory compliance is that they are the “keys to the kingdom”. Privileged accounts have full permissions on computer systems and environments, which typically include the locations where sensitive data is stored: financial records, classified data, or personally identifiable information such as email addresses, postal addresses, credit card numbers and social security numbers. Most organizations do not realize that privileged accounts are not just human accounts or job roles; they exist everywhere, including on every piece of networking equipment, every switch and every Internet of Things device. Today most organizations manage these accounts manually, and where they do not, the accounts are simply left at their default settings, default credentials included.

So we know that companies understand the importance. Why, then, have so many of them failed to protect and secure their privileged accounts?

It appears many companies have identified this as a major cyber security risk but have failed to communicate it, or to implement solutions that automate securing these accounts. This leaves the company completely open to the risks that come with poor privileged account management practices. Additional survey findings: 40% of organizations have not communicated the importance of following IT security policies to their stakeholders, 60% still rely on manual methods to secure privileged accounts, and only 10% have implemented a commercial solution dedicated to protecting and securing privileged accounts.

So while privileged account management is acknowledged as a high priority, one of the major obstacles appears to be that companies do not know where to start, or which solutions exist to help address this risk.

Here are some easy steps on how your company can get started on protecting and securing privileged accounts:

  1. Educate key stakeholders about PAM security
  2. Discover how many privileged accounts you have and where your privileged accounts are located

One of the most important steps is to ensure every stakeholder has been clearly informed about and educated on the risks around privileged accounts. This is clearly one of the most significant failures, and it is important to identify what privileged accounts mean to your company. Ask the following questions to find out:

  1. What is a privileged account?
  2. Where are privileged accounts located?
  3. Who has access to privileged accounts?
  4. Do you have contractors accessing privileged accounts?
  5. When are privileged accounts used?
  6. What is the risk of privileged accounts being used by an external attacker?
  7. What is the risk of privileged accounts being used by an insider?
  8. Do you have an IT security policy covering privileged accounts in place?
  9. Are government and industry regulations applicable?
  10. Are you actively reporting on privileged account use and exposure?

Once you have identified how privileged accounts apply to your business, the next step is to discover the privileged accounts that actually exist on your network. The result can be a shock, as it will highlight the gap between what was known and what was not.
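A first-pass discovery for a Windows/Active Directory environment, as an added example that is not part of the original post or a Thycotic tool. It produces the inventory the discovery step and the "Windows" resource below call for, and answers three of the questions in the list above: where privileged accounts are, who holds them, and when they were last used. It assumes the RSAT ActiveDirectory module is installed, that it runs as a domain user with read access to AD and local administrator rights on the listed hosts, and that WinRM is enabled on them; the host names in $Hosts and the output path are placeholders.

```powershell
#Requires -Version 5.1
#Requires -Modules ActiveDirectory
# Added example (not from the original post): enumerate privileged accounts in one AD domain
# and the local Administrators group on a set of hosts, then flag entries that need review.
[CmdletBinding()]
param(
    # Built-in groups whose members hold elevated rights in AD (a starting list, not exhaustive).
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                                    'Administrators', 'Account Operators', 'Backup Operators',
                                    'Server Operators', 'Print Operators', 'DnsAdmins'),
    # Placeholder host names: replace with the servers whose local admins you want listed.
    [string[]]$Hosts = @('fileserver01', 'appserver01'),
    [string]$OutCsv = '.\privileged-accounts.csv',   # placeholder output path
    [int]$StaleDays = 90
)

Import-Module ActiveDirectory
$findings    = [System.Collections.Generic.List[object]]::new()
$staleBefore = (Get-Date).AddDays(-$StaleDays)

# 1. Members of privileged AD groups, expanded recursively so rights granted through
#    nested groups (where hidden privilege usually lives) are not missed.
foreach ($groupName in $PrivilegedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties Enabled, PasswordLastSet, PasswordNeverExpires, LastLogonDate, servicePrincipalName |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Scope           = 'Domain'
                Source          = $groupName
                Account         = $_.SamAccountName
                Enabled         = $_.Enabled
                PasswordLastSet = $_.PasswordLastSet
                NeverExpires    = $_.PasswordNeverExpires
                LastLogon       = $_.LastLogonDate
                # An SPN on a user object usually means a service account: a non-human
                # privileged account that often has no owner and an unrotated password.
                ServiceAccount  = ($_.servicePrincipalName.Count -gt 0)
            })
        }
}

# 2. Accounts with adminCount=1 that are in none of the groups above. AdminSDHolder sets the
#    flag when an account enters a protected group but never clears it, so these are usually
#    former admins whose ACLs still block inheritance; they deserve a look too.
$known = $findings.Account | Sort-Object -Unique
Get-ADUser -Filter 'adminCount -eq 1' -Properties Enabled, PasswordLastSet, PasswordNeverExpires, LastLogonDate |
    Where-Object { $known -notcontains $_.SamAccountName } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Scope = 'Domain'; Source = 'adminCount=1 (not in a listed group)'; Account = $_.SamAccountName
            Enabled = $_.Enabled; PasswordLastSet = $_.PasswordLastSet
            NeverExpires = $_.PasswordNeverExpires; LastLogon = $_.LastLogonDate; ServiceAccount = $false
        })
    }

# 3. Local Administrators on each host: domain groups and purely local accounts that never
#    show up in AD group membership at all.
Invoke-Command -ComputerName $Hosts -ErrorAction Continue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{ n = 'Host'; e = { $env:COMPUTERNAME } }, Name, ObjectClass, PrincipalSource
} | ForEach-Object {
    $findings.Add([pscustomobject]@{
        Scope = 'Local'; Source = "$($_.Host)\Administrators"; Account = $_.Name
        Enabled = $null; PasswordLastSet = $null; NeverExpires = $null; LastLogon = $null
        ServiceAccount = $false
    })
}

# 4. Flag what needs attention first and write the inventory out for the stakeholders.
$findings | ForEach-Object {
    $reasons = @()
    if ($_.Scope -eq 'Domain' -and -not $_.Enabled) { $reasons += 'disabled but still privileged' }
    if ($_.NeverExpires) { $reasons += 'password never expires' }
    if ($_.LastLogon -and $_.LastLogon -lt $staleBefore) { $reasons += "no logon in $StaleDays days" }
    if ($_.ServiceAccount) { $reasons += 'service account (has SPN)' }
    $_ | Add-Member -NotePropertyName Review -NotePropertyValue ($reasons -join '; ') -PassThru
} | Sort-Object Scope, Account | Export-Csv -Path $OutCsv -NoTypeInformation

"{0} privileged account entries written to {1}" -f $findings.Count, $OutCsv
```

The CSV is the artifact to take into the stakeholder conversation: the Review column lists, per account, the conditions a practitioner usually acts on first (disabled accounts still holding rights, passwords that never expire, accounts nobody has logged on with in the last 90 days, and service accounts). Network devices, switches and IoT devices mentioned above are outside what this script sees and need their own inventory.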

Watch for the next blogs in the series on what to do after you have discovered your vulnerable privileged accounts and educated your key stakeholders on the risks of mismanaging them.

Below are some useful tools and resources to help you get started. What is holding you back from getting started with privileged account management?

Take the Benchmark Survey for yourself!

Read the full DR Preparedness Benchmark report:

Discover your privileged accounts:

For Windows:


