2018 Global State of Privileged Access Management Risk and Compliance: Part 1

Written by Joseph Carson

April 26th, 2018

Most companies are FALLING SHORT on compliance when it comes to privileged accounts!

Thycotic’s research shows that Privileged Access Management is a top risk and compliance requirement, yet it is rarely implemented in full, which means most companies fall short on compliance for privileged access.

The majority of organizations begin to implement Privileged Access Management only after a failed audit or major cyber security attack, sometimes costing the organization millions of dollars.

Our 2018 Global State of Privileged Access Management Risk and Compliance Report describes the latest results from our global study. It reveals major risk and compliance gaps in the way organizations manage and secure their privileged accounts and access to sensitive systems, infrastructure and data. The report highlights that the risk associated with privileged accounts is extremely high, yet many organizations fail to put complete, effective and measurable security controls in place to reduce it. Most organizations acknowledge the important role privileged accounts play but fail to protect and secure them.

Download the 2018 Global State of Privileged Access Management Risk and Compliance Report

Introducing Thycotic’s Privileged Access Management Risk Assessment

Launched in late 2017, the Thycotic Privileged Access Management Risk Assessment has already engaged over 500 global IT security professionals. The assessment results indicate that awareness of Privileged Access Management continues to grow, with a focus on risk and compliance and the significant impact they have on an organization’s security. But the results also confirm that many organizations fail to mitigate the risk or to put effective security controls in place to meet compliance.

Why are they failing? Because getting privileged access right can be a challenge

‘Privileged access’ encompasses the access to computers, networks and network devices, software applications, digital documents, and other digital assets that upper management, IT administrators, and service accounts have. This type of elevated access carries more rights and permissions than those given to standard business users. Privileged access is the access most often targeted by cyber security threats because it leads to the most valuable and confidential information, such as customer identities, financial information, and personal data. It also allows a cyber-criminal to hide their tracks and, in many instances, get away with the crime. A privileged account can be the difference between a simple perimeter breach and a major cyber catastrophe.

Some of the standards used in the Thycotic Privileged Access Management Risk Assessment

The cyber security professionals at Thycotic created the assessment survey based on the latest security and compliance standards listed below. The Thycotic Privileged Access Management Risk Assessment is intended to be a general privileged access management risk tool and is therefore based on a combination of these standards. What is clear is that standards and government regulations globally have raised the importance of privileged access. Almost all of them include strong recommendations to protect and secure privileged access, as it is one of the most effective security measures, preventing many different types of cyber-attacks, from data breaches to malware infections.

These are the security and compliance standards considered in the assessment:

ISO – ISO/IEC 27002 is an information security standard (a code of practice for information security controls) published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

NIST – The National Institute of Standards and Technology (NIST) is a measurement standards laboratory, and a non-regulatory agency of the United States Department of Commerce.

PCI – The Payment Card Industry Data Security Standard (PCI-DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes.

CIS CSC – The Center for Internet Security Critical Security Controls for Effective Cyber Defense is a publication of best practice guidelines for computer security.

EU GDPR – The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).

Why Privileged Accounts make an attractive target

A privileged account is an account used by IT Security and Operations administrators to access or log on to laptops, desktops, servers, switches, firewalls, routers, applications, and/or database servers. Privileged accounts are necessary to enable IT staff to manage, configure, troubleshoot, or perform maintenance tasks.

In larger organizations there can be hundreds if not thousands of these accounts across the enterprise in any number of locations—many still with vendor default passwords, built-in accounts left enabled and passwords that have not been changed since installation.

Many privileged accounts are machine-to-machine accounts that allow applications to communicate with dependent services or systems to perform their tasks. Almost all of these ship with basic default accounts and passwords that, when left unmanaged, pose a major security risk.

Hackers target Privileged Accounts to gain unfettered access and get away with cyber-crimes

Hackers are targeting privileged account credentials for good reason. The past year has been busy for cyber criminals: public reports describe hundreds of data breaches, with more than 4.5 billion records exposed in 2016 alone and more than 3 billion accounts and credentials exposed again in 2017. The healthcare, education, retail, technology, financial, and governmental sectors head the list of the most targeted business areas.

In the vast majority of breaches, stolen credentials and privileged accounts are the prime target for hackers because they unlock the access required to reach virtually any part of an organization’s network, including critical and sensitive data. Compromise of privileged credentials can turn a simple perimeter breach into a cyber catastrophe. Once attackers gain a foothold, they can escalate their privileges and move laterally through the network to find and compromise confidential information, or use ransomware to encrypt critical business data.

By hijacking the privileged credentials of an authorized user, an attacker can blend in with legitimate traffic and be extremely difficult to detect. This is one reason the average dwell time of a breach exceeds 200 days: most breaches go undetected for many months. In almost all Advanced Persistent Threats and major data breaches, compromised privileged accounts have been a primary target of the attackers.

Privileged Account Management Security provides proven protection and is an effective security control

Privileged Account Management security offers mission-critical solutions to protect privileged credentials from unauthorized access and misuse. It helps ensure that if and when perimeter defenses are breached, privileged account controls will act to limit access to sensitive information and curtail an attacker’s ability to move unhindered throughout the IT environment.

Privileged Account Management security software provides automated tools to:

  • discover and manage accounts
  • determine who has access and when access occurs
  • audit, grant and revoke access
  • rotate passwords regularly

In the event of a breach, the passwords of recently used accounts can be quickly randomized to lock down the environment, and additional security layers enabled to protect privileged accounts.
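The discovery, audit and rotation controls listed above, and the stale vendor and service-account passwords described earlier, as an added example that is not part of the original post or of Thycotic’s products: a Python script that builds an inventory of local Unix accounts from /etc/passwd, /etc/shadow and /etc/group text, marks the privileged ones (uid 0, or membership in root, wheel or sudo; an assumed list), flags passwords that have not been rotated within 90 days or that never expire (an assumed policy), and generates a random replacement password for each flagged account. The file contents, the assessment date and the placeholder hashes are constructed sample data, not from a real host, and applying the new passwords (via chpasswd or a vault) is deliberately left to the caller.

```python
"""Added example (not code from the original post or from Thycotic):
inventory privileged local Unix accounts, flag passwords that were never
rotated after installation, and generate replacement passwords.
It runs over constructed /etc/passwd, /etc/shadow and /etc/group text."""
import secrets
import string
from dataclasses import dataclass, field
from datetime import date

EPOCH = date(1970, 1, 1)                   # /etc/shadow counts days from here
AS_OF = date(2018, 4, 26)                  # assumed assessment date
MAX_PASSWORD_AGE_DAYS = 90                 # assumed rotation policy
ADMIN_GROUPS = {"root", "wheel", "sudo"}   # assumed privileged groups

# Constructed sample files; the hashes are placeholders, not real hashes.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
oracle:x:1001:1001:Oracle service account:/opt/oracle:/bin/bash
svc_backup:x:1002:1002:Backup agent:/var/backup:/usr/sbin/nologin
alice:x:1003:1003:Alice:/home/alice:/bin/bash
bob:x:1004:1004:Bob:/home/bob:/bin/bash
"""
SHADOW = """\
root:$6$salt$hash:17000:0:99999:7:::
oracle:$6$salt$hash:17000:0:99999:7:::
svc_backup:$6$salt$hash:17000:0:99999:7:::
alice:$6$salt$hash:17620:0:90:7:::
bob:!:17000:0:99999:7:::
"""
GROUP = """\
root:x:0:
wheel:x:10:alice
sudo:x:27:oracle
backup:x:1002:svc_backup
"""

@dataclass
class Account:
    name: str
    uid: int
    gid: int
    shell: str
    groups: set = field(default_factory=set)
    hash: str = ""
    last_change: int = -1   # days since EPOCH, -1 if unknown
    max_age: int = 99999    # 99999 means the password never expires

def parse_colon_file(text):
    """Yield the fields of every non-empty line of a colon-separated file."""
    for line in text.splitlines():
        if line.strip():
            yield line.split(":")

def load_accounts(passwd_text, shadow_text, group_text):
    """Merge passwd, shadow and group data into one Account per user."""
    accounts, gid_to_group = {}, {}
    for f in parse_colon_file(passwd_text):
        accounts[f[0]] = Account(f[0], int(f[2]), int(f[3]), f[6])
    for f in parse_colon_file(group_text):
        gid_to_group[int(f[2])] = f[0]
        for member in filter(None, f[3].split(",")):
            if member in accounts:
                accounts[member].groups.add(f[0])
    for acct in accounts.values():
        # primary group membership comes from the gid, not the member list
        if acct.gid in gid_to_group:
            acct.groups.add(gid_to_group[acct.gid])
    for f in parse_colon_file(shadow_text):
        if f[0] in accounts:
            acct = accounts[f[0]]
            acct.hash = f[1]
            acct.last_change = int(f[2]) if f[2] else -1
            acct.max_age = int(f[4]) if f[4] else 99999
    return accounts

def is_privileged(acct):
    """uid 0, or primary/supplementary membership in an admin group."""
    return acct.uid == 0 or bool(acct.groups & ADMIN_GROUPS)

def assess(accounts, as_of=AS_OF):
    """Return {name: [reasons]} for privileged accounts needing attention."""
    findings = {}
    today = (as_of - EPOCH).days
    for acct in accounts.values():
        if not is_privileged(acct):
            continue
        reasons = []
        if acct.hash == "":
            reasons.append("empty password")
        elif acct.hash.startswith(("!", "*")):
            pass  # locked: cannot authenticate with a password
        else:
            age = today - acct.last_change
            if acct.last_change < 0:
                reasons.append("password age unknown")
            elif age > MAX_PASSWORD_AGE_DAYS:
                reasons.append(f"password {age} days old")
            if acct.max_age >= 99999:
                reasons.append("no maximum password age")
        if reasons:
            findings[acct.name] = reasons
    return findings

def new_password(length=24):
    """Random replacement password, to hand to chpasswd or store in a vault."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

def rotation_plan(accounts, as_of=AS_OF):
    """New password per flagged account; applying it is left to the caller."""
    return {name: new_password() for name in assess(accounts, as_of)}

if __name__ == "__main__":
    accts = load_accounts(PASSWD, SHADOW, GROUP)
    for name, reasons in assess(accts).items():
        print(f"{name}: {', '.join(reasons)}")
```

On the sample data the script flags root and oracle (password set at day 17000 and never expiring) while alice, who rotated 27 days ago under a 90-day maximum, passes; svc_backup and bob are not privileged and are skipped. Primary group membership is derived from the gid because it is not listed in /etc/group, which is exactly how a service account quietly ends up in an admin group.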

Here are some results revealed in Thycotic’s report—we were shocked to see these figures and you will be too:




Learn more about our research and the results—download the 2018 Global State of Privileged Access Management Risk and Compliance Report.