One-third of IT Administrators Do Not Have an Accurate Picture of IT Risk Facing Their Organizations
Courion survey finds enterprises have a poor understanding of IT risk and who has access to critical applications and data
WESTBOROUGH, Mass. — April 12, 2011 — Courion® Corporation, leaders in access governance, compliance, and provisioning announces the findings of a wide-ranging survey designed to unearth the level of understanding enterprises have regarding IT risk management and user access.
The global survey of nearly 1,250 IT decision makers at large enterprises – 72% of which have more than 1,000 employees – found that one third (33%) of respondents do not believe their organizations have an accurate assessment of the level of IT risk they face from internal and external threats. This lack of confidence in risk assessment is warranted for two reasons. First, nearly one in four companies (23%) indicated that they do not have a formal IT risk management program in place. Second, a large percentage of businesses do not routinely review user access rights to data.
More than 90% of respondents said that identification of user access is a core component of their IT risk management strategy, yet 60% said they only review individual user access or entitlements once per year or less frequently, and 45% said they do not certify user access to high-risk applications on a regular basis. All of this creates serious data breach risks from excessive user rights, access creep (an accumulation of access credentials as an employee transitions through different positions within a company), and inappropriate access by privileged users within the organization.
Not surprisingly, organizations are discovering some alarming facts when they conduct user access reviews:
- Nearly half (48%) of all companies have discovered excessive user rights within their systems.
- 39% of respondents say they have identified instances of inappropriate access by privileged users within their organizations.
- 56% say they found cases in which access was still active for a user’s prior role.
"The results of this survey indicate that there is still widespread misunderstanding of the impact user access reviews have on enterprise IT risk," said Kurt Johnson, vice president of strategy and corporate development for Courion. "No company wants to suffer the brand damage and liability caused by data breaches. The first step in preventing this is to establish a risk management strategy, and make user access reviews a key part of that process. Too often, an organization’s most highly sensitive data is easily accessible by numerous individuals who do not require access in the first place."
Courion recommends that organizations implement and carefully manage a comprehensive Access Assurance strategy in order to define, assess, enforce and verify that the right users have the right access to the right resources and are doing the right things. Ensuring that employees and contractors have least privilege – the least amount of access needed to perform their duties — is an important step in securing data.
Courion’s award-winning Access Assurance Suite solutions are used by more than 450 organizations and over 12 million users worldwide to quickly and easily solve their most complex identity and access management (password management, provisioning, and role management), risk and compliance challenges. Courion’s business-driven approach results in unparalleled customer success by ensuring users’ access rights and activities are compliant with policy while supporting both security and business objectives. For more information, please visit our website at www.courion.com, our blog at blog.courion.com, or on Twitter at twitter.com/Courion.« Back to Press Room