Lock (2)

With the frequency of damaging cyber-attacks, organisations of all sizes are at risk of not only financial loss, but also blackmail, espionage and the inability to conduct business as usual. Increasingly, executives and boards of directors are being held accountable for their company’s cyber security programmes.

A common denominator in nearly all recent cyber-attacks is the compromise of privileged accounts or credentials. In the hands of external cyber adversaries and rogue insiders, these powerful administrative credentials enable broad and often-undetected access to a corporate network and the most sensitive information held within. They are often described as the “keys to the IT kingdom".

Sharing cyber insight and experience among C-level executives has taken on increased importance. This includes Chief Information Security Officers (CISOs) who are often tasked with developing and managing cyber security strategies, including privileged account security, which is essential to bolstering the security of UK enterprises. Based on insights derived from interviews with a panel of Global 1000 CISOs, we collected essential advice for businesses seeking to balance enabling and restricting user access to sensitive information.

Three strategic decisions

These core decisions will power strategy by addressing security versus business trade-offs. It will help the CISO and security team decide:

  1. What should we do when? Enterprises can have tens of hundreds of thousands of privileged accounts, which can outnumber the employee headcount by three to four times. The key is to prioritise the accounts requiring the most robust protection and to evaluate risks on an ongoing basis. This can be achieved by focusing on the accounts that provide elevated access to the organisation’s most critical systems.
  2. What’s the best mix of controls? Reducing risks around privileged accounts requires a layering of preventive and detective controls. Preventive controls can help stop unauthorised activity, while detective controls can help to discover it when it occurs, either maliciously or by mistake, before any significant damage occurs.
  3. How much is enough? Security staff must work with users to create appropriate controls that will not hinder operations and lead to them being circumvented.
Four pivotal conversations

To gain stakeholder cooperation and build lasting support for change, here are four key conversations the CISO and security teams will need to drive:

  1. Executive buy-in: Providing information on how privileged access controls – or the lack of – played a factor in publicised cyber attacks will provide a useful reminder to executives of the threat facing their business, while proof-of-concepts can help to illustrate the need for better visibility into how and critical systems are being accessed.
  2. Working with business and IT process owners: If a security team works closely with the owners of all critical business and IT processes, they will understand the underlying credential usage and can incorporate that knowledge into the design of controls.
  3. Engaging IT admins and other privileged users: Acknowledging that changes may impact workflows and showing empathy for potential disruption is important, as is ensuring that these perceptions are addressed and challenged. Best practice security should streamline many tasks and make operating with credentials much more efficient.
  4. Asking developers to refactor applications: Applications should be refactored so that credentials are securely managed and accounts with lower-level permission are used. Refactoring is not without its challenges, which the security team will need to work through with developers, determining the right level of privilege for each application.
Five essential components

A sustainable privileged access initiative requires the CISO and security team to focus on five key elements:

  1. Realistic expectations: Rolling-out enhanced privileged access controls can take time and there may be some temporary disruption during the implementation phase. However, organisations can expect to see results in terms of risk reduction almost immediately after deploying improved controls.
  2. The right skillsets: Teams that overhaul their organisation’s privileged access controls must have technical and design expertise, knowledge of security governance and risk, as well as project management and communication skills in order to ensure a seamless integration of the changes.
  3. Metrics: These can be used to test the effectiveness of controls and gauge the effects on efficiency, system availability and application performance.
  4. A plan with milestones: Identify early goals, define phases and keep the momentum going with regular status updates.
  5. The right tools: Understand your strategic goals and formulate an approach first, before finding a tool that will help achieve this.
Addressing the gaps in security programmes to better protect privileged credentials can be achieved with a combination of technical and communication skills, a methodical plan, the appropriate tools and persistence. As it is now widely accepted that the theft of privileged credentials and privilege escalation are key stages in the most advanced cyber-attacks, this must be a top priority for business leadership in 2016.

By Matt Middleton-Leal, regional director, UK & Ireland at CyberArk