As valued members of your organization, IT administrators work every day to keep your systems up and running.
But in a rush to stay ahead of a heavy workload, your IT admins could be taking more shortcuts than you’d expect. And perhaps no aspect of IT suffers more from cutting corners than security.
Here are five facts about cyber security that your IT staff probably don’t want executives and employees to know.
1. Most Passwords Never Change
Sure, compliance regulations may call for frequent password changes on all accounts in your IT infrastructure. And your systems administrators may be tasked to change passwords on a regular basis. But your organization probably lacks the automation to change what could be thousands of the passwords that matter most.
Sensitive accounts such as administrator logins, embedded application-to-application passwords, and service accounts often keep the same passwords indefinitely because the IT staff may not have the right tools to track and change them. And, because systems and applications often crash when IT personnel attempt to change interdependent credentials, many of your organization’s most privileged logins can remain static for extended periods of time.
Ad-hoc change processes and handwritten scripts might succeed in updating a small number of passwords for some types of privileged accounts. But unless your organization has invested in privileged account management software, you can bet that many of the passwords that grant access to your organization’s most sensitive information are never changed. This means that unrestricted access to this data will continue to spread over time.
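The two symptoms described above, privileged passwords that are never rotated and credentials that are shared more widely than intended, are both things an organization can check for before buying any tooling. The script below is an added illustration and is not code from the original post or from its vendor: it runs a stale-credential audit over a handful of constructed account records shaped like what a directory export of "password last set" would give you. The account names, the 90-day age threshold and the "known to more than two people" threshold are assumptions chosen for the example.

```python
from datetime import datetime, timezone

# Constructed sample records (not taken from any real directory). Each record
# mirrors what an AD/LDAP export would provide: an account name, a coarse
# account type, when the password was last set (None = never rotated since
# creation), and how many people are recorded as knowing the password.
SAMPLE_ACCOUNTS = [
    {"name": "svc-backup", "type": "service",
     "password_last_set": "2019-03-02T10:00:00Z", "known_to": 7},
    {"name": "admin-dba", "type": "admin",
     "password_last_set": "2023-11-15T08:30:00Z", "known_to": 3},
    {"name": "app-erp-db", "type": "embedded",
     "password_last_set": None, "known_to": 12},
    {"name": "jdoe", "type": "user",
     "password_last_set": "2024-01-10T09:00:00Z", "known_to": 1},
]

# Account types the post singles out as the ones whose passwords matter most:
# administrator logins, embedded application-to-application passwords, and
# service accounts.
PRIVILEGED_TYPES = {"admin", "service", "embedded"}


def parse_timestamp(value):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def password_age_days(record, now):
    """Whole days since the password was last set, or None if never rotated."""
    if record["password_last_set"] is None:
        return None
    return (now - parse_timestamp(record["password_last_set"])).days


def audit_privileged_accounts(accounts, now, max_age_days=90, max_known_to=2):
    """Return {account_name: finding} for privileged accounts that are stale,
    never rotated, or known to more people than the policy allows.

    Thresholds are hypothetical policy values for this example."""
    findings = {}
    for rec in accounts:
        if rec["type"] not in PRIVILEGED_TYPES:
            continue  # only privileged accounts are in scope for this audit
        reasons = []
        age = password_age_days(rec, now)
        if age is None:
            reasons.append("never_rotated")
        elif age > max_age_days:
            reasons.append("stale")
        if rec["known_to"] > max_known_to:
            reasons.append("overshared")
        if reasons:
            findings[rec["name"]] = {"age_days": age, "known_to": rec["known_to"],
                                     "reasons": reasons}
    return findings


if __name__ == "__main__":
    # Fixed "now" so the output is reproducible for the constructed data.
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for name, finding in audit_privileged_accounts(SAMPLE_ACCOUNTS, now).items():
        print(f"{name:12s} age={finding['age_days']} known_to={finding['known_to']} "
              f"reasons={','.join(finding['reasons'])}")
```

In a real environment the record list would come from a directory export rather than an inline list, and the age threshold would be whatever the organization's rotation policy states. The point the audit makes is the one the post makes: unless something tracks last-set dates and who holds each credential, a service account set up years ago and shared with a dozen people looks exactly like every other account.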
2. Too Many Individuals Have Too Much Access
Regardless of your policies, your privileged account passwords are almost certainly known to large numbers of IT staff. And, for the sake of convenience, chances are these logins have even been shared with some individuals outside of IT.
As a result, contractors, service providers, programmers, and even end-users are likely able to gain privileged access using credentials that may never change. Unless you have technology to track privileged logins, delegate access, and change these powerful credentials after each use, you’ll never know exactly who has access.
3. Your CEO’s Private Data Isn’t So Private
Despite all the recent headlines about data breaches, you might still be surprised to know how many individuals have access to the files on your executives’ computers. Anyone with knowledge of the right credentials can gain anonymous access to read, copy and alter data.
Often these credentials are known not only to senior IT managers, but also to IT rank and file. It’s likely that your $12-per-hour help desk workers have access to more sensitive data than does your CFO.
4. Security Auditors Can Be Misled
If your IT admins know about security gaps that your auditors haven’t discovered, then they’ll likely try to take that knowledge to their graves. IT staff have limited time to complete higher-visibility projects that influence performance ratings and paychecks. Therefore, in many cases you can forget about them fixing any security holes that your auditors fail to notice.
5. Cyber Security Often Takes a Back Seat
Is your IT administrators’ pay structure tied to security? No? Then they’re probably not as proactive as you might expect when it comes to securing your network. Most IT admins won’t tell you about the security vulnerabilities they discover in the course of their jobs. They’re not paid to fight losing battles to gain the resources necessary to close each security gap.
Bring IT Into Balance by Enforcing Accountability
The security of each organization hinges on how well IT balances convenience with controls and accountability. All too often IT is given free rein to operate under its own rules when it comes to cyber security. As a result, IT staff may resist working under the same types of controls that apply to others in the organization.
Those organizations that work to bring IT into balance – introducing accountability through segregation of duties and auditing controls, while providing resources and incentives to achieve proactive cyber defense – will come out ahead.
Learn more about how you can proactively secure your IT environment. Request a demo of our cyber security platform.