As many as 30 per cent of organisations in Singapore rely on antiquated processes to manage privileged accounts, with six in ten businesses allowing third-party partners, contractors or vendors to access such accounts.
That's according to One Identity findings, which also uncovered a widespread inability to implement basic best practices across identity and access management (IAM) and privileged access management (PAM) security disciplines.
The result is a significantly higher exposure to data breaches and security risks.
"Our research revealed a number of shocking findings including extensive sharing of privileged passwords internally and externally, failure to immediately deprovision old user accounts, and spending upwards of 30 minutes to reset a password,” said Serkan Cetin, regional manager, technology and strategy of Asia Pacific and Japan at One Identity.
"These poor practices are incredibly real and concerning risks to any organisation, so it is no surprise that there is a general lack of confidence in the effectiveness of IAM and PAM programs.
"These results are especially alarming in light of the series of breaches that have rocked Singapore and the region this year, such as the SingHealth breach that affected more than 1.5 million Singaporeans, which included Prime Minister Lee Hsien Loong as well."
The study was conducted by Dimensional Research, as part of One Identity’s “assessment of identity and access management in 2018” study, which polled more than 1,000 IT security professionals globally from mid-size to large enterprises on their approaches, challenges, biggest fears and technology deployments related to IAM and PAM.
"The fact of the matter is that organisations that fail to address these basic IAM and PAM best practices may not only expose themselves to significant security risks but also drive business productivity down,” said Cetin.
"This research should serve as a wake-up call to organisations to seek out ways to ensure, manage, and secure appropriate access across the entire organisation and user population – end users, third parties and administrators."
Overall, these findings paint a bleak picture of how many organisations approach IAM and PAM programs, indicating that critical sensitive systems and data are not properly protected, user productivity is hindered, and potential threats from mismanaged access remain a major challenge.
Furthermore, while 30 per cent of businesses are using manual administrative account management methods, six per cent of organisations do not manage administrative accounts at all.
A further 59 per cent of organisations grant privileged account access to third-party partners, contractors or vendors; and 76 per cent admit IT security professionals share privileged passwords with their peers at least sometimes, with one in five admitting this is usually or always the case.
These results are indicative of significant gaps in PAM programs across the board, and IT security professionals seem to be aware of their shortcomings, with only six per cent of IT security stakeholders completely confident in their PAM programs.
Local vs. global
Compared to their global counterparts (22 per cent), IT security professionals in Singapore are more likely to say they are not confident (25 per cent) in their PAM programs.
When it comes to organisations' behaviour around basic access tasks and responsibilities, the results are not good: 62 per cent of users' password resets take five minutes or longer to unlock, and more than one in ten (12 per cent) admit the task takes more than 30 minutes, implying widespread hindrance to employee productivity.
In the case of new user provisioning, 41 per cent of organisations take from several days to multiple weeks to provide access across all applications and systems needed.
Furthermore, nearly a quarter (22 per cent) of IT organisations surveyed take somewhere between several days and multiple weeks to deprovision former users from all of the applications and systems they were granted access to.
While the majority of respondents rate all aspects of their access control program as excellent or fair, only eight per cent are completely confident that they will not be hacked due to an access control issue.
Meanwhile, IT security professionals in Singapore are more likely to say they are not confident (23 per cent) about getting hacked compared to their global counterparts (18 per cent).
According to the survey results, one in three IT security professionals cited a disgruntled employee sharing sensitive information as their top fear (31 per cent), followed by having their CIO interviewed on TV following an IAM-caused data breach (26 per cent) and usernames and passwords being posted to the dark web (19 per cent).
Moreover, three quarters (75 per cent) of the IT security professionals admitted that it would be easy for them to steal sensitive information if they were to leave their organisation, with four per cent admitting they would steal sensitive information if they were mad or upset enough.
Effective IAM and PAM are critical components of any organisation's security strategy, but such results show businesses are still struggling to implement them.