This lack of confidence in risk assessment is warranted for two reasons. First, nearly one in four companies (23%) indicated that they do not have a formal IT risk management program in place. Second, a large percentage of businesses do not routinely review user access rights to data.
More than 90% of respondents said that identification of user access is a core component of their IT risk management strategy, yet 60% said they only review individual user access or entitlements once a year or less frequently, with 45% saying they do not certify user access to high-risk applications on a regular basis.
All of this creates serious data breach risks from excessive user rights, access creep (an accumulation of access credentials as an employee transitions through different positions within a company), and inappropriate access by privileged users within the organization.
Not surprisingly, organizations discover some alarming facts when they conduct user access reviews:
- Nearly half (48%) of companies have discovered excessive user rights within their systems.
- 39% of respondents say they have identified instances of inappropriate access by privileged users within their organizations.
- 56% say they found cases where access was still active for a user’s prior role.
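The three findings above are exactly what an access review (entitlement certification) is meant to surface. The following is an added example, not code from the report or from any vendor it surveyed: a small Python review that compares each user's live entitlements against a role baseline and flags (a) entitlements left over from a prior role (access creep), (b) entitlements justified by no current or prior role (excessive rights), and (c) privileged entitlements that lack a recorded certification. The role baseline, the privileged-entitlement list and the user records are all constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical role baseline (constructed): the entitlements each job role
# legitimately needs. In practice this comes from the IAM/role model.
ROLE_ENTITLEMENTS = {
    "helpdesk": {"ticketing:read", "ticketing:write", "ad:password-reset"},
    "payroll-analyst": {"hr:payroll:read", "hr:payroll:write", "ticketing:read"},
    "dba": {"db:prod:read", "db:prod:admin", "ticketing:read"},
}

# Constructed list of high-risk entitlements that must carry a current,
# recorded approval regardless of role (the "certification" the survey asks about).
PRIVILEGED = {"db:prod:admin", "ad:domain-admin", "hr:payroll:write"}


@dataclass
class UserRecord:
    user: str
    current_role: str
    prior_roles: list      # roles the user held before, oldest first
    entitlements: set      # what the user can actually do today
    certified: set         # entitlements with a current recorded approval


@dataclass
class Finding:
    user: str
    entitlement: str
    kind: str  # "stale-prior-role" | "excessive" | "privileged-uncertified"


def review_user(rec: UserRecord) -> list:
    """Return the review findings for one user."""
    findings = []
    baseline = ROLE_ENTITLEMENTS.get(rec.current_role, set())
    prior_baseline = set()
    for role in rec.prior_roles:
        prior_baseline |= ROLE_ENTITLEMENTS.get(role, set())

    for ent in sorted(rec.entitlements):
        # Privileged access is checked independently of role fit.
        if ent in PRIVILEGED and ent not in rec.certified:
            findings.append(Finding(rec.user, ent, "privileged-uncertified"))
        if ent in baseline:
            continue  # justified by the current role
        if ent in prior_baseline:
            # Access creep: still active from a role the user no longer holds.
            findings.append(Finding(rec.user, ent, "stale-prior-role"))
        else:
            # Not explained by any role the user ever held.
            findings.append(Finding(rec.user, ent, "excessive"))
    return findings


def review_all(records: list) -> list:
    out = []
    for rec in records:
        out.extend(review_user(rec))
    return out


def summarize(findings: list) -> dict:
    """Count findings by kind, e.g. for a dashboard or the certification worklist."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample population: alice moved helpdesk -> payroll but kept a
# helpdesk right; bob is a DBA holding an uncertified domain-admin right.
SAMPLE_RECORDS = [
    UserRecord("alice", "payroll-analyst", ["helpdesk"],
               {"hr:payroll:read", "hr:payroll:write", "ticketing:read",
                "ad:password-reset"},
               {"hr:payroll:write"}),
    UserRecord("bob", "dba", [],
               {"db:prod:read", "db:prod:admin", "ad:domain-admin"},
               set()),
    UserRecord("carol", "helpdesk", [],
               {"ticketing:read", "ticketing:write", "ad:password-reset"},
               set()),
]

if __name__ == "__main__":
    for f in review_all(SAMPLE_RECORDS):
        print(f"{f.user:8} {f.entitlement:20} {f.kind}")
    print(summarize(review_all(SAMPLE_RECORDS)))
```

Running the review yields one stale entitlement for alice, one excessive right and two uncertified privileged rights for bob, and nothing for carol. Reviewing against both the current and the prior role baselines is what distinguishes access creep from outright unexplained access, which matters because the two usually have different owners and different remediation paths.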