Anyone who has worked in (or even adjacent to) identity management long enough knows that system access is a problem. Onboarding employees takes too long, revoking access takes too long, and governance is usually a pipe dream.
It can be hard to quantify and communicate the impact of these issues to stakeholders throughout the organization. Access is often treated as an “IT problem.” Other business units view access as out of sight and out of mind and pay little attention to whatever rules have been put in place.
However, a recent report from the Identity Define Security Alliance (IDSA) underscores just how bad the system access problem is for today’s enterprises – and why this bad behavior poses significant security risks.
Lax Approaches to System Access Shocking But Not Surprising
IDSA surveyed HR professionals, sales managers, and help desk staff at companies with more than 1,000 employees about system access habits at their organizations. The survey targeted these professionals because of their direct responsibility for adding or removing access to corporate systems.
The major findings of the survey were shocking but not surprising. Let’s take a closer look.
Onboarding delays. For 72% of respondents, it takes a week for the typical worker to get access to the systems they need for their everyday work. For 21% of respondents, it can take a month or more. This is worrisome, but it’s more of a preventable productivity problem than an outright security risk.
Revoking delays. This is where it gets bad. Only one-third of respondents work for organization that revoke an employee’s system access they day they leave. Half said it takes at least three days, and 28% said it takes more than a week. When it comes to situations where an employee shows signs of suspicious behavior, 62% of respondents said they would be hesitant to cut off access for that employee.
Oh, it gets worse. More than half of sales managers said workers have taken information such as contracts, contacts, or internal collateral when they’ve left. More than 20% of respondents admitted to accessing applications from previous employers as well as taking sensitive information from those employers. In other words: Managers know that employees are likely to access information they shouldn’t, because one in five of them have done so themselves, but they’re still unwilling to revoke access as soon as possible, whether someone has been terminated or is acting suspicious. Yikes.
Actions don’t match words. Eight in ten respondents said security is a shared responsibility – something that everyone in the organization must prioritize. But when push comes to shove, security isn’t in fact a priority. Neatly 70% of respondents admitted to questionable security behavior – not just taking info from previous employers but using the same username/password combinations for work and personal accounts, writing passwords on notes taped to a monitor, and sharing log-in credentials with people outside the company. A similar percentage (68%) said getting the job done is more important than being secure. Is that what executive leadership wants to hear?
System access is a mess. For most companies, the system access process is not really a process at all. At 78% of companies, more than one department defines system access. This in and of itself isn’t a problem, but only 45% of companies grant standard access based on job title or role. Together, these points suggest that access is defined in an ad hoc way. This only leads to conflicts, delays, and the inevitable over-provisioning of access to avoid conflicts and delays – which increases exposure to cyber threats as well as bad behavior.
All in all, 40% of respondents characterize ownership of system access as “messy and all over the place,” and 83% said access request processes could be improved. One key example: Less than on in four companies in the survey automate system access enablement, and only about one-third automate revoking system access.
It’s Time to Take a Long, Hard Look at System Access
The results of the IDSA survey paint a sobering picture for the state of system access. Enterprises clearly don’t recognize the risks posed by lax policies coupled with bad behavior.
While it’s true that employees shoulder some blame for ignoring basic security best practices, enterprises need to take a long, hard look at why employees act this way. Is system access something that’s discussed on an employee’s first day but never mentioned again? Are policies too restrictive – or too loose? Does each department treat access differently?
Enterprises can address these challenges by creating a culture of governance where the easy way to do something is the right way. Automating processes such as role- or title-based onboarding, access request and review, and workflow management removes complexity, conflict, and delay. Employees spend less time waiting for access and more time getting work done – and when employees leave, enterprise can revoke access across the board in no time, closing a clear security gap.
If the IDSA survey results have you questioning whether your enterprise could do a better job with system access, get in touch. Clear Skye is all about giving enterprises #ABetterWaytoIGA™.