According to the results of a recent survey of more than 500 IT security professionals worldwide, 20 percent of organizations have never changed their default passwords on privileged accounts, and three in 10 allow accounts and passwords to be shared.
The survey, sponsored by Thycotic and conducted by Cybersecurity Ventures, also found that four in 10 organizations surveyed use the same security for privileged accounts as standard accounts, and 50 percent don't audit privileged account activity.
Although 76.5 percent of respondents consider privileged account management security a high priority and 60 percent say privileged account management security is required to demonstrate compliance with government regulations, 66 percent still rely on manual methods to manage privileged accounts, and just 10 percent have implemented an automated security vendor solution.
"While awareness is high among organization[s] on the importance of securing privileged accounts, according to results found in our survey, many organizations still fall short when it comes to adopting and maintaining best practices in the protection of privileged account credentials," Thycotic president and CEO James Legg said in a statement. "There are some serious gaps in the enforcement of basic security measures when it comes to securing privileged account credentials."
Fully 67 percent of organizations do not require approval for creating new privileged accounts, and three in 10 have not communicated the importance of following IT security policies to their stakeholders.
"Weak privileged account management is a rampant epidemic at large enterprises and governments globally," Cybersecurity Ventures founder and CEO Steve Morgan said in a statement. "Privileged accounts contain the keys to the IT kingdom, and they are a primary target for cybercriminals and hackers-for-hire who are launching increasingly sophisticated cyber attacks on businesses and costing the world's economies trillions of dollars in damages."
A separate survey of 600 U.S. security professionals, commissioned by TeleSign and conducted by Lawless Research, found that 69 percent of respondents believe user names and passwords alone no longer provide sufficient security, and 72 percent predict that passwords will be phased out completely by 2025.
Fully 86 percent of respondents say they're extremely or very concerned about authenticating the identity of Web and mobile app users. Nine in 10 companies have experienced fraud in the past year, and 79 percent are concerned about unauthorized access to Web or mobile end user accounts.
"The vast majority of security professionals no longer trust the password to do its job," TeleSign co-founder Ryan Disraeli said in a statement. "Thankfully, most companies aren't resigning themselves or their users to password-only account security. They are implementing two-factor authentication in droves and newer technologies such as behavioral biometrics are emerging to address many of the concerns developers have around adding new tech to their applications."
Ninety-two percent of respondents agree that two-factor authentication significantly increases account security, and 85 percent of companies will be using it within the next 12 months. Nine in 10 respondents say behavioral biometrics would be extremely or very valuable for increasing security, and 54 percent plan to implement it in 2016 or later.
A recent eSecurity Planet article offered advice on securing corporate data in a post-perimeter world.