Mismanagement of passwords costs Millions

Cyber-Ark announced the release of new research into Privileged Passwords - the non-personal, shared and administrative passwords that exist in virtually every device or software application in an enterprise - which shows companies are unknowingly losing millions of dollars annually due to costly outages, labor-intensive work, legal liability and audit deficiencies related to mismanaged privileged passwords. To simply maintain and update privileged passwords, the report estimates the typical enterprise spends more than $500,000 each year.

These trends and statistics are summarized in a white paper by IDC and sponsored by Cyber-Ark entitled “Privileged Password Management: Combating the Insider Threat and Meeting Compliance Regulations for the Enterprise” (Dec 2006, #204906). Alarming facts from the research include the following findings:

- Privileged passwords if unchecked can be an unmitigated security threat for an organization.

- Astronomical costs are associated with the manual updating of privileged passwords. The yearly cost of manually changing privileged passwords average $500,000+ for the typical Fortune 2000 company.

- There is a general lack of strict policies for creating and varying privileged passwords which would aid in the prevention of costly security breaches.

- Further complicating the issue is that many if not most privileged passwords are generic in nature and lack the personalization necessary for tracking and auditing purposes.

- Most organizations have more privileged user passwords than personal passwords.

- Most organizations today use the same password for many systems and devices. This creates a common security hole that can be exploited by external hackers.

Not only do privileged passwords pose a security threat, but maintaining, storing, changing and monitoring privileged passwords and their users is an expensive and daunting task. In particular, there are thousands of privileged passwords at all levels – devices, embedded, laptops, etc. – and the cost of changing them on a routine basis is difficult to do manually in any effective way. IDC estimates that it takes approximately $30 in man hours/labor to change the Sys-admin password on a single Microsoft Exchange Server.

"Our research shows that managing privileged passwords is a security conundrum," said Sally Hudson, research manager for IDC’s Security Services and Identity Management Products program and author of "Privileged Password Management: Combating the Insider Threat and Meeting Compliance Regulations for the Enterprise."

"IDC believes that the risk can be significantly mitigated by implementing policies which demand special treatment for privileged passwords,” added Hudson. “These include the ability to disable an employee’s system access promptly upon employee termination; enforcing a company-wide password change on a regular basis; and implementing reliable auditing and reporting systems. Furthermore, companies such as Cyber-Ark that offer a PPM solution are well-positioned to assist organizations in preventing unwarranted insider attacks.”

In addition, the research white paper reveals that system administrators, high level IT personnel and developers that have access to privileged passwords can create havoc within an organization if left unchecked as these passwords are literally the “keys to the kingdom”. The recent rise in computer-related ID theft and fraud, coupled with legislation demanding compliance for computer privacy and security, is forcing the issue of privileged access into the open and has created a situation where corporations must deal with the issue of privileged password management or face legal penalties.

“This report is groundbreaking as the first comprehensive study of PPM or Privileged Password Management,” said Udi Mokady, President and CEO of Cyber-Ark Software. “The security and compliance risks posed by privileged passwords are very real, are very large, and must be addressed in such a way that privileged password management becomes the cornerstone to every organization’s overall Identity and Access Management strategy.”

The research explores the concept of Privileged Password Management and looks at Cyber-Ark’s Enterprise Password Vault, which is designed to provide a secure, automated and integrated solution to this problem. Privileged passwords are the non-personal passwords that exist in virtually every device or software application in an enterprise, such as administrator on a Windows server, Root on a UNIX server, Cisco Enable on a Cisco device, as well as embedded passwords found in applications and scripts.

IDC’s research supports the findings of a recent Cyber-Ark survey of 140 IT professionals, which found that up to 42 percent of privileged passwords are never updated – a frightening prospect in today's environment of increased audits and hacker attacks. The Cyber-Ark 2006 Privileged Password Survey also revealed that privileged passwords are far more common in enterprises than previously thought: approximately half of all enterprises contain more privileged passwords than individual ones.