Organizations in the United States are weakening their security by dilly-dallying when it comes to granting and revoking system access, according to new research.
A study published today by the Identity Defined Security Alliance (IDSA) uncovered significant delays in giving and rescinding access to corporate systems, impacting operations and increasing potential risk to the organization.
The non-profit’s report, “Identity and Access Management: The Stakeholder Perspective,” found that for the majority of companies (72%) it takes one week or longer for a typical employee to obtain access to required systems.
After a worker leaves, it takes half of organizations three days or longer to revoke the former employee’s system access, creating regulatory compliance issues and prolonging the risk of data theft.
Only 23% said that system access enablement is automated, while 35% said that revoking system access is automated.
The majority of organizations (83%) reported that the migration to remote work and other Covid-19-related factors have made managing access to corporate systems more difficult.
The report is based on an independent online survey of 313 qualified HR, sales, and help-desk professionals working at companies in the United States with at least 1,000 employees where a typical employee requires access to multiple systems.
All survey participants had direct responsibility for adding or removing access to corporate systems, but 62% said that they would be hesitant to cut worker access in the face of concerning behavior.
Only two in five (38%) reported that they would immediately block access for a worker who was accessing systems or data inappropriately.
Worryingly, 69% of access stakeholders admitted behaving in a risky way, including using the same username and password for both work and personal accounts, using an unauthorized device for work, or sharing credentials with non-workers. For the majority (68%), it was more important to get a job done than to carry it out in a secure way.
“Though the report findings are unsettling, they reflect the realities of today’s complex work-from-home environment and hybrid landscape of cloud and on-premises applications,” Greenlight president Kevin Dunne told Infosecurity Magazine.
“Typically, IT security teams rely on a hodgepodge of point solutions for each application with little visibility across the enterprise landscape. Fortunately, many new advancements have been made in the area of just-in-time provisioning, which can automate much of the access governance process and shave provisioning and deprovisioning time from days down to seconds.”