A new survey from Courion has found that a third of enterprises have some degree of confusion about the level of IT risk they face.
The survey of 1,250 IT decision makers in large enterprises found that 33% of respondents do not believe their organizations have an accurate assessment of the level of IT risk they face from internal and external threats. According to the survey, 23% of companies do not have a formal IT risk management program in place. Having an accurate understanding of risks is the first step in developing a proactive security policy; without this ongoing assessment of risk, how can protections be put in place?
The survey also looked at how companies manage user access, a particular risk associated with data security. More than 90% of respondents said that identification of user access is a core component of their IT risk management strategy, yet 60% said they only review individual user access or entitlements once per year or less frequently, and 45% said they do not certify user access to high-risk applications on a regular basis. Given the churn of employees, as well as changing data access requirements, this infrequent review of user access is insufficient to manage user rights safely.
The survey also probed user rights and found that nearly half of all companies gave users more rights than were necessary for their roles. In addition, 39% of respondents said they have identified instances of inappropriate access by privileged users within their organizations.
For more on user access, here are some of our past posts on this topic: