
Why organizations should be concerned about privileged accounts

If privileged account management is the number one cyber security priority, why are financial institutions still using manual processes?

With an alarming series of cyber breaches being perpetrated using compromised privileged credentials, regulators now expect financial institutions to be able to demonstrate the effectiveness of their privileged account management (PAM) controls. But few institutions are currently following PAM best practice.

EY teams are helping the region’s banks, insurers and asset managers implement new PAM solutions that streamline compliance, reduce risk and lower the cost of auditing and monitoring.

Why organizations should be concerned about privileged accounts

‘Privileged accounts’ give people full access to and control over your organization’s most valuable and confidential information: customer identities, financial information, strategic information and personal data.

If privileged accounts are not managed with appropriate controls, they can be compromised by external, malicious actors (e.g. a cyber-criminal) or internal actors (e.g. a rogue administrator). Both can lead to destructive damage unless they are spotted and stopped quickly.

Not surprisingly, the passwords, tokens, keys and certificates that come with privileged access are prime targets of cyber criminals. And, unfortunately, these accounts are often protected by weak passwords that can be changed manually and easily shared with colleagues and teams.

Forrester estimates that at least 80% of data breaches have a connection to compromised privileged credentials [1]. One of them was the SingHealth breach, which affected more than 1.5 million Singaporeans, including Prime Minister Lee Hsien Loong.

In today’s increasingly complex IT environment, PAM is arguably a financial institution’s most critical cyber security control – more important than standard identity and access management. Businesses that are not securing and managing these high-value targets have an increased risk of insider threat and fraudulent employee activity. Considering the potential magnitude of a breach, for two years in a row, Gartner has nominated PAM as the first security project CISOs should focus on as part of its Top 10 Security Projects.

Who has a privileged account in your institution?

Privileged accounts can be used by humans (DBAs, SysOps, network administrators, ITSecAdmins, helpdesk operators, data center technicians, change managers, release managers, website administrators, bloggers, brand ambassadors, and outsourced teams) or by software applications with high privileges (application accounts, service accounts or accounts embedded in a script or code).

New regulatory focus on privileged access management

In the past five years, financial services regulators have started focusing on privileged access management. Already, the region’s institutions need to be mindful of:

Are you at risk?

  • Do you have visibility of how privileged accounts are managed, created and decommissioned?
  • Do you monitor the actions of privileged accounts?
  • Do your admins have continuous access to privileged accounts?
  • How are you controlling privileged application accounts, service accounts and accounts set to “password never expires”?
  • Are people sharing passwords of privileged accounts?
  • Do you have approval mechanisms or expiry set for shared accounts to achieve accountability?

How can you strengthen PAM controls?

Deploying a PAM solution is a highly complex process that requires appropriate planning, execution and an appropriate product. To remain compliant and avoid catastrophic breaches, institutions need to start now.

To manage privileged accounts effectively, you need PAM controls that align within an integrated IAM process and technology framework. The starting point for identifying and moving towards a compliant target state requires:

  • People
  • Process
  • Technology
  • Governance

What are the benefits of implementing a tailored PAM solution?

Find out how to reduce risk and improve compliance with PAM

As privileged accounts continue to be targeted and compromised, we expect regulators to increase control requirements. PAM is not a short journey. To ease transformation fatigue, it’s best to start early.

EY has been involved in numerous PAM transformations and has a team of dedicated resources based in Asia, with hands-on, strategy and implementation experience, ready to help you.

To find out more, contact the EY Financial Services team now.

Contact us

Anthony Robinson

Oceania Cyber Security Leader, Financial Services
+61 2 9248 5975

Wilson Feng

China Cyber Security Leader, Financial Services
+86 21 2228 6855
Greater China

Jeremy Pizzala

Asia-Pacific Cyber Security Leader, Financial Services
+852 2846 9085
Hong Kong

Simon Chandran

Hong Kong Cyber Security Leader, Financial Services
+852 2846 9888
Hong Kong

Sean Gunasekera

ASEAN Cyber Security Leader, Financial Services
+65 6718 1162

[1] The Forrester Wave™: Privileged Identity Management, Q4 2018
