Twenty-five percent of those who provided shared accounts with privileged access to internal staff or external partners (31 percent) admitted to not imposing additional security measures.
The Hong Kong Productivity Council (HKPC) is encouraging local enterprises to enhance their privilege access management to critical IT systems and networks to avoid internal and external security problems.
Wilson Wong, General Manager for IT and Business Process of HKPC, said the reports of large scale cyberattacks against overseas government, banks, retailers, and utilities indicated that gaining privileged access was a key step to blast chain of attacks.
"Besides, ransomware attacks can also find their way through taking control of privileged access. The victimised organisations may suffer from service disruption, data breach, financial loss, damage of reputation or even legal liability," explained Wong in a press release.
The HKPC's Study on Privileged Access Governance in Hong Kong enterprises revealed the failure of some local companies and organisations to make sufficient provisions to manage privileged access to critical IT systems and networks, thus leaving them open for attacks.
The study examined the use of privileged access in the country, which allows internal staff or external partners to freely navigate in an IT system or network and perform critical IT functions. It also looked at related security and management measures. The study is based on interviews of 51 local organisations.
While majority (81 percent) applied audit and management on privileged access to enhance security protection (78 percent) and comply with the requirements, some (18 percent) still encountered security issues such as external attacks or abuses of usage by internal staff.
In addition, a quarter of those who provided shared accounts with privileged access to internal staff or external partners (31 percent) admitted to not imposing additional security measures.
As such, Wong advised companies to improve their measures with regards to privileged access management, especially those that provide shared accounts for staff and give privileged access to IT outsourcing partners or cloud service providers.
Wong added business must consolidate and manage centrally the use identities and access, which must be logged, monitored, and audited. He explained the integration of privileged access management measures with security infrastructure can ensure a comprehensive protection of critical IT systems and networks.1