More than eight in 10 organizations manually review their access permissions, a new study found. But it might be more effective to outsource the automation and management of such services to managed security services providers (MSSPs) and managed service providers (MSPs), Netwrix, a data security specialist, said in its study of nearly 600 IT professionals.
Why Outsource to MSSPs and MSPs?
IT teams generally are not in a position to know exactly who needs what access to which IT resources. By contrast, MSPs and MSSPs come equipped with the right automation tools to ensure regular updates of user rights. Netwrix maintains an extensive partner program that includes resellers, technology partners and MSPs.
While 90% of organizations in the study already periodically review access entitlements or plan to do so within the next three years, some 81% said they do so manually, which can be unreliable and time consuming, according to Joe Dibley, security researcher at Netwrix.
"An email or instant message from some department head confirming access rights usually satisfies neither internal nor external auditors," Dibley said. “Moreover, this approach increases the chance of human error. I's too easy to forget about someone's answer or miss the email altogether."
Risk Reduction and Time Savings
In 41% of organizations, IT teams review user access rights not only manually but on their own, without involving business users at all. However, of those organizations in the study that have a dedicated tool for reviewing user access rights, roughly half said that the biggest benefit of that solution was risk reduction and more than one-quarter said time savings.
"Automating access reviews reduces cybersecurity risks directly, by ensuring a regular update of users' rights, and indirectly as well,” Dibley said. “Eliminating manual tasks frees up IT teams to focus on other critical activities, like investigating security incidents before they turn into breaches," he said.