How mysterious, over-powerful workers are causing IT security headaches

Summary: Too many staff with admin rights are making life hard for IT security teams.

TOPICS: Security, Windows

When it comes to IT security, it's often said the biggest threat is not evil hackers or government spies - but the bad habits of office workers themselves. And it looks like the threat could be getting worse: IT security staff are struggling to keep up because end users have become too powerful and mysterious, according to research.

The findings show the proportion of end users with administrator rights over their devices is increasing, which could potentially undermine IT security. If a user has administrator rights over their PC they can make far more wide-reaching changes to their devices than they would otherwise be able to do with a standard user account.

Hackers and malware will often seek out accounts with admin rights in order to do more damage than they would otherwise be able to do, which is why admin rights are usually limited.

But an average of 31 percent of users have administrator access privileges in the organisations surveyed. Forty-two percent of respondents said this is primarily due to the increase in the use of mobile devices and cloud services. Four out of ten blamed employees demanding more power over their devices.

IT staff also complain that they don't know what users are up to either: 55 percent of respondents admitted they had somewhere between zero and very low visibility of user behaviour such as their software downloads or access to applications and databases. "This signals a major vulnerability that can make defending the endpoint difficult," the report noted.

The study found that protecting PCs and other devices also eats up a lot of time: an average of 48 percent of the organisation’s total time spent on security issues is on issues such as patching, user privileges, application control, firewalls and anti-virus. The Ponemon Institute research, which surveyed 559 tech professionals, was commissioned by privilege management company Avecto.
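The report's two complaints, too many users with admin rights and too little visibility into who holds them, can be checked directly. The following PowerShell audit is an added example, not code from the article or from the Ponemon/Avecto report: it pulls local Administrators membership from a list of machines and flags anything not on an approved allowlist. The computer names and the allowlist are constructed placeholders; it assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later) and PowerShell Remoting to the targets.

```powershell
# Added audit example (not from the article or the report it cites).
# Lists members of the local Administrators group on each named computer
# and flags any member that is not on an approved allowlist.
# Assumptions: computer names and allowlist below are constructed placeholders;
# requires Microsoft.PowerShell.LocalAccounts on the targets and PS Remoting.

$Computers = @('WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02')                  # constructed
$Approved  = @('Administrator', 'Domain Admins', 'LocalAdminBreakGlass')   # constructed

$Results = foreach ($Computer in $Computers) {
    try {
        $Members = Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' |
                Select-Object Name, ObjectClass, PrincipalSource
        }
    } catch {
        Write-Warning "Could not query $Computer : $($_.Exception.Message)"
        continue
    }
    foreach ($Member in $Members) {
        # Name is returned as DOMAIN\account or COMPUTER\account; compare the account part
        $Account = $Member.Name.Split('\')[-1]
        [pscustomobject]@{
            Computer   = $Computer
            Member     = $Member.Name
            Class      = $Member.ObjectClass       # 'User' or 'Group'
            Source     = $Member.PrincipalSource   # Local, ActiveDirectory, AzureAD, ...
            Unexpected = ($Account -notin $Approved)
        }
    }
}

# Report only what the allowlist does not explain; these entries are the ones to review
$Results | Where-Object Unexpected | Sort-Object Computer, Member | Format-Table -AutoSize

# Headline figure in the spirit of the report: how many Administrators entries are
# individual user accounts rather than groups
$Users = @($Results | Where-Object { $_.Class -eq 'User' })
'{0} of {1} Administrators entries are individual user accounts' -f $Users.Count, @($Results).Count
```

Run it under an account that is itself an administrator on the targets; machines that cannot be reached are reported as warnings rather than silently counted as clean.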

  • Whose fault is it if you give too many users admin rights?

    Aaaaand whose fault is it if you give too many users admin rights?

    They made their own bed. I don't feel sorry for them.

    And no, it's not the fault of the workers, as your title implies. It's the fault of the IT staff for giving them admin rights to begin with.
    • Too many are afraid to take away admin right

      I always just say I wouldn't be doing my job if I let users run as admins.
    • The IT Staff has masters too

      And those masters say things like 'Why can't Managers X and Y use their computers freely? They aren't COMMON EMPLOYEES, you should trust them!'

      And no amount of 'security arguments' will work once it looks like you are infringing on someones 'rights'.
      luke mayson
      • This

        So much this. If I had it my way users would get their default install and they will need to go through a request process to get anything else installed and all access points (USB, DVD, etc.) in the machine would be locked.

        But politics always interfere.
        • Complete Device Lockdown

          The only problem with a complete device lockdown and a request procedure is.... replacement devices and/or new users.

          New users generally don't know what software/tools they need to do their jobs. The managers don't do these jobs, that's what the new hire is for. So the managers don't know either.

          Replacement devices are really the same thing as a new user. The default install may have been modified over time as new tasks or responsibilities were added. If you think that the user has kept track of all these changes, you're deluded. If you think that the manager has kept track of all these changes, you're smoking something.

          Both of these situations leave the user with a default install and missing software/tools, with nobody having a complete list of what needs to be added. So the user must go through the request process each time they find that something is missing. And depending on the amount of time it takes to process each request, the user may be unable to perform all of their tasks for an extended period of time.

          And if you think the user is unhappy with this situation, how do you think the manager feels? Suddenly both of them are experiencing fairly unpleasant conversations about "Why can't you do your job?" And everybody is pointing their fingers at somebody else saying "it's because of this...."

          A complete device lockdown is only appropriate if >>YOU
    • Exactly right.

      IT has gotten so lazy, they think every problem can be solved with either Word, Excel or PowerPoint. Do you need Matlab? Access denied. Visio? Perhaps but wait 6 months and check back? gcc? Use Visual BASIC even if you have 10,000,000 lines of certified 'C' code since IT thinks code is code?

      The problem is IT itself being stuck in a time from 15 years ago and being unwilling to grow.
      • .... wha?

        I am sorry I can't figure out what you are trying to say...
  • Win 7 UAC

    So does Windows 7 UAC address this problem at all? It appears to me that it's like a "user" level *nix account where the user knows an admin password and can sudo. How close is that image to reality?
    • Win7 UAC Doesn't Fix Stupid

      If the user just clicks "yes" without any thought as to why something needs elevated privileges, then UAC is useless. I can't count the number of times people have hosed their own systems in spite of all the warnings they got, because they installed an "innocent" program, changed a setting, etc.

      IT cannot afford the downtime from people hosing their own systems, nor the support needed to fix them all.
  • "Too powerful"

    Only IT would think such a thought.
    • Nah, it's an auditor thing

      It's called "least privilege", and it's a driving force in any secure environment. Check it out.
  • It's not always the user's fault...

    Unfortunately there is often too much attitude involved and that can be on either side of the table.

    Because of a single bad apple, too many users forget that most IT folk are honestly concerned with keeping users safe and have the tools they need to do their job. Let's face it, it's not good for job security when you are the one that executive management sees as the reason the company missed a market window or the root cause for a project failing. And because so much of IT's work happens behind the scenes, end users rarely see just how much IT does to keep them running that is under the radar.

    On the flip side, I have also seen far, far too many IT people - even well intentioned ones - fail to respect that end users know how to do their job and the tools they need to do it. If you want to get professional respect, you need to give it, as well. Does a 25 year old kid recently out of trade school with zero background in clinical science and/or R&D have the experience or right to dictate to a respected expert in his field with 30 years *experience* what tool is appropriate for patient data analysis? Not even close. Said expert is most likely to stroll into the CEO's office - or some other C-level exec - and drop a bunker buster on IT.

    Once that happens, it's the beginning of the end for IT being able to do their proper job. Word gets out. Others demand the same. Chaos results. Needlessly.

    Fortunately for everyone, in my personal case, I did not have to make such a call. One day of having to send an IT tech up for repeated install/uninstall/reconfiguration of software, swapping out .DLL's and adding, removing and reconfiguring hardware was all it took for me to be given local admin privileges for my systems.

    Do I still have to fight to get some of the software tools I need? Well, yes, but no worse than I have to for other non-IT tools.

    That's another point for users to keep in mind. Sometimes IT is under executive order to avoid expenses - just like any other support function. It may well not be their fault. Hopefully, you will have developed enough of a relationship that IT will point you in the direction of whom you need to talk.

    That brings up my final point. One for BOTH sides. If you want to be successful with your users... If you want the "IT boys" to go the extra mile for you... It's all about relationships. Build them and guard them jealously. You'll both be happy if you do.
    • beautifully stated!

      Absolutely - one of the IT department's roles is to ensure security, especially when very few have true 'power user' capability.
      Raul, your observations are so right on, for both IT and users! Only 3 or 4 people in my organization have any idea what I do to keep their equipment optimized so they are able to fulfill their job responsibilities. May I share your eloquent words with my bosses? Have a great day! GLRose
  • Install the software

    I always ask that IT be responsible for all software. It means I purchase everything, and can keep track of the licenses.
    Once that is done, I remove Admin Rights from everyone, so IT is the only one to install software and everyone has to ask for and justify any software they need. 99% of the time I approve the software without even looking at it (depends on the software company), and install it within a couple of days.
    If someone has to ask for software and supply a justification, then they are less likely to ask for software they don't need. But it takes a lot less time to install all the software everyone asks for than cleaning up all the crap from the Internet games they used to download, or the virus-ridden POS they download.
    And I also make it remote-install, so the next time someone wants it, it just takes a couple of clicks from me.
    After a while everyone likes the system, as their computers always work; they get almost all the software they ask for; IT has time to do the useful stuff that Users actually notice; and Management sees the company software costs go down.
  • Not sure that I agree

    I wonder how many IT personnel have worked on a PC that has been locked down. It is not a pleasant experience. You might be able to get some work done, but if you can't even arrange the icons on your desktop, then it creates an environment of mistrust and misuse. If you have an employee downloading games, that employee has a bit too much time on their hands and that needs to be a management issue, not an IT issue. I say, it is much better to regulate the people who misuse the PC than it is to lock down everyone because of one person's abuse.
    IT should be there to help people do more, not lock them down to do less.