Automated Access Reviews Lacking
July 11, 2022
IT pros were asked whether and how they review user access
permissions. The survey found that 90% of organizations either
already periodically review access entitlements or plan to start
doing so within three years.
However, most respondents (81%) admit that they perform access
reviews manually.
"Manual review is the most unreliable and time-consuming way of
keeping permissions up to date," says Joe Dibley, Security
Researcher at Netwrix. "An email or instant message from some
department head confirming access rights usually satisfies
neither internal nor external auditors. Moreover, this approach
increases the chance of human error — it's too easy to forget
about someone's answer or miss the email altogether."
In 41% of organizations, IT teams review user access rights not
only manually but on their own, without involving business users
at all.
"IT teams generally are not in a position to know exactly who needs
what access to which IT resources. As a result, the organization
not only fails to properly enforce least privilege, but the
helpdesk is overwhelmed by requests from business users and data
owners to update access rights," comments Dibley.
The respondents who already have a dedicated tool for reviewing
user access rights were then asked what they consider to be the
biggest benefit of that solution. Of them, 49% named risk
reduction and 28% chose time savings.
"Automating access reviews reduces cybersecurity risks directly,
by ensuring a regular update of users' rights, and indirectly as
well. Eliminating manual tasks frees up IT teams to focus on
other critical activities, like investigating security incidents
before they turn into breaches," adds Dibley.