New Report Reveals Significant Delays Revoking System Access, Impacting Security Risk
Only 34% of organizations report that a typical worker has their system access revoked on the day that they leave, the Identity Defined Security Alliance finds
DENVER, February 4, 2021 — The Identity Defined Security Alliance (IDSA), a nonprofit that
provides vendor-neutral resources to help organizations reduce the risk of a breach by combining identity and security strategies, today released a study on Identity and Access Management which uncovers significant delays in granting and revoking access to corporate systems, impacting operations and introducing risk to the organization.
According to the study, for the majority of companies (72%) it takes one week or longer for a typical worker to obtain access to required systems. Conversely, it takes half of organizations three days or longer to revoke system access after a worker leaves, creating regulatory compliance issues and the risk of data theft. To make matters worse, for the majority of organizations (83%), remote work and other Covid-19 related factors have made managing access to corporate systems more difficult.
The report, “Identity and Access Management: The Stakeholder Perspective,” is based on an online survey of access stakeholders, human resources, sales managers, and IT help desk professionals, who are impacted by IAM processes and technologies and who interact directly with workers (employee, contractor and vendors) to set up, remove, and resolve access problems.
Despite agreement from access stakeholders that they have responsibility for security, most (62%) report that they would be hesitant to take action and cut worker access in the face of concerning behavior. Only two in five (38%) reported that they would immediately cut off access for a worker who was accessing systems or data inappropriately, leaving the door open for risk due to an insider threat or compromised credentials.
In addition, seven in 10 (69%) access stakeholders themselves confess to having personally engaged in sloppy system identity behavior, including using the same username and password for both work and personal accounts, using an unauthorized device for work, or sharing credentials with non-workers. Two-thirds (68%) agreed that even though they care about security, it is more important to get their job done.
Two in five access stakeholders (39%) agreed that system access at their company is “messy” and most (83%) believe that system access can be better. Automation may be one key to improving system access challenges. Less than a quarter (23%) report that they automate enabling access to required corporate systems, while only a third (35%) report automation of revoking access when workers leave.
“These numbers are alarming from a security risk perspective. Failing to revoke system access immediately after a worker leaves an organization and when suspicious access is detected present significant risk,” said Julie Smith, executive director of the IDSA. “The good news for enterprises is that the risks highlighted in the study can be mitigated through enlisting the help of stakeholders, who also want to be a part of the solution, through governance process, automation, and identity-centric security strategies.”
Identity Defined Security Alliance Guidance and Resources
The IDSA has defined best practices and identity defined security outcomes that can help organizations address the access challenges highlighted in the research, improving business operations and reducing risk. For IDSA guidance on the specific access challenges raised in the report, visit https://www.idsalliance.org/blog/2021/02/04/new-research-provides-iam-stakeholder-perspective-on-access-challenges/.
The full IDSA library of identity defined security outcomes and approaches, can be accessed here https://securityoutcomes.idsalliance.org/.
To register for the webinar, “IAM Stakeholder Perspective on Access Challenges, Business Operations and Risk,” on March 11, 2021, featuring Diane Hagglund of Dimensional Research and Den Jones, Cisco Director of Enterprise Security, visit
To download the full report, visit https://www.idsalliance.org/identity-and-access-management-the-stakeholder-perspective.
Survey Methodology
Dimensional Research conducted an independent online survey of HR, Sales, and Help Desk professionals in the United States. A total of 313 qualified professionals completed the survey. All participants worked at a company with at least 1,000 employees where a typical employee required access to multiple systems. Survey participants all had direct responsibility for adding or removing access to corporate systems.
About Dimensional Research
Dimensional Research® provides practical market research to help technology companies make their customers more successful. Our researchers are experts in the people, processes, and technology of corporate IT. We understand how technology organizations operate to meet the needs of their business stakeholders. We partner with our clients to deliver actionable information that reduces risks, increases customer satisfaction, and grows the business. For more information, visit dimensionalresearch.com.
About the Identity Defined Security Alliance
The IDSA is a group of identity and security vendors, solution providers and practitioners that acts as an independent source of thought leadership, expertise and practical guidance on identity centric approaches to security for technology professionals. The IDSA is a nonprofit that facilitates community collaboration to help organizations reduce risk by providing education, best practices, and resources.