User access rights and security privileges in the enterprise are out of control. So says security software vendor BeyondTrust, which released a survey this week to demonstrate the extent to which employees can unnecessarily access potentially sensitive data and resources.

Titled "Privilege Gone Wild" (which, in a different context, might conjure images of trust-fund children engaging in debauchery), the survey revealed several key points that will likely encourage IT admins to think more about how they handle user privileges:

  • 44 percent of employees have access rights that are not necessary to their current role.
  • 80 percent of respondents believe that it's at least somewhat likely that employees access sensitive or confidential data out of curiosity.
  • More than three-quarters of respondents say the risk to their organization caused by the insecurity of privileged users will increase over the next few years.
  • 54 percent of respondents at organizations with privilege-access controls in place said they could easily circumvent those controls, demonstrating the ineffectiveness of existing solutions.

That last point might be the most interesting of all, because it reveals that simply having some kind of user access policy in place—which is easy to do using the basic, default tools that are built into most modern software—is not enough to protect sensitive data. True security appears to require more than the simple protections of things such as user accounts and internal firewalls.

BeyondTrust, which defines itself as "the security industry's only provider of Context-Aware Security Intelligence," is pitching the survey results as evidence of the need for comprehensive, policy-driven vulnerability and privilege management that is adapted to the particular importance and sensitivity (in other words, the "context") of a given resource or database. And in our age of ubiquitous leaks from internal sources, the company may be right. No one wants to be the next NSA.

The full results of the survey, which was based on responses from "265 IT decision-makers including security managers and network and systems engineers across a number of industries," are available on BeyondTrust's website.