"In our experience over-privileged scenarios account for approximately 65% of insider threat incidents, shadow IT 20% and carelessness 15%," Nayyar said.
Moreland has a list of labels for such employees, including "access hoarders" who "gobble up as much access as they possibly can and refuse to relinquish any of it, even when it's no longer needed."
Others, whom he calls "innovators," are well intentioned — they are trying to be more productive — but one of the ways they do so is by circumventing IT policies.
Gumbs noted that the Verizon Data Breach Investigations Report found that "privilege abuse is the most damaging of insider threats."
But he added that not all abuse of access privileges is innocent, nor does it necessarily mean an employee is over-privileged. "In the majority of cases, users had the proper level of privilege for their roles, they simply abused those privileges for personal or financial gain," he said.
In those cases, he and other experts say identity and access management can reduce the security risks significantly.
"Over-privilege is a substantial concern," Overly said. "In general, the majority of users in businesses today are over-privileged. The concept of least privilege is seldom implemented properly and even more seldom addressed as personnel duties change and evolve over time."
Dennis Devlin, cofounder, CISO and senior vice president of privacy practice at SAVANTURE, said he sees the same thing. "In my experience most individuals who have been with an organization for a long time are over-privileged," he said. "Access privileges are accretive and tend to grow over time. The law of least privileges exists not just to prevent malicious access, but also to prevent accidental or inadvertent disclosure."
He said better access management could reduce the need for intrusive monitoring. "Appropriate privileges keep individuals in their respective 'swim lanes,' reduce the need for excessive monitoring and make SIEM analysis much more effective," he said.
Beyond the legal and morale questions, however, the verdict is still out on how well UBA works.
Overly said in his experience, "it has a long way to go with regard to accuracy. All too often, the volume of false alarms causes the results to be disregarded when an actual threat is identified."
Nayyar said it does work, through analysis of unusual or "anomalous" behaviors in things like geolocation, elevated permissions, connecting to an unknown IP or installing unknown software for backdoor access to sensitive data (see sidebar).
She provided an example of flagging rogue behavior: A software engineer who had resigned from a company and was leaving in a month exhibited behavior never seen before.
While on vacation, the employee "logged in from a previously unseen IP address, accessed the source code repository and downloaded sensitive files from a project he wasn't assigned to," she said.
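As an added illustration, not code from the article or from any vendor quoted in it, the following Python scores repository audit events by combining the signals in Nayyar's example (unseen source IP, project the user is not assigned to, pending departure, on leave, file download) so that a single routine download does not fire but the combination does. All users, IPs, projects, weights and the threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the article). Historical events build a
# per-user baseline of source IPs; new events are scored against it.
# Event tuple: (user, source_ip, action, project)
HISTORY = [
    ("bob", "10.1.4.22", "clone", "search"),
    ("bob", "10.1.4.22", "push", "search"),
    ("alice", "10.1.7.9", "clone", "billing"),
]
NEW_EVENTS = [
    ("alice", "10.1.7.9", "clone", "billing"),               # routine activity
    ("bob", "203.0.113.45", "download", "payments-core"),   # the article's scenario
    ("alice", "10.1.7.9", "download", "billing"),            # download alone, known IP
]
# Constructed HR and project context: assignments, users who gave notice, users on leave.
ASSIGNED = {"alice": {"billing"}, "bob": {"search"}}
RESIGNED = {"bob"}
ON_LEAVE = {"bob"}
# Assumed weights: no single signal reaches the threshold on its own.
WEIGHTS = {"new_ip": 2, "unassigned_project": 3, "departing": 2,
           "on_leave": 1, "bulk_download": 2}
THRESHOLD = 5

def build_baseline(history):
    """Map each user to the set of source IPs seen in historical events."""
    seen = defaultdict(set)
    for user, ip, _action, _project in history:
        seen[user].add(ip)
    return seen

def score_event(event, baseline):
    """Return (score, signals) for one event; signals explain the score."""
    user, ip, action, project = event
    signals = []
    if ip not in baseline.get(user, set()):
        signals.append("new_ip")
    if project not in ASSIGNED.get(user, set()):
        signals.append("unassigned_project")
    if user in RESIGNED:
        signals.append("departing")
    if user in ON_LEAVE:
        signals.append("on_leave")
    if action == "download":
        signals.append("bulk_download")
    return sum(WEIGHTS[s] for s in signals), signals

def find_alerts(events, baseline, threshold=THRESHOLD):
    """Return (user, score, signals) for events whose score meets the threshold."""
    return [(e[0], *score_event(e, baseline)) for e in events
            if score_event(e, baseline)[0] >= threshold]

if __name__ == "__main__":
    for user, score, signals in find_alerts(NEW_EVENTS, build_baseline(HISTORY)):
        print(f"ALERT {user}: score={score} signals={signals}")
```

Only the departing engineer's download from an unseen address on an unassigned project crosses the threshold; Alice's download from her usual address scores below it, which is the kind of tuning Overly's false-alarm concern calls for.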