Security threats explained: Internal excessive privilege

13.07.2012

Businesses need to reassess how they look at addressing internal excessive privilege by shifting away from viewing it as a compliance and government requirement to making it more about a risk management exercise, says IDC's Hue.

"The shift in mentality has to start with the C-level executives, and helping them understand the risks associated with not having proper access governance programmes," he says.

Hue adds that companies can also conduct both external penetration tests [EPT] and internal penetration tests [IPT].

"These penetration tests would be deployed in order to mimic vulnerabilities which lie outside and within the firewall," he says.

An IPT is conducted from the vantage point of an internal user, using the network access a typical user has. From this point, the organisation is able to see how far privileges can be escalated and how much information within the network is at risk of a breach.