
What is a Privileged Account and Why Attackers Target Them

Not all accounts are created equal. In every organisation, a small number of accounts have the power to change system configurations, access all data, create or delete other accounts, and override security controls. These are privileged accounts — and they are the single most valuable target for cyber attackers.

If an attacker compromises a standard user account, they can see that person’s email and files. If they compromise a privileged account, they can see everything — and change anything. This is the difference between a minor incident and an existential breach.

What Makes an Account “Privileged”?

A privileged account is any account that has elevated permissions beyond what a standard user needs for day-to-day work. These accounts can:

  • Install or remove software across the network
  • Create, modify, or delete other user accounts
  • Access all files and data — including sensitive financial, HR, or customer records
  • Change security settings — disable firewalls, alter audit logs, modify access policies
  • Move laterally across systems without triggering the access restrictions that apply to normal users

Diagram: Privileged vs Standard Account — Scope of Access

Side-by-side comparison showing a standard user with access to their own email, files, and applications versus a privileged account with access to all systems, configurations, security policies, and the ability to create or remove other accounts.

Privileged accounts exist in many forms that organisations often fail to track:

  • Domain Administrator accounts in Active Directory
  • Root accounts on Linux/Unix servers
  • Global Administrator in Microsoft 365 and Azure AD
  • Database administrator (DBA) accounts
  • Service accounts used by applications to communicate with other systems
  • Emergency or break-glass accounts kept for disaster recovery
  • Local admin accounts on individual workstations

Why Attackers Prioritise Privileged Accounts

Cybercriminals and nation-state actors do not break into organisations by brute-forcing the front door. They find a way in — usually through phishing or exploiting a vulnerability — and then escalate privileges. The initial foothold is just the beginning. The real objective is always a privileged account.

Diagram: The Privilege Escalation Path — From Phishing Email to Domain Admin

Step-by-step attack chain: phishing email compromises a standard user, attacker harvests cached credentials, moves laterally to a system with admin credentials stored in memory, escalates to Domain Admin, and gains unrestricted access to the entire environment.

In the SolarWinds attack (2020), attackers compromised a software update mechanism to gain initial access to thousands of organisations. But the damage was done when they escalated to privileged accounts within those environments — accessing email systems, identity infrastructure, and security tools. Without privileged access, the initial compromise would have been contained.

The Colonial Pipeline ransomware attack (2021) was triggered by a single compromised VPN account that had administrative privileges. The attackers did not need to exploit sophisticated vulnerabilities — they logged in with valid credentials to an account that had far more access than it should have had.

According to CrowdStrike’s 2024 Global Threat Report, 80% of breaches involve compromised credentials, and privilege escalation is present in nearly every major incident investigation.

The Privilege Problem at Scale

Most organisations dramatically underestimate how many privileged accounts they have. A mid-sized company with 500 employees might have 100 standard user accounts for every one human administrator — but they might also have 200+ service accounts, local admin accounts on every workstation, and shared credentials for legacy systems that nobody has audited in years.

Diagram: The Hidden Privilege Iceberg

Iceberg visual — above the waterline: known admin accounts (Domain Admins, Global Admins). Below the waterline: service accounts, local admin accounts, shared credentials, emergency accounts, application service principals, embedded database credentials, and legacy system accounts that nobody tracks.

This sprawl of unmanaged privilege is what makes Privileged Access Management (PAM) essential. PAM is the discipline of identifying, securing, monitoring, and controlling all privileged access in your environment. It is not a single product — it is a combination of policies, processes, and tools.

Why This Matters

A compromised privileged account gives an attacker the same power as your most trusted administrator. They can exfiltrate data, deploy ransomware, destroy backups, and cover their tracks — often within hours. The cost of a breach involving privileged credentials is significantly higher than one involving standard accounts, because the blast radius is the entire organisation.

Insurance underwriters now routinely ask about privileged access controls. Organisations without PAM fundamentals face higher premiums, policy exclusions, or outright denial of cyber insurance coverage.

What to Do Now

  • Ask IT to produce a list of all accounts with administrative or elevated privileges — including service accounts
  • Determine whether privileged accounts are separated from day-to-day user accounts (they should be)
  • Check whether MFA is enforced on all privileged accounts without exception
  • Find out if there are any shared admin credentials in use
  • Ask when the last review of privileged access was conducted
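The checks in the list above can be run mechanically once the inventory exists. What follows is an added example, not code from the original page or from any PAM product: a Python review of a constructed account export. The column layout, the privileged group names, the 90-day rotation threshold and the sample rows are all assumptions made for illustration; the script flags privileged accounts that lack MFA, hold stale or shared passwords, have no named owner, or are also used for day-to-day work.

```python
"""Privileged-account review over a constructed inventory export.

Added example, not code from the original page or any PAM product. It
assumes an export flattened to the columns below (built, for instance,
from directory group membership joined with identity-provider MFA data);
the column names, group names and sample rows are all constructed.
"""
import csv
import io
from datetime import date, datetime

# Groups whose membership we treat as privileged (assumed list).
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Global Administrator",
    "Administrators", "db_owner", "root",
}
MAX_PASSWORD_AGE_DAYS = 90          # assumed rotation policy
REVIEW_DATE = date(2024, 5, 1)      # fixed so results are reproducible

# Constructed sample export: one row per account.
SAMPLE_EXPORT = """\
account,type,groups,mfa_enforced,password_last_set,owner,shared,used_for_daily_work
alice,human,Domain Admins;Domain Users,true,2024-04-01,alice,false,true
alice-adm,human,Domain Admins,true,2024-03-01,alice,false,false
svc-backup,service,Administrators,false,2019-06-30,,false,false
svc-erp,service,db_owner,false,2021-11-02,finance-it,true,false
breakglass01,emergency,Global Administrator,true,2024-02-20,ciso,false,false
bob,human,Domain Users,false,2024-04-10,bob,false,true
"""


def parse_export(text):
    """Parse the CSV export into rows with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["groups"] = {g.strip() for g in r["groups"].split(";") if g.strip()}
        for flag in ("mfa_enforced", "shared", "used_for_daily_work"):
            r[flag] = r[flag].strip().lower() == "true"
        r["password_last_set"] = datetime.strptime(
            r["password_last_set"], "%Y-%m-%d").date()
        rows.append(r)
    return rows


def is_privileged(row):
    """An account is privileged if it sits in any privileged group."""
    return bool(row["groups"] & PRIVILEGED_GROUPS)


def privileged_inventory(text=SAMPLE_EXPORT):
    """Discovery step: the accounts that actually hold privilege."""
    return [r["account"] for r in parse_export(text) if is_privileged(r)]


def review(text=SAMPLE_EXPORT, today=REVIEW_DATE):
    """Return {account: [finding codes]} for every privileged account.

    Finding codes map onto the checklist: NO_MFA, STALE_PASSWORD,
    SHARED_CREDENTIAL, NO_OWNER and DAILY_USE (the admin identity is not
    separated from the person's everyday account).
    """
    findings = {}
    for r in parse_export(text):
        if not is_privileged(r):
            continue
        issues = []
        if not r["mfa_enforced"]:
            issues.append("NO_MFA")
        if (today - r["password_last_set"]).days > MAX_PASSWORD_AGE_DAYS:
            issues.append("STALE_PASSWORD")
        if r["shared"]:
            issues.append("SHARED_CREDENTIAL")
        if not r["owner"].strip():
            issues.append("NO_OWNER")
        if r["used_for_daily_work"]:
            issues.append("DAILY_USE")
        findings[r["account"]] = issues
    return findings


if __name__ == "__main__":
    print("Privileged accounts:", ", ".join(privileged_inventory()))
    for account, issues in review().items():
        print(f"{account:14} {'OK' if not issues else ', '.join(issues)}")
```

Note that the standard account "bob" never appears in the findings: the review only examines accounts that hold privilege, which is why the discovery step has to come first. An empty finding list (as for "alice-adm" and "breakglass01") is the state the checklist is driving towards.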

Evidence to Collect

  • A current inventory of all privileged accounts (human and service)
  • Documentation showing that admin accounts are separate from standard user accounts
  • Proof that MFA is enforced on privileged access
  • Records of the most recent privileged access review, including who approved continued access
  • Any logs showing privileged account usage over the past 90 days

Common Mistakes

  • Using admin accounts for daily work. Administrators who read email, browse the web, and perform admin tasks from the same account are creating a direct attack path. A phishing link clicked in an admin session compromises the entire environment.
  • Not knowing how many privileged accounts exist. If you cannot list them, you cannot secure them. The first step is always discovery.
  • Treating service accounts as low risk. Service accounts often have the highest privileges and the weakest controls — no MFA, passwords that never rotate, and no one monitoring their activity.
  • Believing small organisations don’t need PAM. Attackers target organisations of all sizes. A ten-person company with an unprotected admin account is easier to breach than a large enterprise with PAM controls in place.
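The "logs showing privileged account usage over the past 90 days" item under Evidence to Collect and the first mistake above (admin accounts used for daily work) can both be checked from logon records. The following is an added example, not code from the original page: a Python review of constructed Windows Security logon events. The records reuse the field names of event 4624 (TargetUserName, LogonType, with the logging host as Computer), but every row, the list of privileged accounts and the "WS-" hostname prefix for workstations are assumptions made for this illustration.

```python
"""Privileged logon review over constructed Windows Security events.

Added example, not code from the original page. The records use the field
names of Windows Security event 4624 (successful logon), but every row is
constructed, and the "WS-" prefix for workstation hostnames is an assumed
local naming convention.
"""
from collections import Counter
from datetime import datetime, timedelta

# Output of the inventory step (assumed for this example).
PRIVILEGED_ACCOUNTS = {"alice-adm", "svc-backup", "svc-erp", "breakglass01"}
# Logon types meaning a person sat at a console, RDP or cached session.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}
REVIEW_END = datetime(2024, 5, 1)        # fixed so results are reproducible
REVIEW_WINDOW = timedelta(days=90)

SAMPLE_EVENTS = [  # constructed records
    {"TimeCreated": "2024-04-28T08:02:11", "EventID": 4624,
     "TargetUserName": "alice-adm", "LogonType": 10, "Computer": "DC01"},
    {"TimeCreated": "2024-04-28T09:15:40", "EventID": 4624,
     "TargetUserName": "alice-adm", "LogonType": 2, "Computer": "WS-ALICE"},
    {"TimeCreated": "2024-04-29T02:00:05", "EventID": 4624,
     "TargetUserName": "svc-backup", "LogonType": 5, "Computer": "BACKUP01"},
    {"TimeCreated": "2024-04-29T02:00:06", "EventID": 4624,
     "TargetUserName": "svc-backup", "LogonType": 10, "Computer": "WS-BOB"},
    {"TimeCreated": "2024-01-15T11:00:00", "EventID": 4624,
     "TargetUserName": "svc-erp", "LogonType": 3, "Computer": "SQL01"},
    {"TimeCreated": "2024-04-30T17:45:12", "EventID": 4624,
     "TargetUserName": "bob", "LogonType": 2, "Computer": "WS-BOB"},
    {"TimeCreated": "2024-04-30T17:50:00", "EventID": 4672,
     "SubjectUserName": "alice-adm", "Computer": "DC01"},
]


def is_workstation(host):
    """Assumed convention: workstation hostnames start with WS-."""
    return host.upper().startswith("WS-")


def logons_in_window(events, end=REVIEW_END, window=REVIEW_WINDOW):
    """Yield successful-logon events (4624) inside the review window."""
    start = end - window
    for e in events:
        if e.get("EventID") != 4624:
            continue
        t = datetime.fromisoformat(e["TimeCreated"])
        if start <= t <= end:
            yield e


def privileged_logon_counts(events=SAMPLE_EVENTS, privileged=PRIVILEGED_ACCOUNTS):
    """How often each privileged account logged on during the window."""
    return Counter(e["TargetUserName"] for e in logons_in_window(events)
                   if e["TargetUserName"] in privileged)


def dormant_privileged(events=SAMPLE_EVENTS, privileged=PRIVILEGED_ACCOUNTS):
    """Privileged accounts with no logon in the window: review candidates."""
    return privileged - set(privileged_logon_counts(events, privileged))


def workstation_interactive_logons(events=SAMPLE_EVENTS,
                                   privileged=PRIVILEGED_ACCOUNTS):
    """Privileged accounts used interactively on workstations.

    This is the 'admin account used for daily work' pattern: a privileged
    identity at a keyboard or RDP session on an end-user machine.
    """
    return [(e["TargetUserName"], e["Computer"], e["LogonType"])
            for e in logons_in_window(events)
            if e["TargetUserName"] in privileged
            and e["LogonType"] in INTERACTIVE_LOGON_TYPES
            and is_workstation(e["Computer"])]


if __name__ == "__main__":
    print("Logons per privileged account:", dict(privileged_logon_counts()))
    print("No logon in window:", sorted(dormant_privileged()))
    for account, host, logon_type in workstation_interactive_logons():
        print(f"interactive logon: {account} on {host} (type {logon_type})")
```

The dormant list has to be read against account type: "svc-erp" with no logon in 90 days is a service account whose privilege may no longer be needed, whereas "breakglass01" being idle is exactly what a break-glass account should look like. The interactive-logon list is the direct evidence for the separation mistake described above, and the service account "svc-backup" appearing on a workstation is the kind of usage nobody is usually monitoring.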

Knowledge Check

Question 1 of 4

What is the primary reason attackers target privileged accounts rather than standard user accounts?

  • Privileged accounts have simpler passwords
  • Privileged accounts grant access to all systems, data, and the ability to override security controls
  • Privileged accounts are not monitored by antivirus software
  • Privileged accounts are always connected to the internet

B. Privileged accounts are targeted because they provide unrestricted access to systems, data, configurations, and security controls — turning a single compromised credential into full organisational compromise.

Question 2 of 4

In the Colonial Pipeline attack, what enabled the attackers to gain access?

  • A zero-day vulnerability in pipeline control software
  • A compromised VPN account with administrative privileges
  • An insider threat from a disgruntled employee
  • A physical break-in at a data centre

B. The Colonial Pipeline attack was enabled by a single compromised VPN account that had administrative privileges. The attackers used valid credentials — no sophisticated exploit was needed.

Question 3 of 4

Which of the following is NOT typically a privileged account?

  • A Domain Administrator account
  • A standard user’s email account
  • A service account used for application-to-application communication
  • A break-glass emergency access account

B. A standard user’s email account is not a privileged account. Domain Admins, service accounts, and break-glass accounts all have elevated privileges that grant access beyond normal user capabilities.

Question 4 of 4

Why are service accounts often considered higher risk than human admin accounts?

  • They cost more to operate
  • They typically have high privileges, no MFA, static passwords, and minimal monitoring
  • They are always accessible from the internet
  • They are owned by third-party vendors

B. Service accounts are high risk because they often hold elevated privileges, cannot use MFA, have passwords that rarely or never rotate, and are seldom monitored — making them an attractive and persistent target for attackers.

Summary Notes — What is a Privileged Account?

Key Takeaways

  • Privileged accounts have elevated permissions to change configurations, access all data, and override security controls.
  • They exist in many forms: Domain Admins, root, Global Admins, service accounts, local admins, and break-glass accounts.
  • Attackers always seek to escalate to privileged access — the initial compromise is just the starting point.
  • Real-world breaches (SolarWinds, Colonial Pipeline) demonstrate that privileged account compromise leads to catastrophic outcomes.
  • Most organisations dramatically underestimate the number of privileged accounts in their environment.

Action Items

  1. Request a full inventory of all privileged accounts (human and service).
  2. Verify that admin accounts are separated from day-to-day user accounts.
  3. Confirm MFA is enforced on every privileged account without exception.
  4. Identify and eliminate any shared admin credentials.
  5. Schedule a privileged access review within the next 30 days.

Compliance Relevance

Privileged access controls are required by ISO 27001 Annex A.9.2 (User Access Management), Cyber Essentials (Access Control — admin account separation), NIST CSF PR.AC-4 (Access Permissions and Authorisations), and PCI DSS Requirement 7 (Restrict Access to Cardholder Data). Cyber insurance applications now routinely assess PAM maturity.