According to new global research released today by CyberArk, 79 percent of top security professionals believe that cybersecurity has taken a back seat in the previous year as other digital business efforts have accelerated. The CyberArk 2022 Identity Security Threat Landscape Report (http://www.cyberark.com/ISTL22) shows how the rise of human and machine identities – which can number in the hundreds of thousands per organisation – has resulted in an increase in identity-related cybersecurity “debt,” putting organisations at greater risk.
A Growing Identities Problem
Every major IT or digital project increases the number of interactions between people, applications, and processes, resulting in the creation of a high number of digital identities. If these digital identities are left unmanaged and unprotected, they can pose a serious cybersecurity threat:
- Sixty-eight percent of non-humans or bots have access to sensitive data and assets.
- The average staff member has more than 30 digital identities.
- Machine identities now outweigh human identities by a factor of 45 on average.
- Eighty-seven percent store secrets in multiple places across DevOps environments, while 80% say developers typically have more privileges than necessary for their roles.
The 2022 Attack Surface
The attack surface is being expanded by secular trends such as digital transformation, cloud migration, and adversary creativity. The report examines the frequency and types of cyber-attacks that security teams face, as well as areas where they see increased risk:
- Credential access was the number one area of risk for respondents (at 40%), followed by defense evasion (31%), execution (31%), initial access (29%) and privilege escalation (27%).
- Over 70% of the organizations surveyed have experienced ransomware attacks in the past year: two each on average.
- Sixty-two percent have done nothing to secure their software supply chain following the SolarWinds attack, and most (64%) admit that a compromise of a software supplier would mean an attack on their organization could not be stopped.
Getting Into Cybersecurity Debt
Recent organization-wide digital endeavours, according to security experts, have come at a cost. This cost is known as Cybersecurity Debt, which refers to security programmes and solutions that have evolved but not kept up with what enterprises have put in place to support operations and growth. This debt has resulted from a failure to adequately manage and secure access to sensitive data and assets, as well as a lack of Identity Security policies that are increasing risk and causing consequences. The debt is exacerbated by recent increases in geopolitical tensions, which have already had a direct impact on critical infrastructure, emphasising the need for greater awareness of the physical ramifications of cyber-attacks:
- Seventy-nine percent agree that their organization prioritized maintaining business operations over ensuring robust cyber security in the last 12 months.
- Less than half (48%) have Identity Security controls in place for their business-critical applications.
Udi Mokady, founder, chairman and CEO, CyberArk: “The past few years have seen spending on digital transformation projects skyrocket to meet the demands of changed customer and workforce requirements. The combination of an expanding attack surface, rising numbers of identities, and behind-the-curve investment in cybersecurity – what we call Cybersecurity Debt – is exposing organizations to even greater risk, which is already elevated by ransomware threats and vulnerabilities across the software supply chain. This threat environment requires a security-first approach to protecting identities, one capable of outpacing attacker innovation.”
Rohan Vaidya, Regional Director of Sales – India, CyberArk said, “Digital transformation is undoubtedly breaking down the traditional barriers that used to prevent organisations from remaining competitive and agile within a rapidly evolving business landscape. This, however, comes with an exponential increase in cyber risks. Organisations in India should eliminate these risks by adopting an identity-focused strategy that will secure access for all identities across any application or system from anywhere via any device.”