Global Threat Landscape Report reveals “major cyber security inertia infecting organisations worldwide”

According to CyberArk’s Global Advanced Threat Landscape Report 2018, nearly half (46%) of those IT security professionals questioned stated that they rarely change their security strategy substantially even after the business has experienced a cyber attack. This level of cyber security inertia and an apparent failure to learn from past incidents puts sensitive data, infrastructure and assets at risk.

An overwhelming number of IT security professionals believe that securing an environment begins with protecting privileged accounts. 89% of respondents stated that IT infrastructure and critical data are not fully protected unless privileged accounts, credentials and secrets are secured.

Respondents to the study* named the greatest cyber security threats they currently face to be targeted phishing attacks (56%), insider threats (51%), ransomware or malware (48%), unsecured privileged accounts (42%) and unsecured data stored in the cloud (41%).

IT security respondents also indicated that the proportion of users who have local administrative privileges on their endpoint devices increased from 62% in the 2016 survey to 87% in 2018. That represents a 25% jump and is perhaps indicative of employee demands for flexibility overriding security best practice.

Inertia could lead to data compromise 

The survey findings suggest that security inertia has infiltrated many organisations. Other findings support this, pointing to an inability to repel or contain cyber threats and to the risks that this might entail.

46% of respondents say their organisation cannot prevent attackers from breaking into internal networks each time this is attempted. 36% report that administrative credentials are stored in Word or Excel documents on company PCs. 50% admit that their customers’ privacy or personally identifiable information could be at risk because their data isn’t secured beyond the legally-required basics.

The automated processes inherent in cloud and DevOps mean that privileged accounts, credentials and secrets are being created at a prolific rate. If compromised, these can give attackers a crucial ‘jumping-off’ point to achieve lateral access to sensitive data across networks, data and applications or to use cloud infrastructure for illicit cryptomining activities. Organisations increasingly recognise this security risk, but still adopt a somewhat relaxed approach towards cloud security.

The survey found that nearly half (49%) of organisations have no privileged account security strategy for the cloud. More than two-thirds (68%) defer to their vendor on matters of cloud security, relying on built-in security capabilities, while 38% stated that their cloud provider doesn’t deliver adequate protection. 

Changing the security culture

Overcoming cyber security inertia necessitates cyber security becoming central to organisational strategy and behaviour. This isn’t something that’s dictated by competing commercial needs, though. According to the survey, 86% of IT security professionals feel security should be a regular Board-level discussion topic, while 44% said they recognise or reward those employees who help to prevent an IT security breach. This figure increases to nearly three quarters (74%) in the US. Just 8% of companies continuously perform ‘Red Team’ exercises designed to uncover critical vulnerabilities and identify effective responses.

Rich Turner, vice-president for the EMEA region at CyberArk, told Risk UK: “When target organisations haven’t moved with the times, cyber attackers often have an easy time of it and are able to penetrate traditional perimeter defences without any undue effort. Companies must show greater urgency to change the game, which means treating the risk associated with cyber security in the same way as wider business risks such as competition and the economy. Understanding how changing service delivery models like cloud and DevOps affect the attack surface is a crucial component of cyber risk. Business leaders have a critical role to play here in terms of transforming the risk mindset and building cyber resilience right across the enterprise.” 

*CyberArk’s Global Advanced Threat Landscape Report 2018 marks the eleventh document in the series. The survey was conducted by Vanson Bourne among 1,300 IT security decision-makers, DevOps and App Developer professionals and line of business owners across seven countries worldwide.

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
