According to CyberArk’s Global Advanced Threat Landscape Report 2018, nearly half (46%) of those IT security professionals questioned stated that they rarely change their security strategy substantially even after the business has experienced a cyber attack. This level of cyber security inertia and an apparent failure to learn from past incidents puts sensitive data, infrastructure and assets at risk.
An overwhelming number of IT security professionals believe that securing an environment begins with protecting privileged accounts. 89% of respondents stated that IT infrastructure and critical data are not fully protected unless privileged accounts, credentials and secrets are secured.
Respondents to the study* named the greatest cyber security threats they currently face to be targeted phishing attacks (56%), insider threats (51%), ransomware or malware (48%), unsecured privileged accounts (42%) and unsecured data stored in the cloud (41%).
IT security respondents also indicated that the proportion of users who have local administrative privileges on their endpoint devices increased from 62% in the 2016 survey to 87% in 2018. That represents a 25% jump and is perhaps indicative of employee demands for flexibility overriding security Best Practice.
Inertia could lead to data compromise
The survey findings suggest that security inertia has infiltrated many organisations, with an inability to repel or contain cyber threats – and the risks that this might entail – supported by other findings.
46% of respondents say their organisation cannot prevent attackers from breaking into internal networks each time this is attempted. 36% report that administrative credentials are stored in Word or Excel documents on company PCs. 50% admit that their customers’ privacy or personally identifiable information could be at risk because their data isn’t secured beyond the legally-required basics.
The automated processes inherent in cloud and DevOps mean that privileged accounts, credentials and secrets are being created at a prolific rate. If compromised, these can give attackers a crucial ‘jumping-off’ point to achieve lateral access to sensitive data across networks, data and applications or to use cloud infrastructure for illicit cryptomining activities. Organisations increasingly recognise this security risk, but still adopt a somewhat relaxed approach towards cloud security.
The survey found that nearly half (49%) of organisations have no privileged account security strategy for the cloud. More than two-thirds (68%) defer to their vendor on matters of cloud security, relying on built-in security capabilities, while 38% stated that their cloud provider doesn’t deliver adequate protection.
Changing the security culture
Overcoming cyber security inertia necessitates cyber security becoming central to organisational strategy and behaviour. This isn’t something that’s dictated by competing commercial needs, though. According to the survey, 86% of IT security professionals feel security should be a regular Board-level discussion topic, while 44% said they recognise or reward those employees who help to prevent an IT security breach. This figure increases to nearly three quarters (74%) in the US. Just 8% of companies continuously perform ‘Red Team’ exercises designed to uncover critical vulnerabilities and identify effective responses.
Rich Turner, vice-president for the EMEA region at CyberArk, told Risk UK: “When target organisations haven’t moved with the times, cyber attackers often have an easy time of it and are able to penetrate traditional perimeter defences without any undue effort. Companies must show greater urgency to change the game, which means treating the risk associated with cyber security in the same way as wider business risks such as competition and the economy. Understanding how changing service delivery models like cloud and DevOps affect the attack surface is a crucial component of cyber risk. Business leaders have a critical role to play here in terms of transforming the risk mindset and building cyber resilience right across the enterprise.”
*CyberArk’s Global Advanced Threat Landscape Report 2018 marks the eleventh document in the series. The survey was conducted by Vanson Bourne among 1,300 IT security decision-makers, DevOps and App Developer professionals and line of business owners across seven countries worldwide