The rise of human and machine identities – often running into the hundreds of thousands per organisation – has driven a build-up of identity-related cybersecurity ‘debt’, exposing organisations to greater cybersecurity risk.

The CyberArk 2022 Identity Security Threat Landscape Report says that while security programmes have expanded, they have not kept pace with organisations’ investments focused on driving business operations and growth. This debt has arisen through not properly managing and securing access to sensitive data and assets, and a lack of Identity Security controls is driving up risk and creating consequences.
The debt is further compounded by the recent rise in geopolitical tensions, which have reinforced the need for heightened awareness of the physical consequences of cyberattacks, especially on critical infrastructure.
Seventy-nine percent of senior security professionals state that cybersecurity has taken a back seat in the last year in favour of accelerating other digital business initiatives.
Fewer than half (48 percent) have Identity Security controls in place for their business-critical applications.
Digital identities going unmanaged
The survey also identifies the cybersecurity risks for organisations if digital identities go unmanaged and unsecured. It reports that 68 percent of non-humans or bots have access to sensitive data and assets.
Moreover, the average staff member has more than 30 digital identities. Machine identities now outnumber human identities by a factor of 45 on average.
The report also shows that 87 percent store secrets in multiple places across DevOps environments, while 80 percent say developers typically have more privileges than necessary for their roles.
“Spending on digital transformation projects has skyrocketed in recent years to meet the demands of changed customer and workforce requirements,” said Udi Mokady, founder, chairman and CEO, CyberArk.
“The combination of an expanding attack surface, rising numbers of identities and behind-the-curve investment in cybersecurity – what we call cybersecurity debt – is exposing organisations to even greater risk, which is already elevated by ransomware threats and vulnerabilities across the software supply chain. This threat environment requires a security-first approach to protecting identities, one capable of outpacing attacker innovation.”
The 2022 attack surface
Digital transformation, cloud migration and attacker innovation are expanding the attack surface. Credential access was the number one area of risk for respondents (at 40 percent), followed by defence evasion (31 percent), execution (31 percent), initial access (29 percent) and privilege escalation (27 percent).
More than 70 percent of the organisations surveyed have experienced ransomware attacks in the past year: two each on average.
Yet 62 percent have done nothing to secure their software supply chain since the SolarWinds attack, and most (64 percent) admit that a compromise of a software supplier would mean an attack on their organisation could not be stopped.
What can be done about cybersecurity debt?
Eighty-five percent of security pros say that a Software Bill of Materials would reduce the risk of compromise stemming from the software supply chain.
The top three measures that most CIOs and CISOs have introduced (or plan to introduce), each cited by 54 percent of respondents, are: real-time monitoring and analysis to audit all privileged session activity; least privilege security / Zero Trust principles on infrastructure that runs business-critical applications; and processes to isolate business-critical applications from internet-connected devices to restrict lateral movement.
The top three strategic initiatives to reinforce Zero Trust principles are: workload security; Identity Security tools; and data security.






