Cybersecurity debt on the rise

A new report by CyberArk has revealed that 78% of senior security professionals in the UK say cybersecurity has taken a back seat in the last year in favour of accelerating other digital business initiatives.

CyberArk’s 2022 Identity Security Threat Landscape Report identifies how the rise of human and machine identities – often running into the hundreds of thousands per organisation – has driven a buildup of identity-related cybersecurity “debt”, exposing businesses to greater cybersecurity risk.  

 

An Increasing Identities Problem 

Every major IT or digital initiative results in increasing interactions between people, applications and processes, creating large numbers of digital identities. If these digital identities go unmanaged and unsecured, they can represent significant cybersecurity risk to UK businesses:  

· Sixty-seven percent of non-humans or bots have access to sensitive data and assets.

· Machine identities now outweigh human identities by a factor of 39x on average.

· The average staff member has greater than 24 digital identities.

· Seventy-nine percent store secrets in multiple places across DevOps environments, while 73% say developers typically have more privileges than necessary for their roles.

 

Secular trends of digital transformation, cloud migration and attacker innovation are expanding the attack surface. The report delves into the prevalence and type of cyber threats facing security teams and areas where they see elevated risk:    

· Over 70% of UK organisations surveyed have experienced ransomware attacks in the past year: two each on average.

· Sixty-five percent have done nothing to secure their software supply chain post the SolarWinds attack and most (64%) admit a compromise of a software supplier would mean an attack on their organisation could not be stopped.

· Credential access was the number one area of risk for respondents (at 37%), followed by execution (33%), defence evasion (31%), initial access (31%) and privilege escalation (30%).

 

The Price of Cybersecurity Debt 

Security professionals agree that recent organisation-wide digital initiatives have come at a price. This price is Cybersecurity Debt: security programmes and tools that have grown but not kept pace with what organisations have put in place to drive operations and support growth. 

 

This debt has arisen through not properly managing and securing access to sensitive data and assets, and a lack of Identity Security controls is driving up risk and creating consequences. The debt is compounded by the recent rise in geopolitical tensions, which have already had a direct impact on critical infrastructure, highlighting the need for heightened awareness of the physical consequences of cyber attacks:

· Seventy-eight percent agree that their organisation prioritised maintaining business operations over ensuring robust cyber security in the last 12 months.

· Less than half (47%) have Identity Security controls in place for their business-critical applications.

 

Rich Turner, Senior Vice President of Sales, CyberArk: “Turbulent recent times have meant UK organisations have had to quickly rethink and adapt to changing market conditions. Primarily, this meant an acceleration in their digital strategies as they sought to increase agility and underpin competitiveness. The pivot to digital though, with the associated creation of huge numbers of human and machine identities, has not been matched by investments in the cybersecurity tools and programmes to secure these identities, the majority of which have access to sensitive assets and data within the organisation. This has created an identity-centric attack surface that is ripe for exploitation, added to the risks from ransomware and software supply chain attacks that firms in the UK are also having to deal with; paying down this cybersecurity debt with a security-first approach to protecting identities should be a priority for 2022.”  
