An increase in cyber threats and a failure to learn from past incidents place the security of data, infrastructure and assets at risk, according to a new threat landscape report.
CISOs, CIOs and CTOs are all too familiar with the expanding privileged account security attack surface – and how it poses a risk to an organization. But that hasn’t stopped them from taking a relaxed stance towards cloud security, according to the CyberArk Global Advanced Threat Landscape Report for 2018.
46 percent of IT security professionals rarely change their security strategy substantially – even after suffering a cyber-attack, new data indicates. At the same time, most IT security officers fully understand where the main culprit behind the biggest data breaches lies: corporate ID theft.
Privileged accounts & credentials
89 percent agree that IT infrastructure and critical data are not fully protected unless privileged accounts, credentials and secrets are secured. However, little is being done to address this matter.
“The automated processes inherent in cloud and DevOps mean privileged accounts, credentials and secrets are being created at a prolific rate,” the report states. “If compromised, these can give attackers a crucial jumping-off point to achieve lateral access to sensitive data across networks, data and applications or to use cloud infrastructure for illicit crypto mining activities. Organizations increasingly recognize this security risk, but still have a relaxed approach toward cloud security.”
Nearly half of the organizations surveyed say they can't always prevent attackers from breaking into internal networks, and 36 percent admit to storing administrative credentials in plain text in Word or Excel documents on company endpoints.
Half admit that their customers' personally identifiable information (PII) could be at risk because their data is not secured beyond the legal minimum (i.e. GDPR).
Changing the security culture
49 percent of organizations have no privileged account security strategy for the cloud, and 68 percent rely on built-in security capabilities (defer to their vendor on cloud security). 38 percent don’t trust their cloud vendor to deliver adequate protection.
However, the same IT security types believe they know how to fix their situation, and it starts with changing the company culture.
First on their self-drafted list of to-dos is reportedly overcoming cyber security inertia by making IT security central to organizational strategy and behavior.
86 percent of IT security professionals agree security should be a regular board-level discussion topic, and 44 percent report recognizing or rewarding employees who help prevent a breach. In the U.S., that number is nearly three quarters (74 percent).
Insurance brokerage firm Marsh uncovered similar trends in its own global cybersecurity assessment. Senior executives at large companies are failing to make ends meet when it comes to cyber resilience.
Few organizations can manage the risk of a cyber-attack, even though high-ranking executives at these organizations view cybersecurity as a top risk management priority.
“Despite this growing awareness and rising concern, only 19% of respondents said they are highly confident in their organization’s ability to mitigate and respond to a cyber event. Moreover, only 30% said they have developed a plan to respond to cyber-attacks,” the report reads.