CyberArk Report: Massive Growth of Digital Identities Is Driving Rise in Cybersecurity Debt


A new global report released today by CyberArk (NASDAQ: CYBR) shows that 87% of Australian senior security professionals surveyed state that cybersecurity has taken a back seat in the last year in favour of accelerating digital business initiatives.

The CyberArk 2022 Identity Security Threat Landscape Report identifies how the rise of human and machine identities – often running into the hundreds of thousands per organisation – has driven a buildup of identity-related cybersecurity “debt”, exposing organisations to greater cybersecurity risk. 

  • Eighty-seven percent of Australian organisations agree that they prioritised maintaining business operations over ensuring robust cybersecurity in the last 12 months

  • Eighty-six percent of Australian organisations surveyed stated that over the last 12 months, the accelerated rate of employee churn/turnover has caused security issues, e.g. through not de-provisioning access rights, compared to sixty-eight percent globally

  • Machine identities now outweigh human identities by a factor of 45x

  • Seventy-six percent of security leaders in Australia admit their organisation cannot stop a supply chain-related attack

  • Eighty-eight percent of energy and utilities companies have been hit with a successful software supply chain related attack.

A Growing Identities Problem

Every major IT or digital initiative results in increasing interactions between people, applications, and processes, creating large numbers of digital identities. If these digital identities go unmanaged and unsecured, they can represent significant cybersecurity risk. Key Australian findings include: 

  • 85% of Australian organisations indicated that non-humans or bots have access to sensitive data and assets.

  • In Australia, machine identities now outweigh human identities by a factor of 15x on average.

  • The average staff member in Australia has greater than 33 digital identities.1

  • 91% of Australian organisations surveyed store secrets in multiple places across DevOps environments, while 84% say developers typically have more privileges than necessary for their roles.

The 2022 Attack Surface 

Secular trends of digital transformation, cloud migration and attacker innovation are expanding the attack surface. The report delves into the prevalence and type of cyber threats facing security teams and areas where they see elevated risk:   

  • 80% of Australian organisations surveyed have experienced ransomware attacks in the past year: two each on average.

  • 79% of Australian organisations have done nothing to secure their software supply chain following the SolarWinds attack, compared to 62% globally. 76% of those surveyed from Australia admit a compromise of a software supplier would mean an attack on their organisation could not be stopped.

  • Credential access was the number one area of risk for Australian respondents (at 35 percent) – followed by execution (34 percent), exfiltration (31 percent), lateral movement (30 percent) and privilege escalation (30 percent).2

Getting Into Cybersecurity Debt

Security professionals agree that recent organisation-wide digital initiatives have come at a price. This price is Cybersecurity Debt: security programs and tools have grown but not kept pace with what organisations have put in place to drive operations and support growth. This debt has arisen through not properly managing and securing access to sensitive data and assets, and a lack of Identity Security controls is driving up risk and creating consequences. The debt is compounded by the recent rise in geopolitical tensions, which have already had direct impact on critical infrastructure, highlighting the need for heightened awareness of the physical consequences of cyber-attacks: 

  • 87% of Australian organisations report prioritising the maintenance of business operations over ensuring robust cyber security in the last 12 months (compared to 79% globally).

  • 56% have Identity Security controls in place for their business-critical applications (compared to 48% globally)

Thomas Fikentscher, regional director of Australia and New Zealand, CyberArk: “While cyber risk awareness has generally risen amongst executives and board members, it has not necessarily triggered the required programmatic focus and funding to mature core cybersecurity controls among Australian businesses across all sizes and industries. The volume of machine and human identities has steadily grown and will play into the hands of malicious actors unless the current cybersecurity debt is rapidly addressed with the implementation of strong and adaptive access controls and by enforcing Zero Trust principles surrounding critical data and assets. Compromising fundamental cybersecurity controls in favour of rapid introduction of new digital initiatives is a risky endeavour and should be brought into balance in 2022 and beyond.”

Udi Mokady, founder, chairman and CEO, CyberArk: “The past few years have seen spending on digital transformation projects skyrocket to meet the demands of changed customer and workforce requirements. The combination of an expanding attack surface, rising numbers of identities, and behind-the-curve investment in cybersecurity - what we call Cybersecurity Debt - is exposing organisations to even greater risk, which is already elevated by ransomware threats and vulnerabilities across the software supply chain. This threat environment requires a security-first approach to protecting identities, one capable of outpacing attacker innovation.”

What Can Be Done?

  • Push for Transparency: 87% of Australian respondents say that a Software Bill of Materials would reduce the risk of compromise stemming from the software supply chain.

  • Introduce Strategies to Manage Sensitive Access: In Australia, the top three measures that most CIOs and CISOs questioned in the survey have introduced (or plan to introduce) are:

  1. Least privilege security / Zero Trust principles on infrastructure that runs business-critical applications.

  2. Process to monitor our SaaS user accounts and access.

  3. Eliminating embedded credentials in order to secure passwords, secrets and other credentials used by applications, machines, and scripts.

  • Prioritise Identity Security Controls to Enforce Zero Trust Principles: The top three strategic initiatives to reinforce Zero Trust principles are workload security, Identity Security tools and data security.

About the Report

The 2022 CyberArk Identity Security Threat Landscape Report represents the findings of a worldwide survey conducted by Vanson Bourne of 1,750 IT security decision makers, highlighting their experiences over the past year in supporting their organisations’ expanding digital initiatives. Respondents were based in the US, UK, France, Germany, Japan, Italy, Spain, Brazil, Mexico, Israel, Singapore, and Australia. To download a copy of the report, please visit: http://www.cyberark.com/ISTL22

Additional Assets:

Report landing page: https://www.cyberark.com/ISTL22

Blog: How Digital Identities Drive Cybersecurity Debt, the Hidden Transformation Trade-Off

1 - Respondents were asked to estimate the number of applications and accounts, on average, accessed per person in their organisation and not managed by federated identities.

2 - Respondents were asked about the cyber attacker tactics and techniques (as laid out in the MITRE ATT&CK® Matrix for Enterprise covering cloud-based techniques) that represented the most risk to their organisation.

# # #

Copyright © 2022 CyberArk Software. All Rights Reserved. All other brand names, product names, or trademarks belong to their respective holders.

About CyberArk

CyberArk (NASDAQ: CYBR) is the global leader in Identity Security. Centered on privileged access management, CyberArk provides the most comprehensive security offering for any identity – human or machine – across business applications, distributed workforces, hybrid cloud workloads and throughout the DevOps lifecycle. The world’s leading organisations trust CyberArk to help secure their most critical assets. To learn more about CyberArk, visit https://www.cyberark.com, read the CyberArk blogs or follow on Twitter via @CyberArk, LinkedIn or Facebook.