grandeduc - Fotolia
There is a worrying lack of action by businesses to improve security following an attack across the global technology industry, according to the latest cyber threat report by privileged account security firm CyberArk.
The report also highlights poor practices concerning cloud and endpoint security, and from security professionals themselves, putting sensitive data, infrastructure, assets and even employers at risk.
Every organisation has something of value to a cyber attacker, and greater investments in cloud technologies and DevOps processes mean the attack surface is expanding exponentially, and attackers continue to target and exploit privileged accounts, credentials and secrets to accomplish their goals, the report said.
Nearly half (46%) of IT security professionals rarely change their security strategy substantially, even after experiencing a cyber attack, according to a CyberArk-commissioned poll of 1,300 IT security decision makers, developers and line of business owners in seven countries.
This level of cyber security inertia and failure to learn from past incidents puts sensitive data, infrastructure and assets at risk, the CyberArk report said.
The survey also revealed that while 89% of IT security professionals believe securing an environment starts with protecting privileged accounts and more than four in 10 cite it as a top security risk, more than a quarter (28%) are not putting this knowledge into action.
Respondents said the greatest cyber security threats they currently face are targeted phishing attacks (56%), insider threats (51%), ransomware or other malware (48%), unsecured privileged accounts (42%), and unsecured data stored in the cloud (41%).
Demands for flexibility
The proportion of users who have local administrative privileges on their endpoint devices increased from 62% in 2016 to 87% in 2018, a 25% increase the report said could indicate that employee demands for flexibility have been allowed to trump security best practices.
The survey findings suggest security inertia has infiltrated many organisations, with an inability to repel or contain cyber threats and the resultant impact on the business.
This inertia is reflected in the fact that 46% of respondents said their organisation cannot prevent attackers from breaking into internal networks every time it is attempted, 36% said that administrative credentials are stored in Word or Excel documents on company PCs, and half admitted their customers’ privacy or PII (personally identifiable information) could be at risk because their data is not secured beyond the legally-required basics.
The report notes that the automated processes inherent in cloud and DevOps mean that privileged accounts, credentials and secrets are being created at a prolific rate. If compromised, the report said these can give attackers a crucial jumping-off point to achieve lateral access to sensitive data across networks, data and applications or to use cloud infrastructure for illicit crypto mining activities.
The survey shows that while organisations increasingly recognise this security risk, they still have a relaxed approach towards cloud security, with half of organisations polled having no privileged account security strategy for the cloud and more than two-thirds (68%) relying on built-in security capabilities.
While cloud adoption has increased dramatically in recent years, the report said there is still a limited understanding of the challenges of securing cloud workloads in IaaS (infrastructure as a service) and PaaS (platform as a service) environments.
“There are still gaps in the understanding of who is responsible for security in the cloud, even though the public cloud suppliers are very clear that the enterprise is responsible for securing cloud workloads. Additionally, few understand the full impact of the unsecured secrets that proliferate in dynamic cloud environments and automated processes,” the report said.
Overcoming cyber security inertia, the report said, requires cyber security to become central to organisational strategy and behaviour, not something that is dictated by competing commercial needs.
According to the survey, 86% of IT security professionals feel security should be a regular board-level discussion topic, and 44% said they recognise or reward employees who help prevent an IT security breach, increasing to nearly three quarters (74%) in the US.
However, only 8% of companies continuously perform red team exercises to uncover critical vulnerabilities and identify effective responses. Investing in regular red team exercises could help determine where to focus efforts and prioritise risk reduction, the report said.
Treating the risk with urgency
Rich Turner, European vice-president at CyberArk, said cyber attackers are often able to penetrate traditional perimeter defences when targeting organisations that have not moved with the times.
“Companies must show greater urgency to change the game, which means treating the risk associated with cyber security in the same way as wider business risks such as competition and the economy,” he said.
According to Turner, understanding how changing service delivery models – like cloud and DevOps – affect the attack surface is a crucial component of cyber risk. “Business leaders have a critical role to play in transforming the risk mindset and building cyber resilience across the enterprise,” he said.
There is a need for a more current and realistic conversation about what happens when an attack succeeds, the report said, recommending that the priority should be to recognise that an attack will succeed and examine how to minimise its impact and return to normal operations.
Security spend is currently not invested proportionately to the value of the asset that is being protected, or on securing privileged access to that asset, the report said.
“Thus, the question of business risk must be part of security strategy to focus on better risk mitigation strategies that could protect the company from financial harm and reputational damage,” the report concludes.