According to a new global survey by CyberArk, 45% of local organisations believe their networks can be easily infiltrated by cyber attacks due to a lack of awareness or limited cybersecurity protocols around privileged access security.
The survey showed that a general lack of awareness regarding the existence of privileged credentials – primarily across Internet of Things (IoT), , and in the – is a compounding risk.
Consequently, this creates a perfect opportunity for attackers to exploit legitimate privileged access to move laterally across a network to conduct reconnaissance and progress their mission.
Additionally, the report revealed that preventing this lateral movement is the main reason why organisations are mapping security investments against key mitigation points along the cyber kill chain, with 30% of total planned security spend in the next two years to focus on stopping such privilege escalation and lateral movement.
Proactive investments to reduce risk are critical given what this year’s survey respondents cite as their top threats:
- 79% identified hackers in their top three greatest threats to critical assets, followed by organised crime (66%), privileged insiders (44%), and hacktivists (41%).
- 60% of respondents cited external attacks, such as phishing, as one of the greatest security risks currently facing their organisation, followed by ransomware (62%) and Shadow IT (57%).
The survey also found that while local organisations view privileged access security as a core component of an effective cybersecurity program, this understanding has not yet translated to action for protecting foundational digital transformation technologies:
- 81% state that IT infrastructure and critical data are not fully protected unless privileged accounts, credentials, and secrets are secured.
- Despite this, only 56% have a privileged access security strategy in place for protecting business-critical applications and cloud infrastructure respectively, with even fewer having a strategy for DevOps (28%) or IoT (28%).
- Only 30% understood that privileged accounts, credentials, and secrets exist in containers, 32% understood that they exist in source code repositories, and 42% understood that they are present in privileged applications and processes such as RPA.
“While local organisations are recognising the necessity to increase digital transformation efforts by investing in technology to secure the cloud, IoT, and automation, these findings point to the need to commit more to tighten data security beyond just meeting compliance regulations such as the Personal Data Protection Act and paying hefty fines,” said Vincent Goh, Senior Vice President for Asia Pacific and Japan at CyberArk.
“The results show that businesses don’t have a high degree of confidence in their ability to defend themselves from cyber attacks. With nearly half of respondents being impacted by a cyber attack in the past 36 months, business and technology leaders must take on a security-first mindset, implementing robust cyber strategies to prioritise the protection of critical assets and data,” he added.