Massive growth of digital identities is driving rise in cybersecurity debt

Udi Mokady, founder and Chief Executive Officer at CyberArk

CyberArk reports that 87% of Australian senior security experts state that cybersecurity has taken a back seat in the last year in favour of accelerating digital business initiatives.

What were the key insights of CyberArk’s survey?

The CyberArk 2022 Identity Security Threat Landscape Report identifies how the rise of human and machine identities – running into the hundreds of thousands per firm – has built up identity-related cybersecurity “debt”, exposing firms to greater cybersecurity risk.

  • 87% of Australian organisations agree that they prioritised maintaining business operations over ensuring robust cybersecurity in the last 12 months
  • 86% of Australian organisations surveyed stated that over the last 12 months, the accelerated rate of employee churn/turnover has caused security issues, e.g. through not de-provisioning access rights (compared to 68% globally)
  • Machine identities now outweigh human identities by a factor of 45x
  • The survey showed 76% of security leaders in Australia admit their organisation cannot stop a supply chain-related attack
  • 84% of energy and utilities firms have been hit with a software supply chain related attack.

What is the effect of rising digital identities on cybersecurity?

Every major digital initiative results in increasing interactions between people, apps, and processes, creating large numbers of digital identities. If these digital identities go unmanaged, they can represent significant cybersecurity risk. Key Australian findings include:

  • 85% of Australian firms indicated that bots have access to sensitive data and assets.
  • Machine identities now outweigh human identities by a factor of 15x on average.
  • The average staff member in Australia has greater than 33 digital identities.
  • 91% of firms surveyed store secrets in multiple places across DevOps environments, while 84% say developers have more privileges than necessary for their roles.

What does the attack surface look like?

Secular trends of digital transformation, cloud migration and attacker innovation are expanding the attack surface. The report delves into the prevalence and type of cyber threats facing security teams and areas where they see elevated risk:

  • 80% of firms surveyed have experienced ransomware attacks in the past year
  • 79% of firms have done nothing to secure their software supply chain after the SolarWinds attack, compared to 62% globally. 76% of those surveyed admit a compromise of a software supplier means an attack on their firm couldn’t be stopped.
  • Credential access was the major area of risk for respondents (35%) – then execution (34%), exfiltration (31%), lateral movement (30%) and privilege escalation (30%).

How are firms getting into cybersecurity debt?

Security professionals agree that recent organisation-wide digital initiatives have come at a price. This price is Cybersecurity Debt: security programs and tools have grown but not kept pace with what organisations have put in place to drive operations and support growth.

This debt has arisen through not properly managing and securing access to sensitive data and assets, and a lack of Identity Security controls is driving up risk. The debt is compounded by the recent rise in geopolitical tensions, which have already had direct impact on infrastructure, highlighting the need for heightened awareness of the physical consequences of attacks:

  • 87% of Australian organisations report prioritising the maintenance of business operations over ensuring robust cyber security in the last 12 months (compared to 79% globally).
  • 56% of surveyed organisations have Identity Security controls in place for their business-critical applications (compared to 48% globally)

Thomas Fikentscher, regional director of Australia and New Zealand, CyberArk: “While cyber risk awareness has generally risen amongst executives and board members, it has not necessarily triggered the required programmatic focus and funding to mature core cybersecurity controls among Australian businesses across all sizes and industries.”

“The volume of machine and human identities has steadily grown and will play into the hands of malicious actors unless the current cybersecurity debt is addressed with the use of strong access controls and by enforcing Zero Trust principles surrounding critical data and assets.”

“Compromising vital cybersecurity controls in favour of rapid introduction of new digital initiatives is a risky endeavour and should be brought into balance in 2022 and beyond.”

Udi Mokady, founder and CEO, CyberArk: “The past few years have seen spending on digital shift projects skyrocket to meet the demands of changed client and workforce needs.”

“The combination of an expanding attack surface, rising numbers of identities, and behind-the-curve investment in cybersecurity (Cybersecurity Debt) – is exposing firms to risk.”

“This is already elevated by ransomware threats and vulnerabilities across the software supply chain. This threat environment requires a security-first approach to protecting identities, one capable of outpacing attacker innovation,” he further commented.

What can be done?

  • Push for Transparency: 87% of Australian respondents say that a Software Bill of Materials would reduce the risk of compromise stemming from the software supply chain.
  • Introduce Strategies to Manage Sensitive Access: In Australia, the top three measures that most CIOs and CISOs questioned in the survey have introduced (or plan to introduce) are:
    1. Zero Trust principles on infrastructure that runs business-critical applications.
    2. Process to monitor our SaaS user accounts and access.
    3. Eliminating embedded credentials in order to secure passwords, secrets and other credentials used by applications, machines, and scripts.
  • Prioritise Identity Security Controls to Enforce Zero Trust: The top 3 initiatives to reinforce Zero Trust principles are workload security, Identity Security tools and data security.