CyberArk survey: AI tool use, employee churn, economic pressures fuel identity attack surface

A new global report released today by CyberArk (NASDAQ: CYBR) shows how the tension between difficult economic conditions and the pace of technology innovation, including the evolution of artificial intelligence (AI), is influencing the growth of identity-led cyber security exposure.

The CyberArk 2023 Identity Security Threat Landscape Report details how these issues – allied to an expected 240% growth in human and machine identities – have the potential to result in a compounding of ‘cyber debt’: where investment in digital and cloud initiatives outpaces cyber security spend, creating a rapidly expanding and unsecured identity-centric attack surface.

Economic squeeze allied to pace of digital acceleration puts organisations at risk

In 2022, organisations experienced growing cyber debt, where security spend over the pandemic period lagged investment in broader digital business initiatives. In 2023, levels of cyber debt are at risk of compounding, driven by an economic squeeze, elevated levels of staff turnover, a consumer spend downturn and an uncertain global environment. With investment in digital and cloud initiatives still ongoing as business leaders seek to unlock greater efficiencies and innovation, these factors have had knock-on effects to cyber security.

• Nearly all (99%) expect identity-related compromise this year, stemming from economic-driven cutbacks, geopolitical factors, cloud adoption and hybrid working. A majority (58%) say this will happen as part of a digital transformation initiative such as cloud adoption or legacy app migration.
• Fuelling a new wave of insider threat concerns from, for example, disgruntled ex-staffers or exploitable leftover credentials, over two-thirds (68%) of organisations expect employee churn-driven cyber issues in 2023.
• Organisations will deploy 68% more SaaS tools in the next 12 months versus what they have now. Large proportions of human and machine identities have access to sensitive data via SaaS tools and, if not secured properly, can be a gateway for attack.

The 2023 threat landscape

• Report findings reveal upcoming areas of identity and cyber security concern this year.

• Ninety-three percent of security professionals surveyed expect AI-enabled threats to affect their organisation in 2023, with AI-powered malware cited as the number one concern.
• Nearly nine in 10 (89% – up from 73% in our 2022 report) of the organisations surveyed experienced ransomware attacks in the past year, and 60% of affected organisations reported paying-up twice or more to allow recovery, signalling that they were likely victims of double extortion campaigns.
• Sixty-seven percent of energy, oil and gas companies expect they would not be able to stop – or even detect – an attack stemming from their software supply chain (versus 59% for all organisations). Most respondents from this vertical (69%) also admit they hadn’t attempted to mitigate this through implementing better security in the last 12 months.

Expanded identity-centric attack surface

Identities – both human and machine – are at the heart of all, or nearly all, attacks. Nearly half of identities require sensitive access to perform their roles and are a favoured attack vector as a result. The report found that critical areas of the IT environment are inadequately protected and identifies the identity types that represent significant risk.

• Sixty-three percent say highest-sensitivity employee access is not adequately secured and greater numbers of machines have sensitive access than humans (45% vs 38%).
• Credential access remains the number one risk for respondents (cited by 35%), followed by defence evasion (31%), execution (28%), initial access (28%) and privilege escalation (27%).
• Business-critical applications, eg, revenue-generating customer-facing applications, enterprise resource planning (ERP) and financial management software, were named as the area of greatest risk due to the unknown and unmanaged identities that access them. Only 46% have identity security controls in place to secure business-critical apps.
• Third parties – partners, consultants and services providers – cited as number one riskiest human identity type. Sixty-nine percent say robotic process automation (RPA) and bot deployments are being slowed due to security concerns.

“The organisational desire to drive ever-greater business efficiencies and innovation remains undiminished, even as cutbacks in staffing and macro-economic forces are creating significant pressures,” said Matt Cohen, chief executive officer at CyberArk. “Business transformation, driven by digital and cloud initiatives, continues to result in a surge in new enterprise identities. While attackers are constantly innovating, compromising identities remains the most effective way to circumvent cyber defences and access sensitive data and assets. Such profound risk puts the issue of “who and what to trust” at the forefront of efforts to prevent cyber debt from compounding, and to build long-term cyber resilience.”

What can be done?

• Zero trust alignment: Identity security is critical for a robust zero trust implementation. Respondents said that identity management (79%) and endpoint security/device trust (78%) are “critical” or “important” to supporting zero trust.
• Strategies to secure sensitive access: The top three measures to improve identity security that organisations plan on introducing in 2023: Just-in-time access (cited by 32% of respondents); adopting least privilege principles to secure business-critical applications (32%); and automatic provisioning and de-provisioning of access (31%).
• Consolidate with trusted partners: Over half of respondents (51%) will look to trusted cyber security partners to help forecast and design solutions for future cyber risk in 2023.