Preparing for what’s next: Innovation also brings cyber security risk
By David Higgins, Technical Director, CyberArk
Delivering strong security while at the same time not getting in the way of innovation, automation and digital transformation is a constant challenge, so it’s no wonder cyber security leaders feel as if their time is primarily spent reacting to the latest crisis each day brings.
CIOs are spearheading efforts to deploy technologies that enable cloud migration, automating processes, delivering new revenue-generating applications to market faster than competitors and enabling mobile, social customer experiences. And with every innovation comes a certain amount of risk.
These threat vectors are unpredictable and difficult to prepare for. What’s more, the job of securing systems and data has become even more daunting as many employees work from home full-time or bounce back and forth between their corporate and home offices.
The combination of all the above has created a veritable playground for attackers, who are using their own advanced tools to launch attacks that can potentially be devastating for businesses. Yet it remains difficult for security leaders to quantify the risk in anything more than an abstract sense.
What is the risk? The data doesn’t lie
Recent research illustrates the security risks that the work-from-home model represents. A survey of 3 000 remote office workers and IT professionals, conducted by an independent research agency and commissioned by CyberArk, found that work-from-home habits such as password re-use and letting family members use corporate devices is putting critical business systems and sensitive data at risk.
The survey showed that 77% of remote employees are using unmanaged, insecure bring-your-own-device (BYOD) products to access corporate systems. Two-thirds of employees have adopted communication and collaboration tools such as Zoom and Microsoft Teams, both of which have been recently subjected to high-profile reporting of security vulnerabilities.
In addition, a large majority of home workers (93%) have re-used passwords across applications and devices; 29% admitted that they let other members of their household use their corporate devices for other activities; and 37% insecurely save passwords in browsers on their corporate devices.
Where to prioritise
While there is a seemingly endless list of risk hotspots for organisations to address, the vast majority of attacks today follow the exact same pattern; attackers find privileged credentials and use them to move laterally to gain access to an organisation’s most valuable assets. More than 80% of breaches tied to hacking involve brute force or the use of lost or stolen credentials, according to the 2020 Verizon Data Breach Investigations Report. Privileged credentials are particularly valuable to the attacker as they elevate the level of access for the attacker and increase the amount of damage they can do or information they can get to.
Organisations can’t stop attacks if they don’t secure privileged access everywhere: in the cloud, on endpoint devices, in applications, within automated processes, and throughout the DevOps pipeline. And the security of privileged access needs to encompass a company’s remote employees, as well as all its supply chain partners and their home-based workers.
How to prioritise
What complicates the issue of securing privileged access, however, is defining exactly what a privileged user is today. In the past, the definition was relatively simple and straightforward: a privileged user was a human being, usually a systems administrator, who had elevated access to critical systems to perform maintenance or other tasks.
But increased automation and integration across IT infrastructure has created situations that require applications and machines to have similar elevated access. This non-human access is often overlooked by organisations.
As organisations move more IT resources to hybrid and multi-cloud environments, and accelerate automation and digital transformation initiatives, the number of privileged credentials will grow exponentially, and so will the risks. In modern IT environments, all identities can become privileged under certain conditions, based on the systems, environments, applications or data they are accessing or the types of operations they are performing.
Because virtually any user – human or non-human – can become a privileged user at any time, managing and protecting access is now a more critical security issue than ever. Here are some other factors contributing to the explosion of privileged access and the increased risk:
The rising adoption of DevOps, the Internet of things (IOT) and use of cloud services means far more possible access points.
Business users in departments like HR, finance and sales operations are often granted high levels of access to keep critical processes up to date and to maintain business continuity. That access must be managed, monitored and controlled the same as for traditional privileged users.
Critical business processes handle some of the most sensitive data within organisations. They can include the systems and applications that handle customer data, business forecasting, intellectual property and other high value assets.
All these factors and others mean privileged access management must be a top cyber security and business priority. Privileged access management solutions deliver automated, centralised and proactive controls that can provide peace of mind as organisations continue to operate in these dynamic environments and prepare for whatever challenges might come.
To learn more, download a complimentary copy of the Gartner 2020 Magic Quadrant for Privileged Access Management: https://www.cyberark.com/gartner-mq-pam/
 Gartner, Magic Quadrant for Privileged Access Management, FelixGaehtgens, Abhyuday Data, Michael Kelley, 4 August 2020
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organisation and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.