Only half of organisations believe they can stop cyber attacks
CyberArk report also finds agility and automation initiatives may lead to ‘credential creep’ and increased privilege-related risk.
According to a new global survey from CyberArk (NASDAQ: CYBR), 50% of organisations believe attackers can infiltrate their networks each time they try. As organisations increase investments in automation and agility, a general lack of awareness about the existence of privileged credentials – across DevOps, robotic process automation (RPA) and in the cloud – is compounding risk.
According to the CyberArk Global Advanced Threat Landscape 2019 Report, less than half of organisations have a privileged access security strategy in place for DevOps, IOT, RPA and other technologies that are foundational to digital initiatives. This creates a perfect opportunity for attackers to exploit legitimate privileged access to move laterally across a network to conduct reconnaissance and progress their mission.
Preventing this lateral movement is a key reason why organisations are mapping security investments against key mitigation points along the cyber kill chain, with 28% of total planned security spend in the next two years to focus on stopping privilege escalation and lateral movement.
Proactive investments to reduce risk are critical, given what this year’s survey respondents cite as their top threats:
- 78% identified hackers in their top three greatest threats to critical assets, followed by organised crime (46%), hacktivists (46%) and privileged insiders (41%).
- 60% of respondents cited external attacks, such as phishing, as one of the greatest security risks currently facing their organisation, followed by ransomware (59%) and shadow IT (45%).
Security barriers to digital transformation and the privilege priority
The survey found that, while organisations view privileged access security as a core component of an effective cyber security programme, this understanding has not yet translated to action for protecting foundational digital transformation technologies.
Eighty-four percent state that IT infrastructure and critical data are not fully protected unless privileged accounts, credentials and secrets are secured.
Despite this, only 49% have a privileged access security strategy in place for protecting business-critical applications and cloud infrastructure respectively, with even fewer having a strategy for DevOps (35%) or IOT (32%).
Further, only 21% understood that privileged accounts, credentials and secrets exist in containers, 24% understood that they exist in source code repositories, and 30% understood that they are present in privileged applications and processes such as RPA.
“Organisations are showing increasing understanding of the importance of mitigation along the cyber kill chain and why preventing credential creep and lateral movement is critical to security,” said Adam Bosnian, executive vice-president, global business development, CyberArk. “But this awareness must extend to consistently implementing proactive cyber security strategies across all modern infrastructure and applications, specifically reducing privilege-related risk in order to recognise tangible business value from digital transformation initiatives.”
Global compliance readiness
According to the survey, a surprising 41% of organisations would be willing to pay fines for non-compliance with major regulations, but would not change security policies even after experiencing a successful cyber attack. On the heels of more than $300 million in General Data Protection Regulation (GDPR) fines being levied on global organisations for data breaches, this mindset is not sustainable.
The survey also examined the impact of major regulations around the world:
GDPR: Less than half (46%) are completely prepared for breach notification and investigation within the mandated 72-hour period.
Australia’s Data Breach Notification Law: 62% of Australian respondents reported that they were completely prepared to comply with the entirety of the statute, which came into force in February 2019.
California Consumer Privacy Act (CCPA): Only 37% are ready for this legislation to go into effect in 2020; 39% are actively working to meet deadline requirements.
CyberArk Advanced Threat Landscape 2019 Report
The CyberArk Global Advanced Threat Landscape 2019 annual report is the 12th in the series. The survey was conducted by Vanson Bourne among 1 000 IT security decision-makers and C-level executives across seven countries worldwide: the US, UK, France, Germany, Israel, Singapore and Australia. To download a copy of the report, please visit: http://www.cyberark.com/TL19.
CyberArk (NASDAQ: CYBR) is the global leader in privileged access security, a critical layer of IT security to protect data, infrastructure and assets across the enterprise, in the cloud and throughout the DevOps pipeline. CyberArk delivers the industry’s most complete solution to reduce risk created by privileged credentials and secrets. The company is trusted by the world’s leading organizations, including more than 50 percent of the Fortune 500, to protect against external attackers and malicious insiders. A global company, CyberArk is headquartered in Petach Tikva, Israel, with U.S. headquarters located in Newton, Mass. The company also has offices throughout the Americas, EMEA, Asia Pacific and Japan. To learn more about CyberArk, visit www.cyberark.com, read the CyberArk blogs or follow on Twitter via @CyberArk, LinkedIn or Facebook.