CyberArk study: how tension between difficult economic conditions and the pace of technology innovation, including the evolution of AI, is influencing the growth of identity-led cybersecurity exposure.

The new global CyberArk 2023 Identity Security Threat Landscape Report is based on the findings of a worldwide survey across private and public sector organizations of 500 employees and above. It was conducted by market researchers Vanson Bourne among 2,300 cybersecurity decision makers based in Singapore, Australia, India, Japan, Taiwan, Brazil, Canada, Mexico, the US, France, Germany, Italy, the Netherlands, Spain, the UK, and Israel.

With 700 respondents in Asia Pacific and Japan, the study details how these issues have the potential to result in a compounding of ‘cyber debt’: where investment in digital and cloud initiatives outpaces cybersecurity spend, creating a rapidly expanding and unsecured identity-centric attack surface.

Economic squeeze and digital acceleration puts organizations at risk

In 2022, cybersecurity teams in Asia Pacific and Japan (APJ) experienced growing cyber debt, where security spend over the pandemic period lagged behind investment in broader digital business initiatives. In 2023, levels of cyber debt are at risk of compounding, driven by an economic squeeze, elevated levels of staff turnover, a downturn in consumer spend and an uncertain global environment.

With investment in digital and cloud initiatives still ongoing as business leaders seek to unlock greater efficiencies and innovation, these factors have had a knock-on effect on cybersecurity:

    • Regionally, 99.9% of APJ organizations expect identity-related compromise this year, stemming from economic-driven cutbacks, geopolitical factors, cloud adoption and hybrid working. 63% say this will happen as part of a digital transformation initiative such as cloud adoption or legacy app migration.
    • Fueling a new wave of insider threat concerns from – for example – disgruntled ex-staffers or exploitable leftover credentials, 69% of APJ organizations expect employee churn-driven cyber issues in 2023. 73% of cybersecurity experts across the region agree that they are concerned about loss of confidential information stemming from employees, ex-employees, and third-party identities.
    • APJ organizations will deploy 70% more SaaS tools in the next 12 months versus what they have now. Large proportions of human and machine identities have access to sensitive data via SaaS tools and if not secured properly can be a gateway for attacks.

The 2023 attack surface

Findings also reveal upcoming areas of identity and cybersecurity concern this year:

    • Against a backdrop of the growing popularity and fast adoption of generative AI, 98% of APJ cybersecurity experts indicated that their organisations have deployed AI tools to augment and enhance Identity Security functionality. The three key areas include:
      1. Automation and flexibility
      2. Addressing cyber skill shortage/lack of resources
      3. Breach detection and prevention
    • 94% of cybersecurity experts across the APJ region expect a negative impact from AI tools and services in 2023, with the biggest concern being chatbot security vulnerabilities that include potential employee impersonation, ransomware, malware and phishing.
    • 88% of the organizations surveyed experienced ransomware attacks in the past year. 69% of cybersecurity experts from APJ indicated that in the last 12 months, they paid ransom to allow recovery at least once.
    • 61% of local companies expect that they would not be able to stop – or even detect – an attack stemming from software supply chain.

Expanded identity-centric attack surface

Identities – both human and machine – are at the heart of nearly all attacks. Almost half of the identities require sensitive access to perform their roles and are a favoured attack vector as a result. The report found that critical areas of the IT environment are inadequately protected:

    • 62% say highest-sensitivity employee access is not adequately secured and greater numbers of machines have sensitive access than humans (39% vs. 45%).
    • In APJ, credential access remains the #1 risk for respondents (cited by 36%), followed by defence evasion (35%), impact (30%), initial access (29%) and execution (28%).
    • Business critical applications e.g. revenue-generating customer-facing applications, enterprise resource planning (ERP) and financial management software – are named as areas of greatest risk due to the unknown and unmanaged identities that access them. Only 47% have identity security controls in place to secure business-critical apps.
    • Third parties – partners, consultants and services providers – are cited as #1 riskiest human identity type.