Sidelining cybersecurity-boosting efforts in favor of profits and growth can lead to severe vulnerabilities that end up destroying a brand: survey

In a global survey on identity security and the threat landscape, covering 1,750 IT security decision makers in large firms (>500 employees) in the US, the UK, France, Germany, Japan, Italy, Spain, Brazil, Mexico, Israel, Singapore and Australia, 84% of senior security professionals in Asia stated that cybersecurity had taken a back seat in the last year in favor of accelerating other digital business initiatives.

Additionally, data in the survey points to the rise of human and machine identities—often running into the hundreds of thousands per firm—that could drive an accumulation of identity-related “cybersecurity debt” that renders organizations in the survey more vulnerable.

If these digital identities go unmanaged and unsecured, they can represent significant cybersecurity risk. According to the survey data:

  • 77% of non-humans or bots had access to sensitive data and assets
  • The average staff member had more than 30 digital identities
  • Machine identities outnumbered human identities by a factor of 59 on average
  • 91% of respondents stored secrets in multiple places across DevOps environments, while 87% indicated that developers typically had more privileges than necessary for their roles
  • Credential access was the number one area of risk for respondents (43%), followed by defense evasion (34%), privilege escalation (32%) and execution (32%)
  • 77% of respondents had experienced ransomware attacks in the past year, two attacks each on average
  • 81% of respondents indicated that their organization was susceptible to carefully crafted attacks such as business email compromise and spear phishing
  • 74% of respondents had done nothing to secure their software supply chain after the global high-profile supply chain attacks; 75% indicated that a compromise of a software supplier would mean an attack on their organization could not be stopped

Paying up for cybersecurity debts

The survey data points to a trend over the last year: security programs and tools had grown, but not in tandem with the expansion of efforts to drive operations and support growth.

  • 84% of respondents agreed with prompts stating that their organization had prioritized maintaining business operations over ensuring robust cybersecurity in the last 12 months
  • 48% of respondents had identity security controls in place for their business-critical applications

This disparity creates cybersecurity debt through improper or insufficient management and securing of access to sensitive data and assets. The resulting escalation of cyber risks is compounded by geopolitical tensions that precipitate more cyber agendas and impose a multiplier effect on those risks.

According to Udi Mokady, founder, Chairman and CEO, CyberArk, the firm that commissioned the survey: “The past few years have seen spending on digital transformation projects skyrocket to meet the demands of changed customer and workforce requirements. The combination of an expanding attack surface, rising numbers of identities, and behind-the-curve investment in cybersecurity—what we call Cybersecurity Debt—is exposing organizations to even greater risks that are already elevated by ransomware threats and vulnerabilities across the software supply chain. This threat environment requires a security-first approach capable of outpacing attacker innovation.”