Businesses in the UK have faced – to put it mildly - unprecedented challenges over the past two years, both in severity and variety. Not only have the pandemic and Brexit combined to force them to rapidly pivot in how and where they operate, but the threat landscape has become even more testing.
David Higgins, Senior Director, Field Technology Office at CyberArk.
Vulnerabilities have been highlighted in recent years by digital supply chain breaches such as the SolarWinds attack along with other major attacks such as Codecov and Kaseya, which ripped through software supply chains in frightening succession, causing huge disruption globally by exploiting weak links in code.
In fact, CyberArk research found that, over the past year, 70% of organizations have experienced ransomware attacks, with an average of two per company, while 71% suffered a software supply chain attack that resulted in data loss or a compromise of assets.
Even so, shockingly 62% of organizations have done nothing to secure their software supply chain since these headline-making attacks, with 64% admitting that if a supplier was compromised, they wouldn’t be able to stop an attack on their own organization.
This is a pressing issue because, instead of addressing these vulnerabilities, investing in security has taken a back seat in favor of prioritizing digital initiatives to support competitiveness and growth.
The explosion of digital initiatives – and with them, identities
Many of these digital initiatives have been a necessary response to the health and trading environment. Businesses have had to pivot quickly to the cloud, prioritize enabling remote and hybrid working and accelerate the introduction of new digital services for customers. Understandably, the boardroom’s focus has been on agility, resilience, profitability and survival.
But it’s important to be aware that every major IT initiative results in the growth in digital interactions between people, applications and processes. Each of these connections, whether human or machine, created by a digital identity. This rush of initiatives has led to an explosion in digital identities – easily running to the hundreds of thousands per organization - and these figures will continue to grow.
The existence of more digital identities is not, per se, a cause for concern. However, in their hurry to roll out these projects, organizations haven’t always properly secured these identities. This creates a cost: the build-up of cybersecurity debt.
Cybersecurity debt
Simply put, cybersecurity debt is when security programs and tools don’t keep pace with digital initiatives, exposing the business to increased security risks.
It’s critical that the new human and machine identities being created are managed and secured correctly. This is because the majority of them, according to our research, access sensitive data and assets in order to perform their roles.
And yet, less than half of organizations currently have identity security controls in place for their business-critical applications, or their cloud services, while the vast majority have secrets and credentials scattered throughout their DevOps environment. Unsecured, unmanaged credentials are exactly what attackers target. So, while security teams struggle to keep up with the speed of digital acceleration in the business, vulnerabilities grow.
The turbulence of the last few years meant many businesses had to react quickly - understandably so. However, now we’re in this ‘new / next normal’ it’s imperative that businesses take stock of, and respond to, growing levels of identity-related cybersecurity debt. Otherwise, they’re leaving a door wide open for cybercriminals to simply walk through.
Areas of heightened risk
Poorly protected credentials are the number one perceived area of risk for organizations, as they’re a primary means for attackers to gain entry to business systems. From there cybercriminals can steal data or hold it to ransom, disrupt business operations or go on to gain more powerful privileged credentials that give access to even more valuable business assets.
DevOps, CI/CD pipelines or other development environments represent another area where cybersecurity debt needs to be addressed. This is because 87% of organizations store secrets such as passwords and encryption keys in multiple places across DevOps environments. In fact, only 3% use a centralized secrets management platform to manage credentials used by apps.
In addition, 80% of security professionals agree that developers currently have more privileges than they need, which also opens up businesses to further unnecessary risk.
So, what can be done?
There’s no silver bullet to counteract cybersecurity debt caused by digital acceleration. However, there are simple steps that can be taken to improve the management of security, such as establishing zero trust principles. This is an approach that demands that any person or machine trying to connect to an organization's system must first be verified before access is granted.
Per our research, the top three strategic initiatives that CISOs and CIOs cites to implement zero trust principles are: workload security; identity security tools; and data security. Businesses have had to be very reactive over the last few years, but now is the time to take back control of their security and begin to pay down the cybersecurity debt they’ve accrued. This means extending zero trust “never trust; always verify” thinking and protections across the IT environment: from business applications and distributed workforces to hybrid cloud workloads and throughout the DevOps lifecycle.
