According to a new global survey from CyberArk, 45 percent of local organisations believe attackers can infiltrate their networks each time they try. As organisations increase investments in automation and agility, a general lack of awareness about the existence of privileged credentials – across DevOps, robotic process automation (RPA) and in the cloud– is compounding the risk.
According to the CyberArk Global Advanced Threat Landscape 2019 Report for Singapore, less than half of organisations have a privileged access security strategy in place for DevOps, IoT and other technologies that are foundational to digital initiatives. This creates a perfect opportunity for attackers to exploit legitimate privileged access to move laterally across a network to conduct reconnaissance and progress their mission.
Preventing this lateral movement is a key reason why organisations are mapping security investments against key mitigation points along the cyber kill chain, with 30 percent of total planned security spend in the next two years to focus on stopping privilege escalation and lateral movement.
Proactive investments to reduce risk are critical given what this year's survey respondents cite as their top threats:
- 79 percent identified hackers in their top three greatest threats to critical assets, followed by organised crime (66 percent), privileged insiders (44 percent) and hacktivists (41 percent).
- · 60 percent of respondents cited external attacks, such as phishing, as one of the greatest security risks currently facing their organisation, followed by ransomware (62 percent) and Shadow IT (57 percent).
Security Barriers to Digital Transformation and the Privilege Priority
The survey found that while local organisations view privileged access security as a core component of an effective cybersecurity program, this understanding has not yet translated to action for protecting foundational digital transformation technologies.
- 81 percent state that IT infrastructure and critical data are not fully protected unless privileged accounts, credentials and secrets are secured.
- Despite this, only 56 percent have a privileged access security strategy in place for protecting business-critical applications and cloud infrastructure respectively, with even fewer having a strategy for DevOps (28 percent) or IoT (28 percent).
- Further, only 30 percent understood that privileged accounts, credentials and secrets exist in containers, 32 percent understood that they exist in source code repositories and 42 percent understood that they are present in privileged applications and processes such as RPA.
"While local organisations are recognising the necessity to increase digital transformation efforts by investing in technology to secure the cloud, IoT, and automation, these findings point to the need to commit more to tighten data security beyond just meeting compliance regulations such as the Personal Data Protection Act and paying hefty fines",said Vincent Goh, Senior Vice President, Asia Pacific and Japan, CyberArk.
"The results show that businesses don't have a high degree of confidence in their ability to defend themselves from cyber-attacks. With nearly half of respondents being impacted by a cyber attack in the past 36 months, business and technology leaders must take on a security-first mindset, implementing robust cyber strategies to prioritise the protection of critical assets and data."
Global Compliance Readiness
According to the survey, a surprising 41 percent of organisations would be willing to pay fines for non-compliance with major regulations, but would not change security policies even after experiencing a successful cyber attack. On the heels of more than USD $300M in General Data Protection Regulation (GDPR) fines being levied on global organisations for data breaches, this mindset is not sustainable.
The survey also examined the impact of major regulations around the world:
- · GDPR: Less than half of the local respondents (44 percent) are completely prepared for breach notification and investigation within the mandated 72 hour period.
- · California Consumer Privacy Act (CCPA): Only 37 percent of local respondents are ready for this legislation to go into effect in 2020; 50 percent are actively working to meet deadline requirements.