Computerwekkly.com 28 Feb 2018 Warwick Ashford Security Editor
Organisations are failing to learn from cyber attacks, and lax security practices are leaving organisations worldwide open to damaging cyber attacks, a report reveals
There is a worrying lack of action by businesses to improve security following an attack across the global technology industry, according to the latest cyber threat report by privileged account security firm CyberArk.
The report also highlights poor practices concerning cloud and endpoint security, and from security professionals themselves, putting sensitive data, infrastructure, assets and even employers at risk.
Every organisation has something of value to a cyber attacker, and greater investments in cloud technologies and DevOps processes mean the attack surface is expanding exponentially, and attackers continue to target and exploit privileged accounts, credentials and secrets to accomplish their goals, the report said.
Nearly half (46%) of IT security professionals rarely change their security strategy substantially, even after experiencing a cyber attack, according to a CyberArk-commissioned poll of 1,300 IT security decision makers, developers and line of business owners in seven countries.
This level of cyber security inertia and failure to learn from past incidents puts sensitive data, infrastructure and assets at risk, the CyberArk report said.
The survey also revealed that while 89% of IT security professionals believe securing an environment starts with protecting privileged accounts and more than four in 10 cite it as a top security risk, more than a quarter (28%) are not putting this knowledge into action.
Respondents said the greatest cyber security threats they currently face are targeted phishing attacks (56%), insider threats (51%), ransomware or other malware (48%), unsecured privileged accounts (42%), and unsecured data stored in the cloud (41%).
Demands for flexibility
The proportion of users who have local administrative privileges on their endpoint devices increased from 62% in 2016 to 87% in 2018, a 25% increase the report said could indicate that employee demands for flexibility have been allowed to trump security best practices.
The survey findings suggest security inertia has infiltrated many organisations, with an inability to repel or contain cyber threats and the resultant impact on the business.
This inertia is reflected in the fact that 46% of respondents said their organisation cannot prevent attackers from breaking into internal networks every time it is attempted, 36% said that administrative credentials are stored in Word or Excel documents on company PCs, and half admitted their customers’ privacy or PII (personally identifiable information) could be at risk because their data is not secured beyond the legally-required basics.
The report notes that the automated processes inherent in cloud and DevOps mean that privileged accounts, credentials and secrets are being created at a prolific rate. If compromised, the report said these can give attackers a crucial jumping-off point to achieve lateral access to sensitive data across networks, data and applications or to use cloud infrastructure for illicit crypto mining activities.
The survey shows that while organisations increasingly recognise this security risk, they still have a relaxed approach towards cloud security, with half of organisations polled having no privileged account security strategy for the cloud and more than two-thirds (68%) relying on built-in security capabilities.
While cloud adoption has increased dramatically in recent years, the report said there is still a limited understanding of the challenges of securing cloud workloads in IaaS (infrastructure as a service) and PaaS (platform as a service) environments.
“There are still gaps in the understanding of who is responsible for security in the cloud, even though the public cloud suppliers are very clear that the enterprise is responsible for securing cloud workloads. Additionally, few understand the full impact of the unsecured secrets that proliferate in dynamic cloud environments and automated processes,” the report said.
Overcoming cyber security inertia, the report said, requires cyber security to become central to organisational strategy and behaviour, not something that is dictated by competing commercial needs.
According to the survey, 86% of IT security professionals feel security should be a regular board-level discussion topic, and 44% said they recognise or reward employees who help prevent an IT security breach, increasing to nearly three quarters (74%) in the US.
However, only 8% of companies continuously perform red team exercises to uncover critical vulnerabilities and identify effective responses. Investing in regular red team exercises could help determine where to focus efforts and prioritise risk reduction, the report said.
Treating the risk with urgency
Rich Turner, European vice-president at CyberArk, said cyber attackers are often able to penetrate traditional perimeter defences when targeting organisations that have not moved with the times.