Cyber debt levels reach tipping point

The tension between difficult economic conditions and the pace of technology innovation, including the evolution of AI, is influencing the growth of identity-led cybersecurity exposure, according to CyberArk.

The CyberArk’s report details how these issues – allied to an expected 240% growth in human and machine identities – have the potential to result in a compounding of ‘cyber debt’: where investment in digital and cloud initiatives outpaces cybersecurity spend, creating a rapidly expanding and unsecured identity-centric attack surface.

Cyber debt levels

In 2022 organizations experienced growing cyber debt, where security spend over the pandemic period lagged investment in broader digital business initiatives. In 2023, cyber debt levels are at risk of compounding, driven by an economic squeeze, elevated levels of staff turnover, a consumer spend downturn and an uncertain global environment.

With investment in digital and cloud initiatives still ongoing as business leaders seek to unlock greater efficiencies and innovation, these factors have had knock-on effects to cybersecurity.

99% expect identity-related compromise this year, stemming from economic-driven cutbacks, geopolitical factors, cloud adoption and hybrid working. 58% say this will happen as part of a digital transformation initiative such as cloud adoption or legacy app migration.

Fueling a new wave of insider threat concerns from – for example – disgruntled ex-staffers or exploitable leftover credentials, over two-thirds (68%) of organizations expect employee churn-driven cyber issues in 2023.

Organizations will deploy 68% more SaaS tools in the next 12 months vs. what they have now. Large proportions of human and machine identities have access to sensitive data via SaaS tools and if not secured properly can be a gateway for attack.

Identity and cybersecurity concerns in 2023

93% of security professionals surveyed expect AI-enabled threats to affect their organization in 2023, with AI-powered malware cited as the #1 concern.

Nearly nine in 10 of the organizations surveyed experienced ransomware attacks in the past year, and 60% of affected organizations reported paying-up twice or more to allow recovery, signaling that they were likely victims of double extortion campaigns.

67% of energy, oil and gas companies expect they would not be able to stop – or even detect – an attack stemming from their software supply chain (versus 59% for all organizations). Most respondents from this vertical (69%) also admit they hadn’t attempted to mitigate this through implementing better security in the last 12 months.

Critical areas of the IT environment

Identities – both human and machine – are at the heart of all, or nearly all, attacks. Nearly half of identities require sensitive access to perform their roles and are a favored attack vector as a result. The report found that critical areas of the IT environment are inadequately protected and identifies the identity types that represent significant risk.

• 63% say highest-sensitivity employee access is not adequately secured and greater numbers of machines have sensitive access than humans (45% vs. 38%).
• Credential access remains the #1 risk for respondents (cited by 35%), followed by defense evasion (31%), execution (28%), initial access (28%) and privilege escalation (27%).
• Business critical applications e.g., revenue-generating customer-facing applications, enterprise resource planning (ERP) and financial management software – were named as the area of greatest risk due to the unknown and unmanaged identities that access them. Only 46% have identity security controls in place to secure business-critical apps.
• Third parties – partners, consultants and services providers – cited as #1 riskiest human identity type.
• 69% say robotic process automation (RPA) and bot deployments are being slowed due to security concerns.

“The organizational desire to drive ever-greater business efficiencies and innovation remains undiminished, even as cutbacks in staffing and macro-economic forces are creating significant pressures,” said Matt Cohen, CEO, CyberArk.

“Business transformation, driven by digital and cloud initiatives, continues to result in a surge in new enterprise identities. While attackers are constantly innovating, compromising identities remains the most effective way to circumvent cyber defenses and access sensitive data and assets. Such profound risk puts the issue of “who and what to trust” at the forefront of efforts to prevent cyber debt from compounding, and to build long-term cyber resilience,” concluded Cohen.

What steps can be taken?

Zero trust alignment: Identity security is critical for a robust zero trust implementation. Respondents said that identity management (79%) and endpoint security/device trust (78%) are “critical” or “important” to supporting zero trust.

Strategies to secure sensitive access: The top three measures to improve identity security that organizations plan on introducing in 2023: Just-In-Time access (cited by 32% of respondents); adopting least privilege principles to secure business-critical applications (32%); and automatic provisioning and de-provisioning of access (31%).

Consolidate with trusted partners: 51% will look to trusted cybersecurity partners to help forecast and design solutions for future cyber risk in 2023.