A new report by a privileged access management firm (PAM) warns that IT security is worsening as corporations remain bogged down on deciding what to do and what it will cost.
Delinea, formerly Thycotic and Centrify, on Tuesday released the research based on 2,100 security decision-makers internationally, revealing that 84% of organizations experienced an identity-related security breach in the past 18 months.
This revelation comes as enterprises continue to grapple with expanding entry points and more persistent and advanced attack methods from cybercriminals. It also highlights differences between the perceived and actual effectiveness of security strategies. Despite the high percentage of admitted breaches, 40% of respondents believe they have the right strategy in place.
Numerous studies found credentials are the most common attack vector. Delinea wanted to know what IT security leaders are doing to reduce the risk of an attack. The study focused on learning about organizations’ adoption of privileged access management as a security strategy.
Key findings of the report include:
- 60% of IT security decision-makers are held back from delivering on IT security strategy due to a host of concerns;
- Identity security is a priority for security teams, but 63% believe it is not understood by executive leaders;
- 75% of organizations will fall short of protecting privileged identities because they refuse to get the support they need.
ID Security a Priority, But Board Buy-in Critical
Lagging corporate commitment to actually take action is the growing policy many executives seem to be following regarding IT efforts to provide better breach prevention.
Many organizations are hungry to make a change, but three quarters (75%) of IT and security professionals believe those promises of change will fail to protect privileged identities due to corporate lack of support, according to researchers.
The report notes that 90% of respondents said their organizations fully recognize the importance of identity security in enabling them to achieve their business goals. Almost the same percentage (87%) said it is one of the most important security priorities for the next 12 months.
However, a lack of budget commitment and executive alignment resulted in a continuing stall on improving IT defenses. Some 63% of respondents said that their company’s board still does not fully understand identity security and the role it plays in enabling better business operations.
“While the importance of identity security is acknowledged by business leaders, most security teams will not receive the backing and budget they need to put vital security controls and solutions in place to reduce major risks,” said Joseph Carson, chief security scientist and advisory CISO at Delinea.
“This means that the majority of organizations will continue to fall short of protecting privileges, leaving them vulnerable to cybercriminals looking to discover privileged accounts and abuse them,” he added.
Lacking Policies Puts Machine IDs at Great Risk
Companies have a long road ahead to protect privileged identities and access, despite corporate leaders’ good intentions. Less than half (44%) of the organizations surveyed have implemented ongoing security policies and processes for privileged access management, according to the report.
These missing security protections include password rotation or approvals, time-based or context-based security, and privileged behavior monitoring such as recording and auditing. Even more worryingly, more than half (52%) of all respondents allow privileged users to access sensitive systems and data without requiring multifactor authentication (MFA).
The research brings to light another dangerous oversight. Privileged identities include humans, such as domain and local administrators. It also includes non-humans, such as service accounts, application accounts, code, and other types of machine identities that connect and share privileged information automatically.
However, only 44% of organizations manage and secure machine identities. The majority leave them exposed and vulnerable to attack.
Source: Delinea global survey of cybersecurity leaders
Cybercriminals look for the weakest link, noted Carson. Overlooking ‘non-human’ identities — particularly when these are growing at a faster pace than human users — greatly increases the risk of privilege-based identity attacks.
“When attackers target machine and application identities, they can easily hide,” he told TechNewsWorld.
They move around the network to determine the best place to strike and cause the most damage. Organizations need to ensure machine identities are included in their security strategies and follow best practices when it comes to protecting all their IT ‘superuser’ accounts which, if compromised, could bring the entire business to a halt, he advised.
Security Gap Growing Bigger
Perhaps the most important finding from this latest research is that the security gap continues to get larger. Many organizations are on the right path to securing and reducing cyber risks to the business. They face the challenge that large security gaps still exist for attackers to gain an advantage. This includes securing privileged identities.
An attacker only needs to find one privileged account. When businesses still have many privileged identities left unprotected, such as application and machine identities, attackers will continue to exploit and impact businesses’ operations in return for a ransom payment.
The good news is that organizations realize the high priority of protecting privileged identities. The sad news is that many privileged identities are still exposed as it is not enough just to secure human privileged identities, Carson explained.
The security gap is not only increasing between the business and attackers but also the security gap between the IT Leaders and the business executives. While in some industries this is improving, the issue still exists.
“Until we solve the challenge on how to communicate the importance of cybersecurity to the executive board and business, IT leaders will continue to struggle to get the needed resources and budget to close the security gap,” he warned.
One of the main challenges for securing identities is that mobility and cloud environment identities are everywhere. This increases the complexity of securing identities, according to Carson.
Businesses still attempt trying to secure them with the existing security technologies they already have today. But this results in many security gaps and limitations. Some businesses even fall short by trying to checkbox security identities with simple password managers, he said.
“However, this still means relying on business users to make good security decisions. To secure identities, you must first have a good strategy and plan in place. This means understanding the types of privileged identities that exist in the business and using security technology that is designed to discover and protect them,” he concluded.