IT security professionals rarely change strategies, says report

According to the CyberArk Global Advanced Threat Landscape Report 2018, 46% of IT security professionals stated they rarely change their security strategy substantially – even after experiencing a cyber attack. This level of cyber security inertia and failure to learn from past incidents puts sensitive data, infrastructure and assets at risk.

An overwhelming number of IT security professionals believe securing an environment starts with protecting privileged accounts – 89% stated that IT infrastructure and critical data are not fully protected unless privileged accounts, credentials and secrets are secured.

IT security respondents also indicated that the proportion of users who have local administrative privileges on their endpoint devices increased from 62% in our 2016 survey to 87% in 2018 — a 25% jump and perhaps indicative of employee demands for flexibility trumping security best practices.

Legally-required basics

The survey findings suggest that security inertia has infiltrated many organisations. An inability to repel or contain cyber threats, and the risks that this might result in, is supported by other findings:

• 46% say their organisation can’t prevent attackers from breaking into internal networks each time it is attempted
• 36% report that administrative credentials were stored in Word or Excel documents on company PCs
• 50% admit that their customers’ privacy or PII (personally identifiable information) could be at risk because their data is not secured beyond the legally-required basics.

The automated processes inherent in cloud and DevOps mean privileged accounts, credentials and secrets are being created at a prolific rate. If compromised, these can give attackers a crucial jumping-off point to achieve lateral access to sensitive data across networks, data and applications or to use cloud infrastructure for illicit crypto mining activities. Organisations increasingly recognise this security risk, but still have a relaxed approach toward cloud security.

Built-in security capabilities

The survey found that:

• Nearly 50% of organisations have no privileged account security strategy for the cloud
• More than 68% defer on cloud security to their vendor, relying on built-in security capabilities
• 38% stated their cloud provider doesn’t deliver adequate protection

Overcoming cyber security inertia requires security to become central to organisational strategy and behaviour, not something that is dictated by competing commercial needs. According to the survey:

• 86% of IT security professionals feel security should be a regular board-level discussion topic
• 44% said they recognise or reward employees who help prevent an IT security breach, increasing to nearly 74% in the USA
• Just 8% of companies continuously perform Red Team exercises to uncover critical vulnerabilities and identify effective responses.

Today’s attacks

Matthew Brazier, regional director at CyberArk, said: “Attackers are constantly evolving their tactics, but by rarely changing their security strategy to keep up, organisations are making the attackers’ jobs that much easier.

“Organisations need to be more proactive in securing themselves against today’s attacks. This requires understanding the growing privileged account security attack surface and how it puts companies at risk. Strong leadership and accountability are required to overcome this inertia, as well as a clearly communicated security strategy that takes into account the attacker’s mindset.”

The survey was conducted by Vanson Bourne among 1,300 IT security decision makers, DevOps and app developer professionals and line of business owners, across seven countries worldwide.

Written from press release by Leah Alger