After a Cyber Attack: Do Companies Change?
Nearly 50 percent of organizations fail to make substantive changes to their security strategy following a cyber attack, a new survey of security professionals has found. Blame “cyber security inertia,” said CyberArk in its new Global Advanced Threat Landscape Report 2018.
CyberArk isn’t just calling out the hands-off approach but also labeling it as a failure to learn from past attacks that makes protecting sensitive data, infrastructure and assets more problematic. What’s passivity in the best case and neglect in the worst reflects a lack of understanding that the expanding privileged account security attack surface puts an organization at risk, the enterprise security provider said.
It would be bad enough if cyber inertia was isolated to a few organizations but it’s widespread, CyberArk said. When combined with other findings the study produced, the negative impact of cyber inertia to a company’s overall security posture can be lethal. Specific security weaknesses the study uncovered include:
- 46 percent of organization say they can’t prevent attackers from breaking into internal networks each time it is attempted.
- 36 percent report that administrative credentials were stored in Word or Excel documents on company PCs.
- 50 percent admit that their customers’ privacy or personally identifiable information could be at risk because their data is not secured beyond the legally-required basics.
“Attackers continue to evolve their tactics, but organizations are faced with cyber security inertia that is tipping the scales in favor of the attacker,” said Adam Bosnian, CyberArk’s global business development executive vice president.
Perhaps the most important data the study produced related to securing privileged accounts, with 89 percent of the study’s respondents indicating that IT infrastructure and critical data are not fully protected unless privileged accounts, credentials and secrets are secured. As a case in point, CyberArk pointed to automated processes inherent in the cloud and DevOps. If privileged accounts, credentials and secrets are compromised, attackers can gain a crucial “jumping-off point” to access sensitive data across networks, data and applications, CyberArk said.
While organizations have increasingly recognized the privileged accounts risk, many still have not with done so cloud security. For example, 49 percent of the survey respondents have no privileged account security strategy for the cloud, 68 percent defer on cloud security to their vendor, relying on built-in security capabilities, and 38 percent said their cloud provider doesn’t deliver adequate protection.
How can companies overcome cyber security inertia? Look to recasting an organizational strategy and adopt behaviors that aren’t influenced by the competitive landscape. Toward that end, the study’s data provides some direction:
- 86 percent of IT security pros believe security should be a regular board-level topic.
- 44 percent said they recognize or reward employees who help prevent an IT security breach, increasing to 74 percent in the U.S.
- Only eight percent of companies continuously perform Red Team exercises to uncover critical vulnerabilities and identify effective responses.
“There needs to be a greater urgency in building cyber security resilience to today’s attacks,” said Bosnian. “This starts by understanding the expanding privileged account security attack surface and how it puts an organization at risk. Successfully battling inertia requires strong leadership, accountability, clearly defined and communicated security strategies, and the ability to adopt a ‘think like an attacker’ mindset.”
About the study itself, it is CyberArk’s 11th in the series, involving 1,300 IT security decision makers, DevOps and app developer pros and line of business owners in seven countries worldwide. Those respondents listed the primary cyber security threats they face (in descending order):
- Targeted phishing attacks: 56 percent.
- Insider threats: 51 percent.
- Ransomware or malware: 48 percent.
- Unsecured privileged accounts: 42 percent.
- Unsecured data stored in the cloud: 41 percent.
- Proportion of users with local administrative privileges on their endpoint devices: 87 percent, up 25 percent from the 62 percent recorded in CyberArk’s 2016 survey.