5 minute read
Research highlights IT security teams are ‘running to keep up’
New global research reveals 84 percent of organisations – more in New Zealand, Australia, Singapore and Malaysia – experienced an identity-related security breach in the past 18 months.
According to the research, three quarters of organisations will fall short of protecting privileged identities because they won’t get the support they need, and that identity security is a priority for security teams, but 63 percent believe it is not well understood by executive leaders
Delinea, a leading provider of Privileged Access Management (PAM) solutions announced on 27 July findings from a global survey of 2,100 IT Security Decision Makers (ITSDMs).
The survey found that 60 percent of respondents believe their overall security strategy does not keep pace with the threat landscape, and that they are either lagging behind (20 percent), treading water (13 percent), or merely running to keep up (27 percent).
Delinea conducted its research during June 2022 to understand what IT security leaders are doing to reduce the risk of a privileged account or identity-based attack. An online survey of IT and security professionals in 23 countries – including New Zealand, Australia, Singapore and Malaysia –polled attitudes towards identity security and the protection of privileged identities.
The report also highlights differences between the perceived and actual effectiveness of security strategies. While 40 percent of global respondents believe they have the right strategy in place, 84 percent of organisations reported that they have experienced an identity-related breach or an attack using stolen credentials during the previous year and a half.
In New Zealand and Australia, only 33 percent of respondents believe they have the right strategy in place, with 96 percent having experienced a breach or attack. In Singapore and Malaysia, on the other hand, 47 percent believe they have the right strategy in place, even though 88 percent had experienced a breach or attack.
Identity security is a priority, yet board buy-in is critical
Promisingly, many organisations are hungry to make a change, particularly when it comes to protecting identities. In fact, 90 percent of respondents state that their organisations fully recognise the importance of identity security in enabling them to achieve their business goals, and 87 percent say that it is one of the most important security priorities for the next 12 months.
However, three quarters (75 percent) of IT and security professionals also believe that they’ll fall short of protecting privileged identities because they won’t get the support they need. This is largely due to a lack of budget and executive alignment, with 63 percent of global respondents saying that their company’s board still doesn’t fully understand identity security and the role it plays in enabling better business operations.
In New Zealand and Australia, 81 percent say their board doesn’t fully understand identity security; in Singapore and Malaysia, the proportion is 70 percent.
“While the importance of identity security is acknowledged by business leaders, most security teams will not receive the backing and budget they need to put vital security controls and solutions in place to reduce major risks,” said Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea.
“This means that the majority of organisations will continue to fall short of protecting privileges, leaving them vulnerable to cybercriminals looking to discover privileged accounts and abuse them.”
Lack of policies puts machine identities at great risk
The research reveals that, despite good intentions, companies have a long way to go to protect privileged identities and access. Less than half of the organisations surveyed have implemented ongoing security policies and processes for privileged access management, such as password rotation or approvals, time-based or contextbased security, or privileged behaviour monitoring such as recording and auditing.
Even more worryingly, more than half (52 percent) of all respondents allow privileged users to access sensitive systems and data without requiring multi-factor authentication (MFA).
The report brings to light another dangerous oversight. Privileged identities include humans, such as domain and local administrators, as well as non-humans, such as service accounts, application accounts, code, and other types of machine identities that connect and share privileged information automatically. However, only 44 percent of organisations manage and secure machine identities, while the majority leave them exposed and vulnerable to attack.
“Cyber criminals look for the weakest link and overlooking ‘non-human’ identities – particularly when these are growing at a faster pace than human users – greatly increases the risk of privilegebased identity attacks,” Carson added.
“When attackers target machine and application identities they can easily hide, moving around the network to determine the best place to strike and cause the most damage. Organisations need to ensure machine identities are included in their security strategies and follow best practices when it comes to protecting all their IT ‘superuser’ accounts which, if compromised, could bring the entire business to a halt.”
For more information, insights and guidance, download a complimentary copy of the full report at: https:// delinea.com/resources/benchmarkingsecurity-gaps-and-privileged-access
