CyberArk Singapore report: most organisations prioritised business operations over cyber security

Almost eighty percent of local organisations surveyed have experienced ransomware attacks in the past year: two each on average

  • Machine identities now outnumber human identities by a factor of 27
  • Seventy percent of local security leaders admit their organisation cannot stop a supply chain-related attack

A new global report released today by CyberArk (NASDAQ: CYBR) shows that 82% of Singapore senior security professionals state that cybersecurity has taken a back seat in the last year in favour of accelerating other digital business initiatives. The CyberArk 2022 Identity Security Threat Landscape Report identifies how the rise of human and machine identities – often running into the hundreds of thousands per organisation – has driven a buildup of identity-related cybersecurity “debt”, exposing organisations to greater cybersecurity risk.

A Growing Identities Problem

Every major IT or digital initiative results in increasing interactions between people, applications and processes, creating large numbers of digital identities. If these digital identities go unmanaged and unsecured, they can represent significant cybersecurity risk:

  • Seventy-four percent of non-humans or bots have access to sensitive data and assets.
  • The average staff member has more than 28 digital identities.
  • Machine identities now outnumber human identities by a factor of 27 on average.
  • Eighty-nine percent of local respondents store secrets in multiple places across DevOps environments, while eighty-seven percent say developers typically have more privileges than necessary for their roles.

The 2022 Attack Surface

Secular trends of digital transformation, cloud migration and attacker innovation are expanding the attack surface. The report delves into the prevalence and type of cyber threats facing security teams and areas where they see elevated risk:  

  • Credential access was the number one area of risk for respondents (at 43%), followed by defence evasion (41%), persistence (33%), privilege escalation (32%) and execution (31%).
  • Almost eighty percent of local organisations surveyed have experienced ransomware attacks in the past year: two each on average.
  • Seventy-eight percent of local respondents indicated that their organisation is susceptible to carefully crafted attacks such as a tailored phishing email to an individual with high levels of access.
  • Sixty-nine percent have done nothing to secure their software supply chain since the SolarWinds attack, and most (70%) admit that a compromise of a software supplier would mean an attack on their organisation could not be stopped.

Unsecured And Unmanaged Identities Create Cybersecurity Debt

Security professionals agree that recent organisation-wide digital initiatives have come at a price. This price is Cybersecurity Debt: security programs and tools that have grown but not kept pace with what organisations have put in place to drive operations and support growth. This debt has arisen through not properly managing and securing access to sensitive data and assets, and a lack of Identity Security controls is driving up risk and creating consequences.

The debt is compounded by the recent rise in geopolitical tensions, which have already had a direct impact on critical infrastructure, highlighting the need for heightened awareness of the physical consequences of cyber attacks:

  • Eighty-two percent agree that their organisation prioritised maintaining business operations over ensuring robust cyber security in the last 12 months.
  • Less than half (46%) have Identity Security controls in place for their business-critical applications.

Udi Mokady, founder, chairman and CEO, CyberArk: “The past few years have seen spending on digital transformation projects skyrocket to meet the demands of changed customer and workforce requirements.  The combination of an expanding attack surface, rising numbers of identities, and behind-the-curve investment in cybersecurity – what we call Cybersecurity Debt – is exposing organisations to even greater risk, which is already elevated by ransomware threats and vulnerabilities across the software supply chain. This threat environment requires a security-first approach to protecting identities, one capable of outpacing attacker innovation.”

Teck Wee Lim, Head of ASEAN, CyberArk: “Even as warnings of cyber threats such as ransomware and supply chain perpetuate the news, our research has shown that cybersecurity is not a top focus for many organisations. As Singapore eases its Covid-19 restrictions and resumes more economic and social activities, organisations here need to further enhance their cyber resiliency by adopting proactive cybersecurity strategies such as Identity Security controls based on Zero Trust principles to ensure that both human and machine identities are protected.”

What Can Be Done?

  • Push for Transparency: 89% say that a Software Bill of Materials would reduce the risk of compromise stemming from the software supply chain.
  • Introduce Strategies to Manage Sensitive Access: The top three measures that most CIOs and CISOs questioned in the survey have introduced (or plan to introduce) are: least privilege security / Zero Trust principles on infrastructure that runs business-critical applications (64%); eliminating embedded credentials in order to secure passwords, secrets and other credentials used by applications, machines and scripts (64%); and real-time monitoring and analysis to audit all privileged session activity (59%).
  • Prioritise Identity Security Controls to Enforce Zero Trust Principles: The top three strategic initiatives to reinforce Zero Trust principles are: workload security; Identity Security tools; and data security.