Address Cybersecurity Debt Before It’s Too Late!

Vincent Goh, Senior Vice President, APJ, CyberArk

The pandemic has resulted in the acceleration of digitalisation in many countries in the Asia Pacific region. Employees of organisations today are using more devices and applications, relying on collaboration tools over multiple cloud platforms to keep business operations running locally and across geographical boundaries. This has resulted in an explosion in both human and non-human identities that when not managed adequately, provide attackers with the opportunity to strike.  

The increasing pervasiveness of hybrid work arrangements has also further increased the attack surface for cybercriminals, leaving IT teams with the task of securing more digital identities that are spread across different networks. Therefore, as many organisations embark on awareness and security-building initiatives, they must consider framing the growing digital identity problem in terms of “debt” — a concept that’s as universally understood as it is dreaded.

Whether it’s splurging on a big vacation, buying a new home or launching a new interactive app for your customers, you take on debt to get something you need (or want) today by deferring “payment” until tomorrow. 

Cybersecurity debt is a type of technical debt — a term first introduced by computer programmer Ward Cunningham to explain the future cost of reworking a solution that wasn’t completely or properly designed from the start. Cybersecurity debt specifically refers to the unaddressed security vulnerabilities that accumulate in an organisation’s IT environment as new systems and technologies are added over time. 

When cybersecurity debt isn’t paid off promptly, “interest” can quickly build, making it difficult and costly to repair those shortcuts down the road. Getting bogged down in cybersecurity debt ultimately leaves fewer dedicated resources for sustaining a productive and efficient business.

The Enterprise Digital Transformation Trade-Off

According to the CyberArk 2022 Identity Security Threat Landscape Report, many organisations are heading deeper into cybersecurity debt by prioritising digital initiatives, such as accelerating cloud migration, developing new digital services and supporting work from anywhere models, while putting off identity-focused security protections. In fact, with volatility remaining a major business concern, nearly every surveyed organisation (99%) accelerated a business or IT initiative within the past 12 months in the push for continued resiliency and competitive differentiation amidst Covid-19 restrictions.

Digitalisation brings both new opportunities and cybersecurity vulnerabilities. Transformative projects are rarely achieved without making waves, especially when it comes to large-scale technology initiatives. Each initiative often creates a massive swathe of new interconnected digital identities that contain the credentials of the human or machine linked to it. Think of personal information in banking applications or the multiple login details you have to remember when accessing your organisation’s software applications. These digital identities are used to facilitate interactions and broker access, often to sensitive corporate data and assets required to perform a job or function.

A High-Interest Digital Identity Debt Dilemma

The increase in the number of connected devices brought about by digital adoption, brings along a set of challenges. Last year, a report by the Cyber Security Agency of Singapore (CSA) revealed that malware-laced devices almost tripled from 2019 to 2020. The results indicate that while businesses were migrating online, cybersecurity best practices were not carried out efficiently, accumulating ‘debt’.

It takes just one compromised identity for a threat actor or malicious insider to launch an attack and start escalating privileges to move deeper into an environment in search of valuable assets. This is likely why respondents ranked credential access as their number one area of risk. Yet 79% said their organisation hasn’t prioritised the protection of critical data and assets. Instead, they’re moving full steam ahead with initiatives respondents said could introduce significant risk. This dissonance has created substantial cybersecurity debt that continues to mount as “interest” accumulates in the form of new unmanaged identities across every major IT infrastructure component.

Avoiding the debt trap

As in one’s personal lives, a certain level of debt is sometimes necessary. If your car dies and you need one to get to and from work, you may be forced to take out a loan for a new car. Likewise, many organisations had no choice but to fast-track projects that could keep operations running amid pandemic-driven challenges, making some security trade-offs along the way.

The key now is to tackle this debt responsibly before balances become too unwieldy, or worse, organisations face “bankruptcy” for failing to evolve at the rate of technology change due to poor security decisions.

The good news is, some organisations are committed to turning things around. Notably, almost all respondents of the survey are embracing Zero Trust cybersecurity models of “trust nothing; verify everything”, with half (50%) prioritizing the implementation of Identity Security tools as one of their top three initiatives to pave the way.

And in the face of continued ransomware attacks and other emerging threats, organisations are approaching cybersecurity debt and risk reduction efforts more holistically by emphasising important technical controls such as multi-factor authentication (MFA) and least privileged access as well as implementing people-centric initiatives such as security awareness training to encourage security-conscious behaviour to become part of the organisational DNA. 

Digging out of cybersecurity debt takes time and for many organisations, there’s much work to be done. Creating a risk-based plan can help businesses identify ways to make quick, high-return “payments” and then follow a feasible timeline for reducing the remaining cybersecurity debt. With a solid identity-centric risk plan in place, organisations can effectively strengthen defences against emerging threats while advancing key initiatives to propel their businesses forward.