CyberArk Survey Surfaces Identity Security Challenges

A global survey of 2,300 security decision-makers published today by CyberArk, a provider of a privileged access management (PAM) platform, finds that while there is a much greater appreciation for the need to secure identities, most organizations are encountering major challenges securing them.

Macroeconomic changes resulting in layoffs coupled with digital transformation initiatives and a general lack of visibility are the root causes of challenges that span everything from securing software-as-a-service (SaaS) applications and locking down software supply chains to potential artificial intelligence (AI) threats, the CyberArk survey found.

More than two-thirds (68%) of respondents, for example, expected layoffs and workforce churn to create new security issues. Nearly three-quarters (74%) are concerned about losing confidential information because of insider threats. More than two-thirds (68%) added layoffs and higher levels of employee churn will create new security issues, with 58% noting there are instances of exiting users saving sensitive or confidential work documents outside of policy.

Proliferation of SaaS applications, meanwhile, further complicates cybersecurity. Survey respondents said that their organizations use 75 SaaS applications, on average, today. In the next 12 months, respondents expected this number to increase by 68%. A total of 42% said business-critical applications top their list of at-risk systems, with 89% reporting their organization was targeted by at least one ransomware attack in the last 12 months.

At the same time, there are 45 machine identities for every human identity. Respondents said that nearly half (45%) of these machine identities have access to sensitive data. Nearly two-thirds (65%) either took steps to protect machine identities last year or planned to do so in the next 12 months. A total of 42% noted that managing and securing both human and machine identity types is equally difficult.

A full 93% also expected AI to have a negative cybersecurity impact in 2023, with 62% reporting employees are using unapproved AI-enabled tools that can increase security risk. Conversely, almost all respondents (98%) also noted their organization is using AI in some capacity to improve security.

Andy Thompson, offensive cybersecurity research evangelist for CyberArk, said these issues—combined with existing cybersecurity technical debt that has built up over the years—all conspired to make securing identities exceedingly difficult. This is especially concerning, as identities are often the targets of widespread phishing attacks.

Overall, 63% admitted that the highest-sensitivity access for employees in their organization is not adequately secured today. In addition, 75% noted they faced significant levels of risk from applications that only support password-based authentication. In the wake of several password manager breaches, a full 85% are growing increasingly concerned about the risk of security incidents involving standalone password managers, with 87% planning to explore enterprise-focused alternatives in the next 12 months.

The challenges cybersecurity teams face are further exacerbated by skills shortages and the tools made available (or lack thereof). One-third (33%) of respondents noted that cybersecurity skills gaps hindered security defenses, with 62% reporting security teams operated with limited visibility across their environment. More than two-thirds (67%) are using tools from up to 40 different identity security vendors, with 42% intending to consolidate cybersecurity efforts in 2023.

Well over half (59%) also conceded they would not be able to protect against an attack stemming from a successful compromise of a software supply chain provider. More than half (56%) also admitted their organizations have not taken further steps to secure their software supply chain in the last year, as they are still in the designing or refining stage of adopting DevSecOps best practices. More than three-quarters (77%) said developers have too many privileges, with 38% reporting application development is where unknown, unmanaged identities create the most risk.

Less than half of respondents (47%) are evaluating business risk when evaluating assets, the survey also found. On the plus side, identity management (79%) and endpoint security/device trust (78%) are “critical” or “important” to supporting zero-trust IT initiatives, the survey found. Zero-trust efforts include:

• Least-privilege access on infrastructure that runs business-critical applications (31% did so in 2022, 32% plan to in 2023)

• Just-in-time access for operations that don’t require credentials with 24/7 access permissions (32% in 2022 and 32% in 2023)

• Local admin removal on endpoints to prevent privilege escalation (32% in 2022 and 28% in 2023) and block ransomware and other threats

• Standing access removal across third-party vendors (29% in 2022 and 28% in 2023) and in public cloud environments (29% in 2022 and 28% in 2023).

The CyberArk survey makes it clear the transition to zero-trust IT is still in its early stages, and there is much work yet to done. However, despite all the challenges, there is significant progress being made.