The explosion of digital identities and the growth in cyber debt

Digital innovation and cyber crime have both escalated worldwide over the past two years. You could certainly say they are mutually inclusive, as the need for businesses to innovate and transform quickly to maintain their competitive edge and growth trajectory has opened up new gaps for cyber security threats to make way into their systems.

Not only has the pressure to stay relevant created the perfect environment for cyber attacks to strike, but every major organisational IT initiative has resulted in the growth in digital interactions between people, applications, and processes. Be it human or machine, each of these connections creates a digital identity, resulting in each organisation having as many as hundreds of thousands of identities, and these figures are set to grow.

The existence of more digital identities wouldn’t be a cause for concern, but the issue is that organisations haven’t always adequately secured these identities.

That makes determining identity security with privilege in mind the new battleground and it needs to be managed centrally to get visibility and manage cyber risk across all parts of the business, to avoid the creation of another business cost: the build-up of cyber security debt.

CyberArk’s recently released 2022 Identity Security Threat Landscape Report found that many organisations are heading deeper into cyber security debt by prioritising digital initiatives while putting off identity-focused security protections. In fact, over the past year, 70 per cent of organisations have experienced ransomware attacks, with an average of two per company, while 71 per cent suffered a software supply chain attack that resulted in data loss or a compromise of assets.

Even though businesses have had to be reactive in the last few years, now that we’re in this “new or next normal” phase, they must take stock of and respond to growing levels of identity-related cyber security debt. The rise in crime and the new cyber security and data privacy laws are already enabling a shift in focus back to addressing these vulnerabilities, encouraging businesses to be proactive about improving their security measures to mitigate cyber security debt and protect their data more closely. But there’s more work to be done.

Cyber security debt from digital identities

Cyber security debt simply means security programs and tools don’t keep pace with digital initiatives, exposing the business to increased security risks.

VIEW ALL

It is critical that the new human and machine identities being created are being managed and secured correctly. This is because most of these identities, according to our research, access sensitive data and assets to perform their roles.

Humans aren’t the only target for attackers seeking to compromise credentials as their easiest pathway to an organisation’s critical data and assets, since the average staff member has more than 30 digital identities, and over half have some kind of sensitive access. However, software bots – little pieces of code that do repetitive tasks – exist in huge numbers across the average global organisation – and have become an enticing new target.

The Identity Security Threat Landscape Report showed that machine identities now outweigh human identities by 45 times on average, and their credentials are mostly not adequately protected, further driving up security concerns.

Attackers specifically go after bots because they know that their passwords are not being rotated in many cases. They also know that bots are generally over-permissioned, with more access than they need, and not monitored as human identities are for anomalies. A compromised bot allows an attacker to maintain access and stay there undetected. Even today, we still see bots that backup all servers or domain admin accounts.

In some cases, these bots are still using default passwords. A compromise here becomes a “game over” situation for the targeted organisation.

And yet, less than half of organisations currently have identity security controls in place for their business-critical applications, or their cloud services, while the vast majority have secrets and credentials scattered throughout their DevOps environment. Unsecured, unmanaged credentials are exactly what attackers target. So, while security teams struggle to keep up with the speed of digital acceleration in the business, vulnerabilities grow in tandem with the rise of digital identities.

Managing the risks

There’s no magic spell to counteract cyber security debt caused by digital acceleration. However, simple steps can help improve the management of security. For example, organisations can consider centralising its password management, for both humans and machines, and pair this with a “zero trust” approach.

Zero trust demands that any person or machine trying to connect to an organisation’s system must first be verified before access is granted. This means extending a “never trust; always verify” thinking and protections across the IT environment, from business applications and distributed workforces to hybrid cloud workloads and throughout the DevOps lifecycle.

Reducing cyber security debt takes time, but it has now become a necessity that, if not dealt with, would otherwise continue to leave a door wide open for cyber criminals to simply walk through and expose the business to further risks.

Thomas Fikentscher is the regional director ANZ at CyberArk.