A new survey suggests that while security awareness is improving, security preparedness is not keeping pace. The associated report, CyberArk’s Global Advanced Threat Landscape 2016, “juxtaposes rising confidence in cyber security strategies and leadership, with poor IT security habits that persist across the enterprise in critical areas such as privileged account security, third-party vendor access and cloud.”
The survey was undertaken by Vanson Bourne for CyberArk. It questioned 750 IT and security decision makers from eight countries across North America, EMEA and APAC; and the results, suggests CyberArk, are that while business is listening to the lessons of history, it is not necessarily applying the correct response.
Seventy-nine percent of the respondents claim to have learned lessons from major publicized breaches. Twenty-five percent of these have improved malware detection, 24% have improved endpoint security, and 16% have invested in security analytics as a direct result of these lessons. Nevertheless, 40% still store privileged and/or admin passwords in a Word document or spreadsheet on a company PC/laptop, and 28% use a shared server or USB stick.
This confirms results from other recent surveys that suggest many companies fail to adequately protect their privileged accounts.
Upcoming Webcast: Identity Assurance in the Modern Enterprise – Register Now
The reality is that abuse or misuse of privileged credentials is used in the majority of major breaches. The credentials can be spear-phished directly, or located onsite during an attack if they are not adequately secured. Once acquired by the attacker he (or she) is better able to hide his presence, explore the network and steal data without being detected. “While 71% of respondents say they use a privileged account security solution,” notes the report, “it’s clear the adoption of best practices lags far behind. For example, while respondents rank privileged account takeover as the second most difficult stage of a cyber attack to mitigate, organizations aren’t making it harder for attackers.”
The reason for this apparent anomaly could be found in an awareness disparity. While seventeen percent of business/technical staff rank privileged account security as their top concern, only 10% of C-level executives feel the same. “This indicates the need for greater C-suite education and awareness about privileged account security threats, and potential for direct business impact,” says the report.
It could be down to something as little as leadership being reluctant to provide budget for a secure third-party solution when, in theory, it can be handled easily enough in-house. But it’s this in-house handling that would be behind the account credentials being stored on insecure Word documents and spreadsheets.
Insecure control over credentials also allows access via the supply chain (it was via a supplier that the hackers gained initial entry to Target). While CISOs can gain visibility into their own processes, it is less easy, and less obvious, that similar visibility and control is necessary over third parties.
“Many third parties, including vendors, contractors, consultants and service providers have authorized access to networks, allowing them to change, alter or impact the operational service of the target organization.” In fact, 49% of respondent organizations allow third party vendors access to their internal networks. And demonstrating that organizations are still not learning from past mistakes, the public sector “has the least third-party vendor access controls in place with 21% not securing activity, and 33% not monitoring that activity.” This is despite the massive OPM hack where social engineering was used by the attackers to obtain the credentials of a third-party contractor.
The findings of this year’s Global Advanced Threat Landscape Survey demonstrate that cyber security awareness doesn’t always equate to being secure,” suggests John Worrall, CMO at CyberArk. “Organizations undermine their own efforts by failing to enforce well-known security best practices around potential vulnerabilities associated with privileged accounts, third-party vendor access and data stored in the cloud.”
Upcoming Webinar – Tuesday, Sept. 27 at 1PM ET
Avoid the Breach: Identity Assurance in the Modern Enterprise