Even though enterprises across the world face varied cyber-threats in the form of ransomware attacks, phishing attacks, and attacks on unsecured data stored in the cloud, alarming levels of security inertia hold them back from preparing for or responding effectively to cyber-attacks.
The new Global Advanced Threat Landscape Report for 2018 from security firm CyberArk has revealed the extent to which enterprises are facing varied forms of digital threats and also how such enterprises are responding to threats or preparing for similar threats in the future.
A survey of 1,300 IT security decision makers from across the world, on which the report is based, revealed how increasing levels of security inertia among enterprises are also holding them back from responding effectively to cyber-attacks, thereby making it easy for hackers to breach systems and to gain access to sensitive enterprise and customer data.
While 56 percent of all IT security decision-makers admitted that phishing attacks are currently the greatest cyber-security threats they have to face, 51 percent named insider threats, 48 percent named ransomware attacks, 42 percent named unsecured privileged accounts, and 41 percent named unsecured data stored in the cloud as the greatest cyber- security threats faced by their organisations.
Despite facing such varied threats, many enterprises are unable to respond effectively thanks to growing levels of security inertia which has led to an inability to repel or contain cyber-threats. Out of all security professionals who were surveyed, 46 percent said that their organisation couldn't prevent hackers from breaking into internal networks each time it was attempted, 36 percent said that administrative credentials were stored in Word or Excel documents on company PCs, and half of them said that their organisation didn't secure data beyond the legally-required basics, thereby endangering personally identifiable information of customers.
At the same time, enterprises are not paying much attention to the security of privileged accounts, credentials, and data stored in the cloud, relying on automated processes inherent in cloud and DevOps.
"If compromised, these can give attackers a crucial jumping-off point to achieve lateral access to sensitive data across networks, data and applications or to use cloud infrastructure for illicit cryptomining activities. Organisations increasingly recognise this security risk, but still have a relaxed approach toward cloud security," the survey found.
It also showed that while half of all organisations have no privileged account security strategy for the cloud, 68 percent of them rely on built-in security capabilities of cloud services, even though 38 percent of professionals agree that cloud providers do not deliver adequate protection.
“When target organisations haven't moved with the times, cyber-attackers often have an easy time of it and are able to penetrate traditional perimeter defences without undue effort. Companies must show greater urgency to change the game, which means treating the risk associated with cyber-security in the same way as wider business risks such as competition and the economy," said Rich Turner, vice president of EMEA at CyberArk.
“Understanding how changing service delivery models - like cloud and DevOps - affect the attack surface is a crucial component of cyber-risk. Business leaders have a critical role to play in transforming the risk mindset and building cyber-resilience across the enterprise,” he added.
Even though 86 percent of IT security professionals want cyber-security to be a board level discussion topic and 44 percent of them reward employees who help prevent an IT security breach, only eight percent of organisations conduct regular exercises to uncover critical vulnerabilities and identify effective responses.
Sachin Bhatt, head of incident response at XQ Cyber, believes that the so-called 'security inertia' that enterprises are facing today is thriving because enterprises are bombarded with many different solutions to tackle different threats, thereby causing much confusion and preventing them from forming clear plans to mitigate threats.
"Instead of trying to tackle the latest, most sophisticated threat in an ad-hoc manner, organisations need to go back to security basics and ensure everyone in the organisation is aware of their own role in spotting and avoiding attacks. This requires a mindset shift; the challenge to change people's attitudes towards cyber-security is a big one.
“By deploying risk mitigation tools that provide a more holistic view of an organisation's potential vulnerabilities, as well as any risk posed by a weak and insecure supply chain, organisations can take back control and make more considered and informed decisions about where to deploy security solutions to fix any holes in its defences" he adds.
In an email to SC Magazine UK, Greg Sim, CEO at Glasswall Solutions, said that organisations' increasing vulnerability to cyber-threats suggests that they are either unaware of emerging cyber-risks or simply don't know how to protect against them.
"The majority of businesses that reported to Cyberark that they can't always prevent an attack, are, for the most part, correct. Without considering alternative, and more innovative solutions to cyber-defence, you will always be chasing shadows. Every day email attachments such as Word documents or PowerPoint files are now used to launch 70 percent of cyber-attacks, which are increasingly sophisticated and difficult for employees to identify.
"Traditional anti-virus technology can only identify ‘known' threats, which means once a new strain of virus is created and most likely sent to a business inbox, your network is almost defenceless. This approach is flawed, innovative technologies are no longer looking for ‘known bad' threats, and instead are blocking and quarantining threats by validating the “known good”. This means that the technology is ahead of hackers, and it isn't reliant on a virus being known to the community," he added.