Survey Says Organizational Inertia Weakens Cyber Security Defenses
Inertia, by definition, is resistance to a change in motion: an object keeps its speed and direction until something acts on it. The same tendency can creep into an organization over time and harden into established behavior. The CyberArk Global Advanced Threat Landscape Report 2018 found specific examples of cyber security inertia which, if not addressed, could hinder an organization’s ability to detect and contain threats that break through the perimeter.
A key finding of our 2018 report is that nearly half (46 percent) of organizations rarely make substantial changes to security strategy—even after being hit by a cyber attack. This represents a failure to learn from past incidents that puts sensitive data, infrastructure and assets at risk; a consequence that respondents recognized, with the same proportion—46 percent—saying their organization can’t always prevent attackers from breaching internal networks.
Another worrying discovery is that more than a third (36 percent) of organizations store usernames and passwords for privileged user accounts in Word or Excel documents on company PCs. These privileged credentials deliver fast-track access to networks and systems across the enterprise, making them a tempting target for attackers.
Speaking of raising the odds of an attack succeeding, we were surprised to find a growing number of organizations grant users administrative rights on their endpoint devices. This year, the report found that, on average, 87 percent of users are allowed these rights, a 25 percent jump versus our 2016 study. The destructive malware of the past year, such as WannaCry and NotPetya, showed how quickly an infection spreads once it has a foothold; NotPetya in particular harvested credentials from compromised endpoints to move laterally, which is far easier when the logged-on user is a local administrator. Removing standing admin rights and blocking credential theft on endpoints therefore deserve greater priority, so that an attacker who lands on one machine cannot turn it into a path into the rest of the network.
The threat landscape is dynamic, so inertia will ultimately lead to serious consequences. Consider this finding: Half (50 percent) admit that their customers’ sensitive private data is at risk because security controls don’t exceed the legally required basics. In light of the EU’s General Data Protection Regulation (GDPR) and similar legislation in other countries around the world, the need for robust, organization-wide security and data integrity practices has never been more prominent.
Removing inertia requires businesses to build and sustain a pervasive culture of cyber security that is driven by executives and the board. This should be a top-down initiative supported by clearly defined and communicated security strategies and actively executed with participation by employees company-wide.
Read more by downloading the full report here.