The prolonged period of low-capital costs and widely available funding may be over, yet digital adoption persists as business leaders seek to unlock efficiencies and innovation everywhere. This is driving exponential but often unsecure identity growth in the enterprise and putting existing levels of cyber debt at risk of compounding as investment in digital and cloud initiatives continues to outpace cybersecurity spend. It’s on cybersecurity professionals – who must do more, faster, with less than ever – to keep this organizational cyber debt under control while defending a rapidly expanding and unsecured identity-centric attack surface.
Released today, the CyberArk 2023 Identity Security Threat Landscape Report offers a glimpse into cybersecurity professionals’ world. It’s a massive realm of complex, interconnected environments under constant attack from shapeshifting threats – shadowed by global upheaval, economic uncertainty and rapid technological change, including the evolution of artificial intelligence (AI). Here, boundaries offer scarce protection. Instead, identities – human (employees, third-party users, customers) and machine (applications, infrastructure, bots and workloads) – are the first and last line of defense.
The total number of identities in a typical enterprise is expected to grow by 2.4x in 2023 alone. It’s a demanding job to manage them all while making sure users can securely access resources at the right time, from anywhere, on any device. Out of 2,300 global security decision-makers surveyed, virtually all (99%) say they’ll face an identity-related compromise in the year ahead, stemming from economic-driven cutbacks, geopolitical factors, cloud adoption and hybrid working. Meanwhile, 63% say the highest-sensitivity access for employees, such as IT admins, is not adequately secured today.
Many of these security teams are already understaffed and under-resourced, and nearly one-third of respondents say cybersecurity skills gaps hinder security efforts. As corporate belt-tightening continues, respondents cite growing challenges across six distinct areas of identity security risk:
1. People. Humans are always a security wildcard, and many incidents stem back to user error or intentional misuse. Seventy-four percent of respondents are concerned about confidential information loss stemming from employees, ex-employees and third-party vendors. They point to third parties (partners, consultants and service providers) as the riskiest human identities.
2. Workforce upheaval. Sixty-eight percent of respondents say layoffs and higher levels of employee churn will create new security issues. For example, 58% report instances of exiting users saving sensitive or confidential work documents outside of policy. Every time an employee leaves, the IT team must remove access permissions from the various applications they used. Malicious actors (sometimes former disgruntled employees) count on things slipping through the cracks during manual offboarding processes. One wrongly provisioned, overprivileged or orphaned account is all they need.
3. Machine identities. Due to increasing IT complexity, 62% of security teams operate with limited visibility across their environment. This makes it difficult to understand not only who is accessing sensitive data and assets but also what they are accessing. Last year, we learned machine identities outnumber human ones 45:1. There’s a pressing need to secure them all and secure them fast, yet doing so without impacting users is a tricky balancing act. Forty-two percent of respondents agree that managing and securing both human and machine identity types is equally difficult. This may be why 65% either took steps to protect machine identities last year or plan to do so in the next 12 months.
4. Business systems. When considering which exposed assets could cause the most damage and where they “live,” 42% of respondents say business-critical applications top their list of at-risk systems. Yet more than half of all respondents admit that identities are unmanaged and unprotected in revenue-generating customer-facing applications, enterprise resource planning (ERP), customer relationship management (CRM) and financial management software. This isn’t even the worst-protected environment: only 25% of respondents say sensitive access to bots and robotic process automation (RPA) is secured. Since approaching half of all identities have sensitive access to high-value data or services, often through SaaS applications and automated processes, these findings are particularly concerning.
5. Software development. With a need for speed and flexibility, software developers are often given more access than required – especially in lean times when rapid innovation is key to survival. Perhaps security teams don’t have the bandwidth to handle continuous access requests or developers are applying extra pressure. Regardless, 77% of respondents say developers have too many privileges – making these human identities highly attractive targets. Thirty-eight percent say development is the area where unknown, unmanaged identities create the most risk. Further, 69% say robotic process automation (RPA) and bot deployments are being slowed due to security concerns.
6. Identity security toolsets. Security professionals’ jobs are further complicated by a patchwork of heterogeneous tools from various vendors, creating identity security gaps in some areas and inefficient overlaps in others. Sixty-seven percent of respondents say they currently use tools from up to 40 different identity security vendors. Given the nature of cybersecurity, more enterprises are consolidating their partnerships, and their trust, to a smaller number of long-term vendor partners that can deliver more comprehensive, interoperable solutions that address more of their challenges.
Our latest research also explores the 2023 attack landscape, including industry-specific trends and growing AI angst, and demonstrates the longtail effect of today’s cybersecurity decisions on future success. It shows how forward-looking organizations are prioritizing and tackling key areas of identity risk to amplify security impact.
Download the full report to learn how placing identity at the heart of a Zero Trust cybersecurity approach can help your organization weather the current storm, avoid compounding levels of cyber debt and face the future with confidence.
Clarence Hinton is chief strategy officer, head of corporate development at CyberArk.