The majority of senior IT security stakeholders are failing to keep pace with the shifting threat landscape, according to new research.
New findings from privileged access management (PAM) solutions provider Delinea — drawn from a survey of 2,100 IT security decision-makers (ITSDMs) across 20 countries — have revealed 60 per cent of respondents conceded their overall strategy does not keep pace with the threat landscape.
Respondents said they're either "lagging behind" (20 per cent), "treading water" (13 per cent), or "merely running to keep up" (27 per cent).
The research also identified contrasting attitudes between the perceived and actual effectiveness of security strategies.
Of the surveyed respondents, 40 per cent said they have the right strategy in place; however, 84 per cent of organisations reported that they have experienced an identity-related breach or an attack using stolen credentials over the past year and a half.
To remedy these incursions, many organisations have committed to revising their strategy, particularly to bolster identity protection.
Delinea reported 90 per cent of respondents recognise the importance of identity security, with 87 per cent stating it is one of the most important security priorities for the next 12 months.
Conversely, three quarters (75 per cent) of IT and security professionals said they'll fall short of protecting privileged identities because they won't get the support they need.
According to Delinea, this trend is the result of budget and executive alignment, with 63 per cent of respondents stating their company's board still doesn't fully understand identity security.
"While the importance of identity security is acknowledged by business leaders, most security teams will not receive the backing and budget they need to put vital security controls and solutions in place to reduce major risks," Joseph Carson, chief security scientist and advisory CISO at Delinea, said.
"This means that the majority of organisations will continue to fall short of protecting privileges, leaving them vulnerable to cyber criminals looking to discover privileged accounts and abuse them."
Meanwhile, the research found less than half of the organisations surveyed implemented ongoing security policies and processes for privileged access management, including password rotation or approvals, time-based or context-based security, or privileged behaviour monitoring.
Further, 52 per cent of respondents revealed they allow privileged users to access sensitive systems and data without requiring multi-factor authentication (MFA).
Just 44 per cent of organisations said they manage and secure machine identities.
"Cyber criminals look for the weakest link and overlooking 'non-human' identities — particularly when these are growing at a faster pace than human users — greatly increases the risk of privilege-based identity attacks," Carson added.
"When attackers target machine and application identities, they can easily hide, moving around the network to determine the best place to strike and cause the most damage.
"Organisations need to ensure machine identities are included in their security strategies and follow best practices when it comes to protecting all their IT 'superuser' accounts which, if compromised, could bring the entire business to a halt."