Cyber security inertia has gripped Australian organisations with 46 per cent of IT security professionals admitting they rarely change their security strategy, even in the wake of a cyber attack.

Those are the latest findings from the CyberArk Global Advanced Threat Landscape Report 2018, which reveals that this level of ‘cyber security inertia’ – and failure to learn from past incidents – increases a company’s vulnerability to attacks, putting sensitive data, infrastructure and assets at risk.

The survey was conducted among 1,300 IT security decision makers, DevOps and app developer professionals and line of business owners, across seven countries worldwide.

According to the findings, the greatest cyber security threats respondents face include: targeted phishing attacks (56 per cent); insider threats (51 per cent); ransomware or malware (48 per cent); unsecured privileged accounts (42 per cent); and unsecured data stored in the cloud (41 per cent).

Overall, findings reveal organisations are failing to secure privileged accounts and credentials in the cloud, on endpoints and across IT environments.

Findings show 46 per cent of Australian professionals surveyed say their organisation can’t prevent attackers from breaking into internal networks each time it is attempted.

“Attackers have almost limitless freedom and agility, and are constantly evolving their tools and techniques. Organisations, being much larger and more structured, are not able to evolve their security strategy and controls to match this pace of change,” said CyberArk A/NZ regional director Matthew Brazier.

“Privileged accounts and secrets are the assets that are targeted in almost every attack. These are the most prized assets for attackers as these allow them to bypass other security controls undetected.

“The most cyber mature organisations in Australia have a deep awareness of their privileged asset landscape and have put in place strong controls around the way these are issued, used and audited. Aligning both defensive and alerting capabilities to protect these assets is fundamental to an effective security strategy.”

The report also said 36 per cent of Australian respondents report that administrative credentials were stored in Word or Excel documents on company PCs.

Additionally, 50 per cent of Australian respondents admit that their customers’ privacy or PII (personally identifiable information) could be at risk because their data is not secured beyond the legally-required basics.

The report notes that the “hands-off” approach to securing credentials and data in the cloud creates cyber risk.

“The automated processes inherent in cloud and DevOps mean privileged accounts, credentials and secrets are being created at a prolific rate,” the report said.

“If compromised, these can give attackers a crucial jumping-off point to achieve lateral access to sensitive data across networks, data and applications or to use cloud infrastructure for illicit crypto mining activities. Organisations increasingly recognise this security risk, but still have a relaxed approach toward cloud security.”

Given the inertia, the report found a change in security culture is needed – with 86 per cent of Australian respondents stating cyber security strategy should be a regular board-level discussion topic.

But just eight per cent of companies continuously perform Red Team exercises to uncover critical vulnerabilities and identify effective responses.

Compared to the US (74 per cent), only 44 per cent of Australians surveyed said their company recognises or rewards employees who help prevent an IT security breach.