SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Video: 10 Minute IT Jams - An update from CyberArk

Tue, 3rd May 2022

Cyber security is no longer confined to the shadows.

With cyber attacks now commonplace, even intruding on critical industries like healthcare and utilities, the digital world has become a battleground over identities – both human and machine.

These are the findings of the recent Threat Landscape 2022 report from identity security specialist CyberArk. In a wide-ranging interview, Thomas Fickenship, CyberArk's Regional Director for Australia and New Zealand, outlined the new realities facing organisations, and the mounting risks if identity security is neglected.

As Fickenship explained, CyberArk has roots going back to the late 1990s, entering the market with a singular mission: to secure the most privileged users within organisations, typically IT system administrators. "We've done that for over 20 years and we became the leader in that particular space," he said. Since those days, the company has broadened its approach. "We extended that philosophy across all users who carry identities because we believe a lot of them are actually privileged...so what we do in short, we pretty much defend against attacks. We make the life of red actors extremely hard and we secure all forms of identities."

Asked about the key Australian findings from the company's global survey of 750 IT security decision makers, Fickenship was clear: cyber security took a back seat during the pandemic.

"Over the last 12 months, cyber security or security in general became a little bit of a sideshow," he said. "It's understandable because with Covid people have focused on sustaining their business operations – even just moving everyone into home offices and securing remote work was a business priority. But cyber security was a bit of a back seat. Well, that comes at a cost."

The true cost lies in the proliferation of digital identities that often remain unmanaged or unsecured. "The problem with that, if you do that, you're actually exposing a lot of your users if you don't manage those identities properly," Fickenship warned. "While you're doing digital initiatives, there's a growing amount of identities being added, because you connect devices and connect everything to the internet."

Perhaps most striking, according to the Threat Landscape report, is the rise of non-human identities. "What we also learned is that non-human identities through automation technologies – like introducing robotic process automation – have almost outweighed human identities by a factor of 45 globally. If you look at our region it's about a factor of 11. That indicates that Australia and New Zealand are a little bit behind the automation drive, but that was quite astonishing," he observed. "A lot of people look at human identities but no one thinks about – well, there's a lot of bots being introduced and they also carry identities."

CyberArk's research points to targeted attacks on particular sectors: "Some industries in particular were highly attacked, like healthcare, as an example. Utility industries were actually quite exposed to a lot of attacks, in particular ransomware," Fickenship said. Software supply chains are a growing threat, with many companies admitting they are underprepared.

The expanding "attack surface" – the total of all digital entry points into an organisation – underpins these threats. Fickenship broke it down: "As soon as you start to create more connection points...you add devices to the internet, you outsource your IT infrastructure into public cloud environments, you basically add IoT devices...for example, in distribution and warehousing you have fully automated warehousing with lots of IoT devices in it – you create a lot of connection points. Every one of these connection points carries an identity, so you've got this enormous explosion of identities, and that creates an issue if you leave them unmanaged and not secured."

The result is that healthcare organisations in Australia and New Zealand have become frequent ransomware victims. "In healthcare, more than 80% of the companies we talked to had a ransomware attack. If you go to the utility and energy sector, they have this so-called supply chain software attacks because they basically have a lot of external suppliers, partners coming in or providing particular software services, and through those external software services if they're compromised, the actual utility or energy company can get compromised as well," he said, referencing notable global incidents like the SolarWinds and US oil pipeline attacks.

This leads to the concept of "cyber security debt". Fickenship explained: "When you talk to IT professionals they always use the term technical debt, and I think cyber security debt is a similar one. So what does it mean? If you don't address a problem...you're building up that debt because it's actually incurring future costs. At some point you have to address it, and that's the cost that's building up, so you have to pay down. The longer you leave it unmanaged and unsecured, the bigger is actually the debt that you have to deal with."

As for solutions, Fickenship advised organisations to focus on three key priorities. "The first one leads to the area of software development that I mentioned before – I think we need better transparency, we need to understand all the software components that are being used in a supply chain or around an ecosystem of organisations that are working together to be able to understand where the threat comes from," he said, highlighting the importance of a "software bill of materials".

Secondly, he said, it is crucial to have strategies in place for managing sensitive access, not just for privileged users but also across departments like human resources and finance. "You've got to have strategies in place to manage that, and I think you also need to eliminate any form of embedded credentials that you have sitting in software code that is hard coded, because that can cause an enormous problem down the track," he warned.

Finally, he advocated for the adoption of a "zero trust" approach. "A lot of organisations talk about zero trust: authenticate everywhere, make sure you have least privilege – so only the amount of privilege and credentials that you need to access certain environments. I think they are probably some of those spread issues that you can apply," he said.

For Fickenship, bringing visibility, discipline and urgency to identity security is a matter of survival. "You've got to get on top of it because the threat landscape is getting bigger," he concluded.
