Old habits die hard, especially when it comes to IT security strategy, a recent CyberArk Advanced Threat Landscape 2018 report finds.
Of the 1,300 IT security decision-makers, DevOps and app developers surveyed across the globe, 46% say their organizations failed to change their cybersecurity strategy after an attack.
Although security professionals are aware of what steps they should be taking to make their organizations more secure following a breach, roadblocks exist to prevent change, Nick Bowman, a CyberArk corporate communications senior manager, told Security Now.
"Roadblocks to change will vary per company, but can include factors like breaches not being deemed serious enough to provoke change," Bowman said.
Other potential hurdles include a misunderstanding at the board of directors' level, in which compliance with audit demands are considered the beginning and end of cybersecurity, he notes. And in other cases, business processes or functions prevent security strategy changes, Bowman adds.
"For instance, it might be considered more important to launch that new web service to drive revenue today versus ensuring it is not an open door to an attacker," Bowman explains.
Indeed. The survey found the percentage of users who have local administrative privileges on their endpoint devices soared to 87% this year from 62% in 2016. That jump was attributed, in part, to employee demands for flexibility outweighing best security practices, the report states.
Big mistakes post attack
One of the biggest and most frequent mistakes organizations make following a cyberattack is to do "nothing," Bowman laments, pointing to a sense of security inertia that survey respondents cited in the report.
- 46% say their organizations cannot prevent attackers from breaking into internal networks each time it is attempted.
- 50% admitted their customers' personally identifiable information (PII) could be at risk because it is not secured beyond legally required basics.
- 49% of organizations have no privileged account security strategy for the cloud
- 68% defer cloud security to their vendor's built-in security capabilities
And while 89% of survey respondents are aware security should begin with securing privileged accounts, credentials and corporate secrets, this practice is not widespread, Bowman notes.
"Seventy-three percent of respondents don't have a DevOps privileged account security strategy, for instance," Bowman says. "DevOps represents, potentially, a massively expanded attack surface as it creates -- automatically -- more and more privileged account credentials and secrets. If these are not managed and secured, they are obvious and tempting targets for attackers."
Signs of change emerge
Despite the somewhat bleak results in the survey, some organizations are changing their security strategies.
For example, 8% of organizations regularly perform Red Team exercises to discover critical vulnerabilities and identify ways to effectively deal with them, the report finds. And 44% of respondents say they reward and recognize employees who help prevent a security breach.
But one of the key considerations companies need to embrace is to change their mindset and think like an attacker to the point that the organization understands what the cybercriminal wants and the methods they will employ to get there, Bowman says.
"We try and get organizations to assume that their perimeter defenses either have already been breached or will inevitably get breached and put in place a security strategy that has this as a central tenet," he explained. "Attackers will get in. When they get in, they seek to move laterally using compromised accounts, credentials or secrets. What is it that is valuable in your organization? If you are a bank, it might be customer information. If you are a hospital, it could be avoiding system downtime that could disrupt surgical procedures. Once the pathway to the valuable thing or things is robustly secured and managed, Red Teams should be tasked to regularly try and compromise it, because vulnerabilities emerge and attack vectors evolve over time."
— Dawn Kawamoto is an award-winning technology and business journalist, whose work has appeared in CNET's News.com, Dark Reading, TheStreet.com, AOL's DailyFinance, and The Motley Fool.