Singapore-based Vincent Goh, Senior Vice President, APJ, CyberArk, highlights the importance of raising awareness of ‘cybersecurity debt’. He tells us about solutions to solve the digital identity debt dilemma and the ‘debt trap’.
How has the pandemic increased the number of opportunities for cybercriminals to attack?
The pandemic has resulted in the acceleration of digitalization in many countries in the Asia Pacific region. Employees of organizations today are using more devices and applications, relying on collaboration tools over multiple cloud platforms to keep business operations running locally and across geographical boundaries.
This has resulted in an explosion in both human and non-human identities that when not managed adequately, provide attackers with the opportunity to strike.
Why should organizations frame the growing digital identity problem in terms of ‘debt’?
The increasing pervasiveness of hybrid work arrangements has also further increased the attack surface for cybercriminals, leaving IT teams with the task of securing more digital identities that are spread across different networks.
Therefore, as many organizations embark on awareness and security-building initiatives, they must consider framing the growing digital identity problem in terms of ‘debt’ – a concept that’s as universally understood as it is dreaded.
Whether it’s splurging on a big vacation, buying a new home or launching a new interactive app for your customers, you take on debt to get something you need (or want) today by deferring ‘payment’ until tomorrow.
What specifically is cybersecurity debt and what problems does it cause?
Cybersecurity debt is a type of technical debt – a term first introduced by computer programmer Ward Cunningham to explain the future cost of reworking a solution that wasn’t completely or properly designed from the start.
Cybersecurity debt specifically refers to the unaddressed security vulnerabilities that accumulate in an organization’s IT environment as new systems and technologies are added over time.
When cybersecurity debt isn’t paid off promptly, ‘interest’ can quickly build, making it difficult and costly to repair those shortcuts down the road. Getting bogged down in cybersecurity debt ultimately leaves fewer dedicated resources for sustaining a productive and efficient business.
Can you describe the ‘trade-off’ many enterprises experience during the process of Digital Transformation?
According to the CyberArk 2022 Identity Security Threat Landscape Report, many organizations are heading deeper into cybersecurity debt by prioritizing digital initiatives, such as accelerating cloud migration, developing new digital services and supporting work from anywhere models, while putting off identity-focused security protections.
In fact, with volatility remaining a major business concern, nearly every surveyed organization (99%) accelerated a business or IT initiative within the past 12 months in the push for continued resiliency and competitive differentiation amidst COVID-19 restrictions.
Digitalization brings both new opportunities and cybersecurity vulnerabilities. Transformative projects are rarely achieved without making waves, especially when it comes to large-scale technology initiatives.
Each initiative often creates a massive swathe of new interconnected digital identities that contain the credentials of the human or machine linked to it. Think of personal information in banking applications or the multiple login details you have to remember when accessing your organization’s software applications.
These digital identities are used to facilitate interactions and broker access, often to sensitive corporate data and assets required to perform a job or function.
What sort of challenges occur with an increase in the number of connected devices?
The increase in the number of connected devices brought about by digital adoption, brings along a set of challenges. Last year, a report by the Cybersecurity Agency of Singapore (CSA) revealed that malware-laced devices almost tripled from 2019 to 2020.
The results indicate that while businesses were migrating online, cybersecurity best practices were not carried out efficiently, accumulating ‘debt’.
It takes just one compromised identity for a threat actor or malicious insider to launch an attack and start escalating privileges to move deeper into an environment in search of valuable assets. This is likely why respondents ranked credential access as their number one area of risk.
Yet 79% said their organization hasn’t prioritized the protection of critical data and assets. Instead, they’re moving full steam ahead with initiatives respondents said could introduce significant risk.
This dissonance has created substantial cybersecurity debt that continues to mount as ‘interest’ accumulates in the form of new unmanaged identities across every major IT infrastructure component.
How can organizations avoid the ‘debt trap’?
As in one’s personal lives, a certain level of debt is sometimes necessary. If your car dies and you need one to get to and from work, you may be forced to take out a loan for a new car. Likewise, many organizations had no choice but to fast-track projects that could keep operations running amid pandemic-driven challenges, making some security trade-offs along the way.
The key now is to tackle this debt responsibly before balances become too unwieldy, or worse, organizations face ‘bankruptcy’ for failing to evolve at the rate of technology change due to poor security decisions.
The good news is, some organizations are committed to turning things around. Notably, almost all respondents of the survey are embracing Zero Trust cybersecurity models of ‘trust nothing; verify everything’, with half (50%) prioritizing the implementation of Identity Security tools as one of their top three initiatives to pave the way.
And in the face of continued ransomware attacks and other emerging threats, organizations are approaching cybersecurity debt and risk reduction efforts more holistically by emphasizing important technical controls such as multi-factor authentication (MFA) and least privileged access as well as implementing people-centric initiatives such as security awareness training to encourage security-conscious behavior to become part of the organizational DNA.
Digging out of cybersecurity debt takes time and for many organizations, there’s much work to be done. Creating a risk-based plan can help businesses identify ways to make quick, high-return ‘payments’ and then follow a feasible timeline for reducing the remaining cybersecurity debt. With a solid identity-centric risk plan in place, organizations can effectively strengthen defenses against emerging threats while advancing key initiatives to propel their businesses forward.