‘Most IT security officials believe firms’ threat strategy poor’

Over 60 percent of respondents believe their organization’s overall security strategy does not keep pace with the threat scenario
  • Only 16 percent of respondents in the UAE and Saudi Arabia say they are able to keep pace with the threat landscape
  • Most organisations (91 percent) surveyed in the UAE and Saudi Arabia experienced an identity-related security breach in the past 18 months

A global survey conducted among 2,100 IT Security Decision Makers (ITSDMs) reveals that 60 percent of respondents believe their organization’s overall security strategy does not keep pace with the threat landscape.

The survey conducted in over 20 countries revealed that most of the ITSDMs believe that their organizations are either lagging behind (20 percent), treading water (13 percent), or merely running to keep up (27 percent).

The report also highlights differences between the perceived and actual effectiveness of security strategies.

The survey was conducted by Delinea, a provider of Privileged Access Management (PAM) solutions for seamless security.

While 40 percent of respondents believe they have the right strategy in place, 84 percent of organizations reported that they have experienced an identity-related breach or an attack using stolen credentials during the previous year and a half.

Compared to other countries, respondents from the UAE and Saudi Arabia show a higher level of skepticism toward their security strategies.

Over half (53 percent) believe their overall security strategy is ‘in the doldrums’ and requires a re-invigoration of cyber security across the organization, with only 16 percent stating they are able to keep pace with the threat landscape.

A staggering 91 percent reported that they experienced an identity-related breach or an attack using stolen credentials during the previous year and a half.

Identity security is a priority, yet board buy-in is critical

Many organizations are keen to make a change, particularly when it comes to protecting identities.

In line with the global findings, 94 percent of UAE and KSA respondents (90 percent globally) state that their organizations fully recognize the importance of identity security in enabling them to achieve their business goals, and 86 percent say that it is one of the most important security priorities for the next 12 months.

However, 85 percent of UAE and Saudi respondents (75 percent globally) also believe that they’ll fall short of protecting privileged identities because they won’t get the support they need.

This is mainly due to a lack of budget and executive alignment, with 68 percent of regional respondents saying that their company’s board still doesn’t fully understand identity security and the role it plays in enabling better business operations.

“While the importance of identity security is acknowledged by business leaders, most Middle East security teams will not receive the backing and budget they need to put vital security controls and solutions in place to reduce major risks,” said Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea.

Lack of policies puts machine identities at great risk

The research reveals that, despite good intentions, companies have a long way to go to protect privileged identities and access.

Less than a third (31 percent) of the regional organizations surveyed have implemented ongoing security policies and processes for privileged access management, such as password rotation or approvals, time-based or context-based security or privileged behavior monitoring such as recording and auditing.

Exactly half of all UAE and KSA organizations surveyed allow privileged users to access sensitive systems and data without requiring multi-factor authentication (MFA).

The report brings to light another dangerous oversight. Privileged identities include humans, such as domain and local administrators, as well as non-humans, such as service accounts, application accounts, code and other types of machine identities that connect and share privileged information automatically.

However, only 52 percent of UAE and KSA organizations manage and secure machine identities.

Carson said, “Cyber criminals look for the weakest link and overlooking non-human identities — particularly when these are growing at a faster pace than human users — greatly increases the risk of privilege-based identity attacks.”

He said, “Organizations need to ensure machine identities are included in their security strategies and follow best practices when it comes to protecting all their IT ‘superuser’ accounts which, if compromised, could bring the entire business to a halt.”
