Privileged accounts are a serious threat to cyber security


According to CyberArk’s Global Advanced Threat Landscape Survey 2016, access to privileged account information is one of the biggest threats to cyber security.

According to the survey, 79 per cent of respondents state that their organisation has learned lessons from major cyber attacks and “has taken appropriate action to improve security”. As a result, 55 per cent have made changes to the way they manage privileged accounts.

However, 40 per cent of organisations still store privileged and administrative passwords in a Word document or spreadsheet, while 28 per cent use a shared server or USB stick. A further 20 per cent use a notebook or filing cabinet to store their sensitive information.

Meanwhile, only 7 per cent of companies have made implementing privileged account security their number one priority in securing their business from cyberattacks.

According to CyberArk, the issue with privileged account access is that it does not require the execution of a sophisticated cyberattack – without proper security it is easy for those with insider access to hack the company.

Examples of this include the 2014 hack of Sony Pictures, whereby a former systems administrator assisted a number of others in releasing personal details about the company’s employees and their families, e-mails between employees, information about executive salaries and copies of unreleased films, among other sensitive information.

Another example is the 2015 OPM (US Office of Personnel Management) breach, where more than 20 million records of employees were stolen. These included Social Security numbers, fingerprints, names, dates of birth and home addresses.

Both of these attacks resulted in the companies losing trust in their employees.

However, CyberArk has also noted the role of third-party vendors in insider attacks. According to the survey, 49 per cent of organisations allow third-party vendors (such as supply chain and IT management firms) remote access to their internal networks. The survey found that in Australia and New Zealand, 84 per cent of organisations secure this access and 67 per cent monitor it.

The public sector was found to have the fewest third-party vendor access controls in place when compared to other industries, with 21 per cent not securing and 33 per cent not monitoring this activity.

CyberArk also noted that cyber security for industrial companies is significantly more complex than security for commercial companies, as there are so many different devices and applications involved. The company sees the industrial cyber security industry continuing to grow and change immensely as the IoT takes hold.