Results of Cyber-Ark Software’s fifth annual “Trust, Security and Passwords” survey show that 57 percent of global C-level executives agree that in the next one to three years, external threats such as cyber-criminals will become a greater security risk than insider threats. Yet while awareness of the risks associated with cyber espionage and advanced persistent threat (APT)-type attacks is growing, internal threats still represent a security challenge for many organisations today. Nearly one in five C-level respondents admitted that cases of insider sabotage had occurred at their workplace, and 16 percent believe that competitors may have received highly sensitive information or intellectual property, including customer lists, product information and marketing plans, from sources within their own organisation.
Cyber-Ark’s fifth annual “Trust, Security and Passwords” global report is the result of online surveys conducted in the spring of 2011 with 1,422 IT staff and C-level professionals across North America and EMEA. This is the first year Cyber-Ark extended the survey to the C-suite. The expanded sample set limits direct benchmarking against previous years’ data, but it provides a broader view of industry trends to track in future reports.
“Increased awareness that attack vectors can and do originate from both external and internal sources can be attributed in large part to the spectacular external-born breaches that drew headlines in the past year, including the NASDAQ and Gawker breaches. Regardless of the attack vector, the targets inside an enterprise remain the same – highly sensitive intellectual, financial and customer information,” said Adam Bosnian, executive vice president Americas and corporate development, Cyber-Ark Software. “Privileged accounts are the key tool that external attackers and insiders leverage to access and exfiltrate an organisation’s sensitive information. Security teams need to start with improving the protection of these key internal targets – not simply building bigger walls around the enterprise.”
With recent high-profile attacks that targeted privileged accounts and passwords, such as the breach in EMC’s RSA Security Division, awareness and a sense of urgency will continue to increase around the need to better monitor and control these powerful accounts. Among the IT staff surveyed globally, one quarter (25 percent) said that the use of privileged accounts in their organisation is still not monitored.
A survey response that has remained fairly constant over the years concerns which departments are considered most likely to snoop around the network to look at confidential information. Given the IT department’s broad reach and its highly privileged and effectively anonymous access (shared administrative accounts are not tied to an individual) to networks, systems and applications, nearly half (48 percent) of all global respondents chose IT as the department most likely to snoop. Respondents said that managers were the next most likely (10 percent), followed by human resources (7 percent).
The following results compare “snooping” habits of IT staff around the world:
- When asked if they had ever accessed information on a system that was not relevant to their role, 28 percent of North American IT staff respondents admitted to snooping, while an even greater number in EMEA, 44 percent, admitted to the same behaviour.
- Similarly, 20 percent of North American respondents and 31 percent of EMEA respondents said that they or one of their colleagues had used an administrative password to access information that was otherwise confidential or sensitive.
The Impact of Data Breach Laws and Regulations on Privileged Account Perceptions
A new question added to this year’s survey measured how respondents’ perception of privileged account security has changed in light of data breach notification laws. According to the results, 77 percent of North American IT staff said their perceptions have changed, while far fewer in EMEA (24 percent) felt the same way.
“We expected some differences between North American and EMEA respondents, and thought this gap was noteworthy in that it speaks to differences between the regions in terms of how data breach notifications are enforced – either by law in places like the US, or as a regulation in the U.K. Regardless, several recent reports have cited escalating fines associated with breaches, so it will be interesting to watch how perceptions change over time,” said Bosnian.