The last 12 months have witnessed a rapid-fire round of innovation and adoption of new technologies. Powerful new identities, environments and attack methods are shaping the quickly changing cybersecurity threat landscape, rendering it more complex and causing the diffusion of risk reduction focus. New CyberArk research indicates that the rise of machine identities and the increasing reliance on third- and fourth-party providers are deepening the existing threats and creating novel vulnerabilities.
The CyberArk 2024 Identity Security Threat Landscape Report, released today, surveyed 2,400 identity-related cybersecurity experts and decision-makers across 18 countries to provide deep insights into the evolving threat landscape. The report reveals that an overwhelming majority (93%) of organizations have experienced two or more breaches due to identity-related cyberattacks. These organizations anticipate the total number of identities to increase more than 2.4 times in the next 12 months.
Several factors contribute to this surge in identity-related attacks, including the rise in volume and sophistication of cyberattacks perpetrated by both skilled and unskilled bad actors who utilize generative AI (GenAI) to amplify their attacks. These threat actors target an already intricate and expanding digital ecosystem, exploiting unsecured identities to gain access to their victims’ environments. To that end, the report finds that nearly all (99%) organizations affected by identity-related attacks suffer negative business impacts.
Read on to get a look at some key trends outlined in the report.
The Perils of GenAI
GenAI is, of course, not new to organizations or bad actors. In fact, 99% of organizations use AI-powered tools in their cybersecurity initiatives, while bad actors also use GenAI to increase the volume and sophistication of their attacks. As a result, 93% of organizations anticipate a negative impact from AI, expecting an increase in AI-augmented malware, phishing and data breaches. In the last 12 months, nine out of 10 organizations experienced a breach due to phishing or vishing attacks. With AI-powered cyberattacks becoming more challenging to detect, the likelihood of widespread organizational breaches increases.
Deepfake videos and audio generated by GenAI are becoming increasingly difficult to discern. Yet, in the B2B world, over 70% of respondents are confident that their employees can identify deepfake content featuring their organizations’ leaders. These insights suggest complacency among respondents, likely fueled by an illusion of control, planning fallacy – or just plain human optimism. The full extent of the potential damage that GenAI-augmented attacks can inflict and the damage multiplier of compromising the data models feeding defensive GenAI remains unknown, and our vulnerability to it may be greater than we realize. These responses underscore the need to plan for more advanced future attacks and invest in protecting the data models used by machine intelligence and extending strong governance to this new AI identity.
New Era: Rise of the Machines
Nearly half of the 2,400 surveyed cybersecurity experts anticipate a threefold increase in machine identities, which are primarily under-secured and over-privileged, driving this growth. Ongoing automation efforts at scale and pervasive cloud computing further exacerbate the proliferation of vulnerable machine identities. The increase in the total number of these identities is neither new nor surprising. However, what is surprising (and concerning) is that nearly two-thirds (61%) of surveyed organizations have an exceedingly narrow definition of “privileged user,” which solely applies to human identities with access to sensitive data.
This definition contradicts our respondents’ observations, with nearly three-quarters (68%) indicating that up to 50% of all machine identities have access to sensitive data.
Still, their organization’s definition of a “privileged user” reveals a massive gap in excluding machine identities. Organizations report that they are primarily focused on securing human identities, which is a cause of concern in securing machine identities. They also report that a security incident requires significant manual effort to address or remediate.
Chain Reaction: Third and Fourth-party Risks
The report also highlights a lack of rigorous focus on vendor risk management despite the expanding web of our digital ecosystems. In the next 12 months, 84% of organizations plan to employ three or more cloud service providers (CSPs), and projections show an 89% annual increase in the number of SaaS applications, compared to 67% in 2023.
It’s crucial to understand that your network of third-party providers extends beyond CSPs and SaaS providers to include service providers, integrators, hardware and infrastructure suppliers, business partners, distributors, resellers, telecommunications and other external entities that enable digital business. Third- and fourth-party breaches can quickly cascade to your organization, creating a multiplier effect on risk.
The report finds that while 91% of respondents are concerned about third-party risks and 83% about fourth-party risks, vendor risk management remains a low priority for post-breach investments. It’s important to note that bad actors often employ a ‘buy one, get one’ approach, targeting multiple victims through double software supply chain and multi-tenant environment attacks. This means if bad actors target your third- or fourth-party providers, they could put your organization at risk. As such, regular vendor risk assessments and heightened vendor accountability are crucial. Likewise, this vendor accountability and risk assessment strategy should extend to cybersecurity vendors, too.
Cyber Debt: ‘Shiny Object’ Syndrome and a Blind Spot
Facing growing threats, organizations may prioritize adopting the latest technologies over foundational controls to address cybersecurity challenges. However, this can lead to the accumulation of cyber debt, where organizations incur significant costs and risks by neglecting existing vulnerabilities. This shift in behavior and negative results shows a need for consistency across foundational and new attack paths and tooling. According to the report, core social engineering attacks like phishing and vishing remain highly effective, resulting in breaches and substantial financial losses for nine out of 10 organizations.
Organizations must balance addressing existing vulnerabilities and adopting new technologies. Despite the complexity and challenges inherent in the future of cybersecurity, organizations can mitigate risks by staying informed and adopting a proactive approach to risk management that is consistent across all identities and environments.
Identity Security: The Key to a Robust Cybersecurity Posture
In today’s fast-paced world, where challenges abound, every defense erected becomes a new tower that bad actors seek to conquer. Our most significant advantage against these threats lies in our ability to collaborate. As Michael Jordan famously said (I’m told…), “Talent wins games, but teamwork and intelligence win championships.” Our collective defense extends beyond immediate colleagues to encompass our entire organization and third- and fourth-party providers. Securing every identity across the IT environment is paramount, necessitating a new cybersecurity model centered on identity security. The future of security starts with identity.
Download the CyberArk 2024 Identity Security Threat Landscape Report for comprehensive insights into navigating the evolving cybersecurity landscape.
Brandon Traffanstedt is a senior director in CyberArk’s Field Technology Office.