Governments at all levels are much less prepared for cyber attacks than organisations in the commercial sector.
Security software vendor CyberArk has released its ‘Global Advanced Threat Landscape Report 2018’. Its 11th annual study of cyber security and organisation’s response to it. Responses are broken down by industry sector, giving a clear view of how the public sector is reacting to cyber threats compared to other types of organisation.
The report found that only 29 percent of public sector organisations, and 31 percent of those in healthcare, respondents have implemented new cyber security measures such as privileged user accounts. Technology firms are taking the lead, with almost all (95 percent), saying that secured privileged accounts are critical to security.
Many respondents report that administrative credentials are stored in Word or Excel documents on PCs (36 percent), shared servers or USB drives (34 percent) or as printed documents in physical filing cabinets (19 percent).
Compared to last year’s survey, the number of security professionals reporting that they are planning to implement measures to manage privileged accounts is increasing, from 35 percent to 44 percent. The public sector does better here, with just over half (51 percent) of agencies planning to implement measures for managing privileged accounts.
Public sector organisations are also the least likely to reward employees who report security breaches (32 percent).
The report found that for Australian organisations as a whole, more than half (52 percent) rarely or never change their security strategy, even after a cyber-attack. Nearly as many (45 percent) say their organisation can’t prevent attackers from breaking into internal networks each time it is attempted, and 58 percent of Australia respondents admit that their customers’ privacy or personally identifiable information could be at risk because their data is not secured beyond the legally-required basics
“A change in security culture is needed,” said Matthew Brazier, CyberArk’s Regional Director for Australia and New Zealand. “There is a lot of inertia, particularly in the public sector, which could lead to an inability to repel or contain cyber threats and data being compromised.”
An overwhelming number of IT security professionals believe securing an environment starts with protecting privileged accounts – 89 percent stated that IT infrastructure and critical data are not fully protected unless privileged accounts, credentials and secrets are secured.
Respondents named the greatest cyber security threats they currently face, including:
- Targeted phishing attacks (56 percent)
- Insider threats (51 percent)
- Ransomware or malware (48 percent)
- Unsecured privileged accounts (42 percent)
- Unsecured data stored in the cloud (41 percent)
Respondents also indicated that the proportion of users who have local administrative privileges on their endpoint devices increased from 62 percent in the last survey to 87 percent in 2018. This is a 25 percent jump and is perhaps indicative of employee demands for flexibility trumping security best practices.
“The automated processes inherent in cloud and DevOps mean privileged accounts, credentials and secrets are being created at a prolific rate,” said Mr Brazier.
“If compromised, these can give attackers a crucial jumping-off point to achieve lateral access to sensitive data across networks, data and applications or to use cloud infrastructure for illicit crypto mining activities. Organisations increasingly recognise this security risk, but still have a relaxed approach toward cloud security.
“Overcoming cyber security inertia necessitates it becoming central to organisational strategy and behaviour, not something that is dictated by competing commercial needs.”
The CyberArk Advanced Threat Landscape 2018 annual report is the 11th in the series. The survey was conducted by Vanson Bourne among 1,300 IT security decision makers, DevOps and App Developer professionals and line of business owners, across seven countries worldwide.
The report is available here.
Comment below to have your say on this story.
If you have a news story or tip-off, get in touch at firstname.lastname@example.org.
Sign up to the Government News newsletter.