How lack of investments created a huge debt in cybersecurity

As companies prioritised operations in the last few months, security investments now need to increase to make up for that debt

May 9, 2022

If there is one thing you shouldn't leave without investment, we'd argue that it is cybersecurity. Sure, we are biased. However, again and again, research has shown how losing the race against cybercriminals can cost more than most companies can afford. Indeed, the costs of having to halt operations in a basic necessity industry, of health services being brought down by hackers, or of government-backed criminals trying to bring down an entire country just as it faces the threat of war go way beyond the monetary.

Even though we know all these things, a recent CyberArk report stated that 79 percent of security professionals have agreed that their organisation prioritised maintaining business operations over ensuring robust cybersecurity in the last 12 months. At the same time, cyberattacks and ransomware crimes have soared, and so have their costs and effects.

And that is not all. As companies accelerate other digital business initiatives, and the number of human and machine identities rises basically unchecked, sometimes running into the hundreds of thousands in a single organisation, they also expose themselves to greater cybersecurity risks. 

 

The identity problem

Digital identities are part of our modern lives whether we realise how often we use them or not. Computers and systems use them to assemble a coherent body of information about an entity that represents an external agent, which can be a human being, but also an application, a device, or a whole organisation.

They are the digital thing that represents, for computation and data purposes, a physical thing, and nowadays they are as unavoidable as the internet itself.

However, as 68 percent of non-humans or bots have access to sensitive data and assets, according to a CyberArk report, this ocean of unmanaged and unsecured bots and digital entities is a real threat to organisations and individuals.

We often hear that we need to be concerned about the human factor: the person accessing data and how vulnerable they can be (especially to phishing and common malware). This is still true. There are still several steps that need to be taken to protect data from the human factor.

Still, the cybersecurity debt relates to the gap we now have between cybersecurity investments and the countless non-human identities. To give an idea, the average staff member in an organisation has more than 30 digital identities. Machine identities outnumber human ones by a factor of 45 on average.

With the uncontrolled increase of digital identities, most of them completely unchecked and with more permissions than necessary, cybercrime is on the rise. More than 70 percent of organisations have been victims of ransomware attacks in the past year. Also, less than half of the companies surveyed for the CyberArk report, a worldwide survey of 1,750 IT security decision-makers, said that they have Identity Security controls in place in their businesses.

We cannot scale back anymore. Reduction is not an option, so we need to bring investments up so that cybersecurity teams can face the task of assessing and managing these hundreds of thousands of digital identities. We need to be able to properly manage and secure access to sensitive data and assets, and to control the identity security issues that drive up risk.

It takes collective work, with several tools and cybersecurity techniques, prioritising zero trust principles and encryption of sensitive data, to bridge that gap, pay that debt and build a safer (and encrypted) future for all.