Identity Attack Surface in Asia Pacific and Japan: CyberArk Survey Reveals Impact of AI Tool Use, Employee Churn, and Economic Pressures

A new global report released today by CyberArk shows how the tension between difficult economic conditions and the pace of technology innovation, including the evolution of Artificial Intelligence (AI), is influencing the growth of identity-led cybersecurity exposure. The CyberArk 2023 Identity Security Threat Landscape Report details how these issues have the potential to result in a compounding of ‘cyber debt’: where investment in digital and cloud initiatives outpaces cybersecurity spend, creating a rapidly expanding and unsecured identity-centric attack surface.
 
Economic Squeeze Together with the Pace of Digital Acceleration Puts Organisations At Risk
In 2022, cybersecurity teams in Asia Pacific and Japan (APJ) experienced growing cyber debt, where security spend over the pandemic period lagged behind investment in broader digital business initiatives. In 2023, levels of cyber debt are at risk of compounding, driven by an economic squeeze, elevated levels of staff turnover, a downturn in consumer spend and an uncertain global environment. With investment in digital and cloud initiatives still ongoing as business leaders seek to unlock greater efficiencies and innovation, these factors have had a knock-on effect on cybersecurity.

• Regionally, 99.9% of APJ organisations expect identity-related compromise this year, stemming from economic-driven cutbacks, geopolitical factors, cloud adoption and hybrid working. 63% say this will happen as part of a digital transformation initiative such as cloud adoption or legacy app migration. 
• Fueling a new wave of insider threat concerns from – for example – disgruntled ex-staffers or exploitable leftover credentials, 69% of APJ organisations expect employee churn-driven cyber issues in 2023. 73% of cybersecurity experts across the region agree that they are concerned about loss of confidential information stemming from employees, ex-employees, and third-party identities.
• APJ organisations will deploy 70% more SaaS tools in the next 12 months versus what they have now. Large proportions of human and machine identities have access to sensitive data via SaaS tools and if not secured properly can be a gateway for attack.

 The 2023 Attack Surface
Report findings reveal upcoming areas of identity and cybersecurity concern this year. 

• Against a backdrop of the growing popularity and fast adoption of generative AI, 98% of APJ cybersecurity experts indicated that their organisations have deployed AI tools to augment and enhance Identity Security functionality. The three key areas include:
  • Automation and flexibility
  • Addressing cyber skill shortage/lack of resources
  • Breach detection and prevention
• 94% of cybersecurity experts across the APJ region expect a negative impact from AI tools and services in 2023, with the biggest concern being chatbot security vulnerabilities that include potential employee impersonation, ransomware, malware and phishing.
• 88% of the organisations surveyed experienced ransomware attacks in the past year. 69% of cybersecurity experts from APJ indicated that in the last 12 months, they paid ransom to allow recovery at least once.
• 61% of local companies expect that they would not be able to stop -or even detect – an attack stemming from software supply chain.

 Expanded Identity-Centric Attack Surface
Identities – both human and machine – are at the heart of all, or nearly all, attacks. Nearly half of the identities require sensitive access to perform their roles and are a favoured attack vector as a result. The report found that critical areas of the IT environment are inadequately protected.

• 62% say highest-sensitivity employee access is not adequately secured and greater numbers of machines have sensitive access than humans (39% vs. 45%).
• In APJ, credential access remains the #1 risk for respondents (cited by 36%), followed by defence evasion (35%), impact (30%), initial access (29%) and execution (28%).
• Business critical applications e.g. revenue-generating customer-facing applications, enterprise resource planning (ERP) and financial management software – are named as areas of greatest risk due to the unknown and unmanaged identities that access them. Only 47% have identity security controls in place to secure business-critical apps.
• Third parties – partners, consultants and services providers – are cited as #1 riskiest human identity type.

“The organisational desire to drive ever-greater business efficiencies and innovation remains undiminished, even as cutbacks in staffing and macro-economic forces are creating significant pressures,” said Matt Cohen, chief executive officer, CyberArk. “Business transformation, driven by digital and cloud initiatives, continues to result in a surge in new enterprise identities. While attackers are constantly innovating, compromising identities remains the most effective way to circumvent cyber defences and access sensitive data and assets. Such profound risk puts the issue of “who and what to trust” at the forefront of efforts to prevent cyber debt from compounding, and to build long-term cyber resilience.”

Vincent Goh, President and General Manager, Asia Pacific and Japan, CyberArk said, “The findings from the regional survey highlight the pressing challenges organisations face in today’s complex cybersecurity landscape. Economic conditions, the rapid evolution of AI and its adoption are converging to create a significant cyber jeopardy, particularly in the realm of identity-based attacks. As the region welcomes the use of more AI technology and innovations, the implementation of Identity Security, Just-In-Time access, and adopting least privilege principles for business-critical applications is paramount. Organisations must implement proactive security measures to continue improving their security posture, ultimately preventing unauthorised access and potential breaches.”