
Building a Secure Digital Transformation: Addressing Identity Risk from the Beginning


Securing data has become increasingly critical in today's digital landscape, with new research from CyberArk highlighting the escalating threats and complex challenges faced by organizations. An end-to-end, secure-by-design regime is recommended as the best defense against these threats. Australia, renowned for its early adopter mentality and physical isolation, has emerged as one of the top three multicloud users globally, with 93 percent of companies planning to use at least three cloud platforms in the coming year.

A significant portion of Australian companies, around 25 percent, reported using over 100 Software as a Service (SaaS) providers, a figure expected to rise to 75 percent within the next 12 months. Despite this extensive adoption of cloud services, 55 percent of respondents expressed concerns about the complexity of managing data in the cloud compared to on-premises environments. The CyberArk whitepaper "Identity Security and Cloud Compliance" underscores these concerns, pointing out that cyberattacks often exploit vulnerabilities where data is moved or shared. As a result, Australia has become the second most breached nation globally.

The first major issue identified is the loss of visibility over data. Even with robust security systems in place and strict protocols for partner access, the extended network of partners and their respective partners can create security blind spots. Nearly nine out of ten Australian organizations have experienced identity-related breaches stemming from third parties, and eight out of ten have faced breaches related to the supply chain, where security measures might be weaker. This interconnected landscape provides attackers with multiple entry points to target sensitive information.

Thomas Fikentscher, head of CyberArk in Australia and New Zealand, highlights the growing concern over the lack of visibility as more software, systems, and technologies connect. He points out the increasing number of identities, including both human and machine identities, as a significant risk. The main issue arises from standing access, where a device or individual is granted access for a specific purpose, such as maintenance, but that access is never revoked. Adversaries are well aware of this vulnerability and often exploit it.

Fikentscher has worked with companies that discover they have tens of thousands of connected devices, many of which are old, insecure, or unknown in terms of how they communicate with other parts of the business. This growing landscape of identities and connections makes it increasingly difficult to maintain control and ensure security.

Digital transformation is another major contributor to data breaches. Fikentscher discusses the challenges faced by energy companies that traditionally managed their operational technology, data, and teams in highly segregated data siloes. The push for digitization necessitates the creation of information exchange gateways to allow seamless data flow from operational systems to corporate environments for applications like predictive maintenance. This integration increases the risk of breaches as more devices and systems become interconnected.

The sheer number of internet-facing devices further complicates the security landscape. Many of these devices are hard to manage, lack built-in security elements, and exhibit unpredictable behavior. Fikentscher shares an example of a pharmaceutical company that connects directly with doctors and specialists, highlighting the increased threat exposure as these providers open their systems to patients under e-health frameworks. This situation exposes hundreds of doctors and thousands of patients to potential vulnerabilities.

New software products and digitization projects often require developers to rapidly deploy cloud and SaaS services, frequently with admin access. This scenario is a common starting point for breaches, as attackers exploit the elevated privileges during the software deployment stage. The rush to embrace AI technologies further exacerbates the problem. Companies are creating Large Language Models (LLMs) and connecting them to cloud services to access vast amounts of training data, often with sensitive or privileged access. Fikentscher warns that organizations may be naively prioritizing the rapid realization of AI benefits over security, potentially compromising their data integrity.

Given the nature, cost, and disruption of data breaches, governments worldwide are enacting legislation to mandate data security. Australia aims to be the most secure nation in the world by 2030, and this legislative push is influencing industries, according to CyberArk's research. In highly regulated sectors, such as financial services (regulated by agencies like ASIC) and health (regulated by APHRA), companies are taking data security very seriously and complying with strict regulatory requirements. Infrastructure industries like energy and health are also aligning their practices with these regulations due to mandatory risk management programs.

However, the enforcement of these regulations is not uniform across all sectors. In manufacturing and retail, compliance with data security legislation is less prevalent. Fikentscher notes that while legislation is a positive step, its effectiveness is often hindered by complacency in some executive teams and a lack of knowledge in boardrooms. This inconsistency in enforcement and awareness underscores the need for a more widespread and thorough adoption of secure-by-design principles across all industries.

In conclusion, the increasing complexity of managing data in the cloud, coupled with the rapid adoption of digital technologies and the proliferation of connected devices, has created significant security challenges. CyberArk's research highlights the urgent need for organizations to implement an end-to-end, secure-by-design approach to protect their data. As Australia continues to lead in multicloud adoption and digital transformation, it must also prioritize robust security measures to safeguard against the growing threat of cyberattacks. Legislative efforts are a critical component of this strategy, but widespread awareness and proactive measures within organizations are equally essential to achieving a secure digital future.
