Security pros in APJ see machine identities as riskiest

Siloed approaches to securing human and machine identities are driving identity-based attacks across enterprises, according to a report from CyberArk.

The report is based on a study conducted by Vanson Bourne among 2,400 cybersecurity decision makers. Respondents were based in Singapore, Brazil, Canada, Mexico, the United States, France, Germany, Italy, the Netherlands, Spain, the United Kingdom, the United Arab Emirates, Australia, India, Hong Kong, Israel, Japan and Taiwan.

There were 700 respondents in the Asia-Pacific region and Japan (APJ).

The report found that security professionals rate machines as the riskiest identity type. A machine identity is a unique identifier distinguishing software code, applications and virtual machines from others on a network. It is used to authenticate and authorise the machine to access resources and services.

In part due to widespread adoption of multi-cloud strategies and growing utilisation of AI-related programs like Large Language Models, machine identities are being created in vast numbers. Many of these identities require sensitive or privileged access. 

However, in contrast to how human access to sensitive data is managed, machine identities often lack identity security controls, and therefore represent a widespread and potent threat vector ready to be exploited.

Among APJ firms, 95% had two or more identity-related breaches in the past year.

APJ organisations expect identities to grow an average of 2.6 times in the next 12 months.

More than three in every five APJ organisations (62%) define a privileged user as human-only. Only 38% of organisations define all human and machine identities with sensitive access as privileged users.

The report predicts an increase in the volume and sophistication of identity-related attacks, as skilled and unskilled bad actors also increase their capabilities, including AI-powered malware and phishing.

All APJ organisations have adopted AI-powered tools as part of their cyber defences, and 96% expect AI-powered tools to create cyber risk for their organisation in the coming year.

Only around 70% are confident that their employees can identify deepfakes of their organisational leadership.

Further, 95% of APJ organisations have been victims of a successful identity-related breach due to a phishing or vishing attack, and 92% faced successful ransomware attacks.

Vincent Goh, president and general manager of CyberArk in APJ, noted that 95% of APJ organisations experienced identity-related breaches in the past year, in part due to the inadequate security controls for machine identities compared to human ones. 

“Machine identities will continue to expand the attack surface for cyber adversaries, especially with the acceleration in AI adoption,” said Goh. “Organisations in the region need to adopt a holistic cybersecurity strategy to secure both human and machine identities to effectively defend themselves against cyber attacks.”