Companies say that managing, verifying and protecting digital identities across their environments is a top security challenge, as threat actors continue to rely on identity-centric tactics in attacks, according the Cisco’s 2024 Cybersecurity Readiness Index.
In Cisco’s second annual study of over 8,000 business and cybersecurity leaders across 30 global markets, released Wednesday, 36 percent of respondents ranked identity protection as a major challenge, up from 24 percent in 2023. Other top challenges cited by security leaders include network resilience (34 percent), cloud reinforcement (17 percent) and machine trustworthiness (13 percent).
While previously, security teams have focused on creating a strong perimeter to keep attackers out, threat actors today are increasingly finding success in using a variety of identity-centric techniques, as seen in the compromises of Okta, Microsoft and other tech giants in 2022 by the Lapsus$ group. Other attackers are still using various methods, from credential stuffing to sophisticated phishing tactics bent on stealing both credentials and MFA prompts.
On the defense side, organizations are contending with an increasingly complex landscape, including employees working across distributed environments and, in some cases, leveraging unmanaged devices. All of this is changing the mindset about how identities should be verified: It's important for companies not just to monitor who is trying to access network resources, but also to understand the context of each individual access request.
“The first line of defense against potential security threats, Identity Verification, involves more checkpoints, such as understanding a user's identity across different contexts, analyzing their behavior, and providing accurate recommendations for access control and security policies,” according to Cisco’s Cybersecurity Readiness Index. “More than that, companies should be able to identify patterns, detect anomalies, and predict a user’s future actions based on the analysis of their behavior and have the capability to provide real-time assessment of risks associated with it.”
Cisco's study pointed to gaps in organizations’ maturity as it relates to their implementations of identity intelligence measures. In ranking identity intelligence maturity across four different categories - beginner, formative, progressive and mature - at least 82 percent of respondents were either in the formative or beginner categories. Meanwhile, 13 percent of companies ranked as progressive, while only 5 percent qualified as mature.
Almost all (99 percent) of respondents had implemented some sort of identity management solution, and out of the companies that had not yet deployed one of the identity solutions listed in the study, 51 percent said they plan to do so in the next one to two years. The types of identity solutions vary, the study found. About half of the respondents had implemented identity behavior analytics tools (54 percent) and risk-based access analytics (50 percent). Up to 48 percent of respondents said they had deployed tools for cross-context identity analytics and recommendations, and 46 percent said they had implemented real-time risk-based analytics tools. Meanwhile, around one-third of respondents said they had deployed cross-context identity posture assessment tools and passwordless authentication measures. Cisco's study also noted that the emergence of AI is helping to bolster these types of tools across the board.
“The rising deployment of AI technologies is both enabling new potential threat vectors and helping deploy identity management systems,” according to Cisco's study. “The good news is that companies are already starting to leverage these capabilities. On average nine out of 10 companies said they are at least partially using AI in their various solutions to verify and secure identity.”
Overall, the survey painted a picture of organizations moving to rethink how they can improve their cybersecurity strategies as the threat landscape continues to rapidly evolve. In the past year, 54 percent of respondents said their organizations have experienced a “cybersecurity incident,” and three-quarters believe that they will likely be disrupted by one in the next 12 to 24 months. Despite these concerns, the majority of respondents (60 percent) qualified for the formative phase of maturity across all segments beyond just identity, including machine trustworthiness, network resilience, cloud reinforcement and AI fortification. Only 3 percent qualified as mature, down significantly from a year ago when 15 percent of companies were ranked mature.
The good news is that organizations are taking steps to better secure their environments. Over half (52 percent) of respondents said that they plan to “significantly upgrade” their IT infrastructure in the next 12 to 24 months. That figure is up from 2023, when only 33 percent of respondents said that they planned to do so. Companies said that these efforts include upgrades of existing solutions, deploying new solutions and investing in AI-driven technology.
“To fund these initiatives, more than nine out of 10 (91%) companies substantially increased their cybersecurity budgets in the past 12-24 months,” according to Cisco's study. “More than six out of 10 (61%) increased their budgets by at least 20%, with three out of 10 (30%) increasing by 30% or more. The main factors driving these large increases in cybersecurity budgets include increased risk due to digitization, growth in types of attacks and threats, financial impact of cyber incidents, and increasing sophistication of attacks.”