Survey: 77% of Security Leaders Say Their Organization Has Suffered a Cyberattack Due to Improper Access
ConductorOne’s New Identity Security Outlook Report Reveals the Top Identity-Related Challenges and Opportunities in 2024
PORTLAND, Ore. – May 21, 2024 – ConductorOne, the leader in identity security and access governance, today released a new report, the 2024 Identity Security Outlook Report. Based on a survey of 523 U.S.-based IT security leaders at companies with 250 to 10,000 employees, the study explores the top challenges and opportunities of identity security, access management, and zero standing privileges. The study found that security leaders are facing increased technological and organizational complexity, which is creating a new wave of identity risks for their organizations.
According to the survey findings, most organizations have experienced firsthand just how risky identity issues have become. The majority (77%) of respondents said their organization has suffered from instances of cyberattacks or data breaches in the past 12 months due to improper access or overprivileged users. Furthermore, 41% of respondents said there had been multiple instances of cyberattacks or data breaches due to the same improper access issues.
“We’re now squarely in a new world order in which identity and access must be viewed and managed as a high-priority security risk, not just an IT issue,” said Alex Bovee, co-founder and CEO of ConductorOne. “As our survey shows, the complexity of modern technology environments has made identity an overwhelming challenge for security teams — and a prime target for attack. Fortunately, many organizations are leaning into automation and zero standing privileges to reduce complexity, minimize risk, and bring identity chaos to order.”
Complex Environments Lead to Identity Risks
The interconnectedness of modern technology environments has opened the door to a wide range of new identity and access risks. Key survey findings related to technology complexity include:
- Hybrid IT: 76% of survey respondents indicated their company has a hybrid environment. Just 6% of respondents said their environment is completely in the cloud, and only 18% stated their environment is completely on premises.
- Extended enterprise: Nearly all surveyed security leaders (97%) reported that their company works with external entities like contractors, partners, or suppliers who have access to their various systems, applications, and/or resources.
- Non-human identities: The majority (81%) of respondents stated they are concerned about non-human identities and the risk they pose to their company.
- SaaS Sprawl: Security leaders estimated that an average of 39.5 SaaS apps are in use across their company. Smaller companies reported an average of 9.2 SaaS apps in use, whereas larger companies reported an average of 70.4 apps.
Top Identity and Access Management Challenges
When asked to describe their top identity and access management challenges, 47% of respondents cited the complexity of existing systems, followed by employees’ resistance to change (38%), limitations due to available tools (33%), and executives’ resistance to change (32%). Nearly half (47%) of survey respondents said their company’s identity security strategy and access policies hinder team productivity, with 23% citing a significant hindrance on productivity.
Budgets Increase to Meet Identity and Access Needs
The majority (84%) of survey respondents reported either a moderate or significant increase in their company’s budget allocation for identity and access-related products this year. Nearly all respondents (95%) said their budget allocations for identity and access-related products are adequate. Despite increasing budgets and respondents self-reporting that their allocations are adequate, 73% of respondents still find themselves frequently or very frequently negotiating higher security budgets due to increasing security risks and responsibilities.
Zero Standing Privileges Holds Promise to Reduce Risk
The concept of zero standing privileges (ZSP) requires that a user only be granted the minimum levels of access and privilege needed to complete a task, and only for a limited amount of time. Should an attacker gain entry to a user’s account, ZSP ensures there is far less potential for attackers to access sensitive data and systems. The study found that the vast majority (93%) of security leaders believe ZSP is effective at reducing access risks within their organization. Additionally, 91% reported that ZSP is being enforced across at least some of their company’s systems.
Top Identity and Access Management Priorities
As security leaders face greater complexity across their organizations’ systems and escalating attacks from adversaries, it’s no surprise that risk reduction was cited as respondents’ top priority for identity and access management (55%). This was followed by improving team productivity (50%) and automating processes (47%). Interestingly, improving user experience was cited as the top priority among respondents who experienced multiple instances of attacks or breaches due to improper access in the last year. This group also identified their top identity challenges to be executive and employee resistance to change, which may indicate that greater organizational friction could lead to an increased risk factor.
Methodology
The 2024 Identity Security Outlook Report findings are based on the results of an online survey conducted in February 2024 that examined the opinions of 523 U.S.-based IT professionals, director level and higher at companies of 250 to 10,000 employees, whose roles involve information security.
To learn more, download the 2024 Identity Security Outlook Report here.
About ConductorOne
ConductorOne helps organizations secure their workforce identities through modern access controls and governance. Security and IT teams use ConductorOne to unify access visibility, move to just-in-time (JIT) access, remove inappropriate access, and automate access reviews. Modern enterprises like DigitalOcean, Ramp, Instacart, Panther, and DeepWatch trust ConductorOne to achieve zero standing privileges and ensure compliance. For more, visit www.conductorone.com.
# # #
Media Contact:
Andrew Smith
Public Relations for ConductorOne
