Identity, Security Staff Acquisition & Development, Network Security

Nearly a third of security teams lack a management platform for IT secrets

A woman is silhouetted against a projection of a password log-in dialog box.
Almost a third of security pros say their organizations don't have a management platform for API keys, passwords and credentials, according to a report by Keeper Security. (Photo by Leon Neal/Getty Images)

Keeper Security on Thursday reported that while most security pros expect cyberattacks to intensify over the next year, some 32% surveyed lack a management platform for IT secrets, such as API keys, database passwords, and privileged credentials, posing significant security risks.

The report also found that the average U.S. business experiences 42 cyberattacks annually — between three to four each month. Even with the accelerated pace of attacks, only 44% provide their employees with best practices guidance for governing passwords and access management.

While many surprisingly report feeling prepared for attacks, security leaders admit their tech stacks lack essential tools: Some 84% are concerned about the dangers of hard-coded credentials in source code, but 25% don't have software to remove them. And, more than one-quarter of respondents (26%) say they lack a remote connection management capability that can secure remote access to IT infrastructure.  

“While our research demonstrates that leaders are taking the security threat seriously, it also shows they are not keeping pace with the explosive growth in risk,” said Darren Guccione, co-founder and CEO at Keeper Security. “This research should serve as a wake-up call for all leaders to prioritize cybersecurity within their organizations by utilizing a management platform for IT secrets such as API keys, database passwords and privileged credentials, hiring and empowering a capable IT staff, creating a culture of trust, and providing training and best practices to their employees.”

Darryl MacLeod, vCISO at LARES Consulting, added that companies are always distracted by the "blinky lights" offered by the latest security technologies and tools, which can lead them to ignore basics such as password management and access control. Yet, MacLeod said companies often don't offer their employees guidance or best practices for governing these areas.

“This can be a huge mistake, as passwords and access control are two of the most important lines of defense against threats,” MacLeod said. “By neglecting to educate employees on how to effectively manage passwords and access, companies are leaving themselves vulnerable to attack. The bottom line is that companies need to make password and access management a priority, and they need to ensure that all employees are following best practices. Cybersecurity awareness programs are the most cost-effective and foundational tools in a company’s arsenal.”

Saryu Nayyar, chief executive officer at Gurucul, said at a time when cyber defenses are plentiful, it continues to amaze her that it’s taking longer to respond to cyberattacks, not faster. Nayyar said attackers are leveraging dwell time to evade detection, remaining hidden in an environment longer despite traditional SIEM, endpoint, and XDR tools for detection and response. Nayyar said this lets them probe and find higher quality data to exfiltrate.

“As threat actors get more sophisticated and organizations struggle to incorporate newer technologies, especially those suitable to protect the cloud and on-premise equally, malicious groups are able to identify more high-value targets and capture more immediate payouts,” said Nayyar. “Behavioral analytics that baselines normal functionality but is able to associate that with both user profiles and also user processes can quickly narrow down suspicious behaviors and quantify how risky those behaviors are.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.