Anetac, a Silicon Valley startup protecting companies from identity-based vulnerabilities in hybrid environments, released its inaugural Identity Security Posture Management (ISPM) Survey Report today. Based on a comprehensive survey of 201 identity security professionals conducted by Censuswide, the report highlights critical gaps in the visibility, hygiene, and control within their machine and human account landscape.
The report reveals alarming trends in machine identity vulnerabilities, including service accounts, APIs, and tokens, as well as human accounts, that leave organizations vulnerable to potential cyberattacks. The most common, critical issues lie within the lack of visibility and oversight of service accounts.
Unmonitored service accounts pose a severe threat to organizations globally because they tend to be overprivileged, misused, and many times forgotten. This makes them prime gateways for cybercriminals to gain unauthorized access, escalate privileges, and move laterally within networks undetected.
Identity security professionals are overwhelmed trying to keep pace with the rapidly evolving threat landscape, but the speed and complexity of emerging threats often outpace organizational security efforts. Visibility is the first crucial step in understanding and tackling the identity security problem.
The longer a company operates, the more complex and entrenched its identity security problems tend to become. To mitigate risks effectively, companies must transition from static, periodic reviews to dynamic, real-time monitoring solutions that can match the complex, interconnected nature of modern hybrid environments.
Key findings from the Anetac ISPM Survey Report include:
- Visibility epidemic: 44% of IT security professionals rely on manual logging for service account visibility, while 10% admit to no visibility measures at all. Meanwhile, 47% depend on static tools, potentially missing real-time security threats.
- Hybrid account misuse: 75% of organizations report the dangerous practice of using service accounts as human accounts or vice versa, blurring the lines between automated processes and individual user actions. Hybrid account misuse happens both on-premises and in the cloud.
- Company assets at risk: A significant 76% of IT security professionals acknowledged that their service accounts have direct access to the company's crown jewels—the most critical and sensitive assets. However, 40% reported that only 0-14% of their service accounts have such high-level access.
- Prolonged password rotation cycles: An alarming 53% of security professionals take 13 weeks or more to rotate service account passwords, with 35% extending this period to 16 weeks or beyond. Even more concerning, 3% of respondents admit to rotating these critical passwords only once every 1-5 years.
Lack of visibility in identity management, hybrid account misuse, and poor cyber hygiene have always posed challenges in cybersecurity, but AI has significantly raised the stakes. Organizations can no longer rely solely on their teams without modern, up-to-date tools.
Anetac's experience with customers has revealed alarming security gaps from machine identity account misuse. In one case, an administrator used a service account with elevated privileges for personal communications; in another, it was used for food delivery orders for groups of developers. These misconfigurations create serious vulnerabilities, granting attackers unauthorized access and increasing the risk of data breaches. Every machine identity account, especially those with elevated privileges, expands the attack surface, making strict management and access controls essential for maintaining a strong security posture.
“This data confirms what we've always suspected: the most vulnerable part of any organization is its ability to monitor and secure dynamic, ever-evolving environments with real-time measures,” said Baber Amin, chief product officer at Anetac. “The extent of poor security hygiene in machine identity accounts is staggering. To stay resilient against this growing threat, organizations must prioritize investing in cutting-edge, real-time identity security solutions capable of tackling the unique challenges posed by service accounts in today’s hybrid environments.”
Organizations can take immediate steps to address these vulnerabilities, including:
- Implementing real-time, streaming visibility into discovering all machine and human identity accounts, providing a map of their access chains and surfacing password hygiene.
- Establishing and enforcing consistent, industry standard policies for password rotation.
- Ensuring that the solution enhances the efficacy of existing control planes.
The ISPM Survey Report underscores a critical need for improved machine identity account management practices across organizations. With cyber threats evolving rapidly, prioritizing visibility, regular password rotation and strict access controls for service accounts is essential to protect valuable assets.
Report Methodology
This research survey was conducted online by Censuswide, surveying 201 US based IT security professionals, influencers, and decision makers in the identity security field (18+) excluding sole traders. Censuswide abides by and employs members of the Market Research Society and follows the MRS code of conduct and ESOMAR principles. Censuswide is also a member of the British Polling Council.