2023 State Of Cyber Assets Report Reveals Nearly 600% Annual Growth In Vulnerable Cloud Attack Surface
Security organizations experienced 133% year-over-year growth in cyber assets, resulting in increased security complexity and mounting pressure for cloud enterprises
MORRISVILLE, N.C., April 12, 2023/PRNewswire/ -- JupiterOne, the leading cyber asset visibility and management company, today announced the release of its second annual State of Cyber Assets Report (SCAR). The report analyzed more than 291 million assets, findings, and policies to establish the current state of enterprise cloud assets, including cloud and physical environments of devices, networks, apps, data, and users.
The latest JupiterOne research helps CEOs, CISOs, and security leaders understand the impact of the expanding attack surface on security complexity, and business, and uncovers the shocking growth in the average cybersecurity teams' responsibilities. Cyber assets increased by 133 percent year-over-year, from an average of 165,000 in 2022 to 393,419 in 2023. Organizations also saw the number of security vulnerabilities, or unresolved findings, increase by 589 percent, indicating a snowball effect as the number of assets more than doubled. The number of security vulnerabilities did not grow in direct proportion to the number of assets which may be attributed to an actual increase in unresolved vulnerabilities and the adoption of new technologies for vulnerability identification.
Mid-sized organizations, defined as 50 to 499 employees, were the further along in building security visibility with the highest number of aggregated data sources. On average, large-sized organizations had 2,011 assets per employee, small organizations 681, and mid-sized organizations 489. Mid-sized organizations had the lowest asset-to-employee ratio, and since fewer assets per employee can indicate a higher ratio of talent resources to manage the asset lifecycle, this could be due to greater sophistication in engineering practices and better habits for asset destruction, lifecycle management, or ephemeral engineering practices.
By analyzing millions of data points to summarize the state of cyber asset inventories each year, JupiterOne researchers learn where security practitioners are focused at nearly 250 organizations across sizes and sectors. Over the past 12 months, there has been an incredible – and almost certainly unprecedented – growth in the security practitioners' inventory of cyber assets, which has demanded entirely new levels of visibility, automation, and practice among resource-strapped security teams. The unprecedented growth in cyber assets and findings has multiple implications for the enterprise.
Unified Cyber Insight is Crucial
Security practitioners aren't omniscient. Visibility into cross-system relationships is only as good as the integration and correlation across data sets. The average security team correlates 8.67 security data sources for unified cyber insight. Unified cyber insights matter a lot if anyone wants to effectively defend the cloud-native attack surface. However, teams may struggle to make a case for data access to systems owned or administered by other teams.
Cyber Assets are Business Assets
Everyone knows that modern businesses cannot function, let alone succeed, without their cyber assets in both cloud and physical environments. Still, security teams have long struggled to convince business leaders how much cyber assets are worth. Understanding that the average asset is worth$17,711in 2023 may not help security teams get enough budget. However, it is a start toward quantifying the value of cyber assets.
The Modern Attack Surface is Distributed
Security practitioners are responsible for an average of 334 unique Cloud Service Provider (CSP) accounts in 2023 across all organizational sizes, or an average of 225 and 559 unique accounts at large and mid-sized organizations, respectively. Distributed cloud architecture methods create resiliency in the era of destructive ransomware attacks. But, the hyper-growth in distributed cloud architecture has introduced an unprecedented era of complexity for cybersecurity teams, who must contend with more assets, less standardization across CSPs, and the necessity of unified cyber insight.
About the 2023 Annual State of Cyber Assets Report
The 2023 State of Cyber Assets Report establishes the current state of enterprise cybersecurity assets and liabilities across complex attack surfaces of cloud and physical environments of devices, networks, apps, data, and user identities. The annual research examined asset characteristics and trends, asset superclasses, the cloud attack surface, asset relationships, and overall implications. Between September andDecember 2022, researchers used a knowledge graph data model to analyze cyber asset inventories, findings, policies, and queries derived from JupiterOne platform users. An in-depth analysis of 228 enterprises, mid-market organizations, and small businesses in financial services, technology, communications, industrials, and other sectors was conducted using an updated methodology.
The complete 2023 State of Cyber Assets Report, Executive Summary, and past research are available on the SCAR resource page. Read or download the full report here.
The SCAR team invites its readership to provide feedback on the findings and analysis within this year's report. Any organization wishing to do so or become a SCAR contributor should contact email@example.com for further information.
Join JupiterOne at RSA Conference San Francisco
JupiterOne will be onsite at the RSA Conference in San Francisco, California, April 24-27, 2023. Stop by the company's booth (Moscone South #1933) to meet the team and learn more about asset visibility and management. Additional details can be found here.
Jasmine Henry, Senior Director of Data Security and Privacy at JupiterOne and Lead Researcher of 2023 The State of Cyber Assets Report
"If the past year has taught us anything, it is the critical importance of security to the overall health of an organization and public safety. Cybersecurity is no longer just a CISO issue; the CEO, the board of directors, and investors are all paying close attention. Historians may write that the 2017 WannaCry ransomware attack was when CEOs realized the importance of security and the 2021 Colonial Pipeline event was when the average person understood that security mattered – but even though everyone is on-board with the importance of security, this report shows us how big of a mountain we still have to climb."
Sounil Yu, CISO and Head of Research at JupiterOne
"Security teams do not need more visibility. They just need access to the visibility that already exists within an organization. One of the key takeaways for organizations should be the importance of eliminating artificial barriers for security teams in getting this visibility. CEOs and other executives should ask their security teams what policies or inter-team dynamics hinder them from accessing the visibility they need. Security teams are already fighting an uphill battle. In this era of distributed and rapidly growing attack surfaces, organizations should focus on improving the processes and tools that unify our available data to gain greater cyber insights from the visibility we already have."
- Blog:Second Annual State of Cyber Assets Report Reveals Growth in Cyber Asset Value and Scale
- Resource page: 2023 The State of Cyber Assets Report
- Webinar: Uncovering the State of Cyber Assets
- Twitter: @JupiterOne
- LinkedIn: JupiterOne
- YouTube: JupiterOne
JupiterOne is a leading cybersecurity company specializing in cyber asset and attack surface management. Customers use the JupiterOne platform to connect the dots between all assets, people, and risks, providing deep context and insight into their expanding technology footprint. With unified cyber insights and one centralized view across hybrid and multi-cloud environments, security teams can make better data-driven decisions with confidence and address critical business challenges such as Cyber Asset Attack Surface Management (CAASM), Continuous Compliance, Cloud Security Posture Management (CSPM), and Vulnerability Prioritization. JupiterOne helps teams discover assets, map relationships, and triage risks to reduce their attack surface.
A growing number of Fortune 500 companies trust JupiterOne as the foundation for their enterprise security programs and realize the benefits of reduced cyber risk. JupiterOne was recognized by CNBC's Top Startups for the Enterprise and was named the 2022 CISO Choice Awards winner in the Premier Security Company, Cloud Security Solution, and Cloud Security Posture Management categories.
For Media Inquiries:
Nathaniel Hawthornefor JupiterOne
Director of Communications, JupiterOne