This year marks the second annual Identity Management Day, a day designed to highlight the importance of managing digital identities online. With 79% of all organisations having experienced an identity related security breach in the last two years, this is an issue that must be taken seriously.
With that in mind, Cyber Protection Magazine spoke to six technology experts to get their thoughts on identity management – and their top tips to keep individuals and businesses safe.
Where does responsibility lie?
Our digital identities are broader than ever, as we offer up more and more information to a huge range of organisations. “Whether shopping online, setting up a social media account or simply reading a news article, we are regularly being asked for our identifiable information. With 10% of UK homes now owning smart devices – e.g. an Alexa or a Ring doorbell – our data is constantly being collected, even within our own homes.” explains Michael Queenan, CEO and Co-Founder of Nephos Technologies.
“What is especially concerning is who has access to this data – currently the institutions that collect it decide how it is used and sold. More worrying, should it fall into the wrong hands, it could be used for identity theft or fraud. Our personal data is anything but personal. This needs to change and with the UK no longer required to adhere to EU-GDPR legislation, it presents an opportunity to rectify how personal data can be shared. Ultimately, I believe individuals should be responsible for their own data and how it is used. A possible way of achieving this is through identity-centric blockchain, whereby everyone has a national email address associated with their blockchain identity that permits access to their personal data. This would ensure that only you get to decide who has access – your data, your choice!”
James Brodhurst, Principal Consultant, Resistant AI, agrees that businesses need to take responsibility for ensuring customer identities are secure. “Businesses and other organisations that use consumer identities as an integral part of operations must address the significant challenges of managing identities and recognise that there is no single solution to all possible cyber threats. Effective identity management is only achieved through a broad range of technologies and data. This is an important first step for organisations to know who they are interacting with, and subsequently distinguish between genuine or illicit actions.
“Businesses have a critical role to play in mitigating cyber threats, as does society as a whole. Initiatives such as Identity Management Day serve to increase our collective awareness of the issues and threats we’re facing, and also safeguard sensitive data.”
“Companies need to do a better job at protecting their customers’ data.” adds Liad Bokovsky, Senior Director of Solutions Engineering at Axway. “In a recent survey 82% of UK consumers confirmed they would stop doing business with a company if it suffered a data breach that exposed their personal information.”
Technology as a solution
So how can companies better protect the digital identities of both their customers and their staff?
“For IT leaders looking to implement identity management but unsure where to start, simple measures such as two-factor or multi-factor authentication are a good first step, before venturing further onto using tools such as privileged access management and privileged identity management.” suggests Steve Young, UKI Sales Engineering Director at Commvault. “As the volume of data worldwide is predicted to reach a staggering 181 zettabytes by 2025, organisations must think smarter about how to protect this data, and identity management is another piece in the puzzle to achieving a watertight system.”
Tyler Farrar, CISO, Exabeam, highlights other tools that can help keep digital identities secure. “Credential-driven attacks are largely exacerbated by a ‘set it and forget it’ approach to identity management, but organisations must build a security stack that is consistently monitoring for potential compromise. Organisations across industries can invest in data-driven behavioural analytics solutions to help detect malicious activity. These analytics tools can immediately flag when a legitimate user account is exhibiting anomalous behaviour indicative of credential theft, providing greater insights to SOC analysts about both the compromised and the malicious user, which results in a faster response time.”
It’s also important to ensure that digital communications are kept secure. “According to a Forrester/Diligent survey, over 50% of directors and C-suite executives regularly use personal email to communicate about their organisation’s most sensitive topics, putting their companies’ information at significant risk.” points out MarKeith Allen, Senior Vice President and GM, Mission-Driven Organisations, Diligent. “A secure communication solution allows you to maintain control over confidential communications, distribute documents and files for faster and easier collaboration, and ensure a rapid response during crises.”
However not all solutions are created equal. When choosing a solution, “actively engaging your IT team in the selection process benefits everyone in terms of protecting sensitive data— and safeguards your organisation against unnecessary liability. CIOs and CISO will have specific questions and ‘must haves’ in any communication solution their organisation takes on, so make sure they are involved from the start.”
Training is essential
However, whilst technologies are vital, they must be deployed alongside staff training to improve cyber hygiene.
“There can be no doubt that employees are the first line of defence for an organisation against a cyber attack.” explains Gregg Mearing, Chief Technology Officer at Node4. “If trained properly, they can act as a human firewall. However, poor cyber hygiene, a lack of best practice when it comes to managing credentials, and a limited understanding of the most common threats can make an organisation’s employees its greatest weakness.
“The good news is that while identity-related attacks are one of the easiest ways for cybercriminals to breach an organisation, they are also one of the easiest to prevent. Small changes can make a big difference. In an ever-changing and unpredictable cyber threat landscape, it is crucial that organisations educate their teams to identify these threats. Even a basic understanding can pay dividends for businesses in the long run.”
Andy Swift, Technical Director of Offensive Security, Six Degrees, agrees that technology must only be a part of the strategy. “When it comes to protecting yourself and your organisation, you can probably guess what I’m going to say here: implement multi-factor authentication (MFA). MFA provides great defence against identity theft, but it’s also a reactive technology: for it to be effective, an attacker must already have obtained stolen credentials. That’s why comprehensive cyber security training and education on best practices is quite possibly more important than any technology could ever be alone.”
“There’s no silver bullet when it comes to achieving strong identity management, but the importance of threat awareness and training cannot be overstated. That’s why we have Identity Management Day!”
Pingback: What famous identity thefts can teach our businesses nowadays - Cyber Protection Magazine