Research by the IDSA reveals that 84% of organisations have experienced an identity-related security breach in the last two years, and 96% believe their identity-related breaches were preventable. Matt Rider, VP of Security Engineering EMEA at Exabeam, explains: “It’s for this reason that efforts such as Identity Management Day are so important. Not only does it provide the opportunity to raise awareness around the subject, but it also provides a space to educate the public on best practices.”
Today marks the 3rd annual Identity Management Day, which aims to draw attention to the dangers of casually or improperly managing and securing digital identities. Cyber Protection Magazine spoke to a range of tech security professionals about how businesses can ensure the digital identities of their employees remain secure, keeping businesses’ privacy intact.
Compromised Company Credentials – a major red flag.
Andy Bates, Practice Director – Security at Node4, starts: “Unauthorised access is obviously a red flag when it comes to cybersecurity and most organisations will have measures in place to identify and deny such access. But what do you do when an attacker gains access using a valid username and password?”
Jasson Casey, Chief Technology Officer at Beyond Identity, explains: “Company credentials can be quickly obtained through phishing attacks or dark web dumps, and MFA codes and passwords stored in password managers are easily interceptable. Indeed, security incidents analysed in the Verizon Data Breach Report 2022 showed credentials were the most likely form of data to be compromised in both the US (66%) and EMEA (67%).”
Such breaches often begin with phishing, and when an employee has reused a compromised password, the attacker gains easy access. Node4’s Bates elaborates: “Once inside the system, the attacker can get to work completely unnoticed, stealing sensitive data, deleting files, or planting malware.”
Credential theft has been responsible for some of the most prolific cyber attacks of recent years, including the infamous 2020 Twitter hack. “And yet despite this, the UK Government continues to recommend password-based frameworks as best practice for cybersecurity,” Beyond Identity’s Casey reiterates.
Passwords? I’ll pass.
It is vital for businesses to ensure that their employees understand the importance of password hygiene. Node4’s Bates describes the unfortunate reality: “A recent survey revealed that 57% of people who have already been scammed in phishing attacks still haven’t changed their passwords, and 51% of people use the same passwords for both work and personal accounts.”
Tom Ammirati, CRO at PlainID, agrees: “When exposed passwords and identity credentials appear in password dumps, bad actors know that users are likely to have similar, if not identical, passwords across their accounts, whether they be for business or personal. Even if a password is different from the one exposed, bad actors and the AI technology they deploy can simply try variations until they gain access.”
Unquestionably, the education of employees on password hygiene is imperative if you want them to become your first line of defence rather than your weakest link.
Beyond Identity’s Casey urges companies to go a step further and remove passwords altogether. He explains: “Passwords – even those backed by ‘traditional’ MFA – are the single biggest vulnerability most organisations now have. Relying on fallible human nature, they require employees and customers to uphold security hygiene at the risk of severe organisational compromise.”
MFA – the good, the bad and the ugly.
The experts urge businesses, at a minimum, to go one step further than passwords and employ multi-factor authentication (MFA) to avoid identity-related attacks.
Node4’s Andy Bates explains that MFA provides a second layer of authentication after inputting the username and password correctly. He adds that this acts “as a safety net so even if an unauthorised individual obtains valid credentials, they still cannot gain access to your systems.”
But with so many MFA options available, how can organisations tell the difference between the good and the bad?
Beyond Identity’s Chief Technology Officer expounds: “Good MFA is vastly different from the first-generation MFA that uses one-time passwords and push notifications. Good MFA provides phishing resistance through the use of public/private key cryptography that binds the identity to a device and the user biometrics built into modern endpoints like phones and laptops. Modern, phishing-resistant MFA does not rely on passwords or utilise other weak factors like one-time codes, or push notifications as part of the authentication process.”
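To make the phishing-resistance claim in the quote above concrete, here is an added example (not from the article, and not code from Beyond Identity) of the public-key pattern it describes, modelled loosely on how WebAuthn scopes a credential to the site that registered it. The origins, the user name and the Scenario function are constructed for illustration. A device-bound key pair is registered per site; at login the server issues a random challenge, and the device signs it together with the origin the browser actually observed. A look-alike site therefore cannot obtain a usable signature: the device holds no credential for that origin, and a signature bound to another origin does not verify at the real site. A one-time code, by contrast, is a bearer secret that works wherever it is typed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models a device-bound credential store: one key pair per
// relying-party origin, and the private key never leaves the device.
type Authenticator struct {
	creds map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
}

// Register mints a fresh key pair scoped to rpOrigin and returns only the
// public half for the server to store.
func (a *Authenticator) Register(rpOrigin string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.creds[rpOrigin] = priv
	return &priv.PublicKey
}

// Assert receives the origin the browser actually observed. With no
// credential scoped to that origin the device has nothing to sign with;
// otherwise it signs the challenge bound to that observed origin.
func (a *Authenticator) Assert(observedOrigin string, challenge []byte) ([]byte, bool) {
	priv, ok := a.creds[observedOrigin]
	if !ok {
		return nil, false
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(observedOrigin, challenge))
	if err != nil {
		panic(err)
	}
	return sig, true
}

// signedData is the message the signature covers: origin and challenge,
// separated by a zero byte so neither can be confused with the other.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0})
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty models the server: its own origin plus registered public keys.
type RelyingParty struct {
	origin string
	keys   map[string]*ecdsa.PublicKey
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin: origin, keys: map[string]*ecdsa.PublicKey{}}
}

// NewChallenge issues a fresh random nonce, so a captured signature cannot
// be replayed for a later login.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify accepts the login only if the signature covers this server's own
// origin and the challenge it issued, under the user's registered key.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.keys[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedData(rp.origin, challenge), sig)
}

// Scenario runs one genuine login and two phishing attempts (constructed
// origins and user) and reports whether each behaved as intended.
func Scenario() (legitAccepted, phishRefused, relayedRejected bool) {
	bank := NewRelyingParty("https://bank.example")
	lure := NewRelyingParty("https://bank-login.example") // look-alike site
	device := NewAuthenticator()
	bank.keys["alice"] = device.Register(bank.origin)

	// 1. Genuine login: real origin observed, device signs, server accepts.
	c1 := bank.NewChallenge()
	sig1, _ := device.Assert(bank.origin, c1)
	legitAccepted = bank.Verify("alice", c1, sig1)

	// 2. The lure relays the bank's challenge, but the browser reports the
	//    lure's origin, for which the device holds no credential.
	_, signed := device.Assert(lure.origin, bank.NewChallenge())
	phishRefused = !signed

	// 3. Even if the user had registered at the lure, a signature bound to
	//    the lure's origin does not verify at the bank.
	lure.keys["alice"] = device.Register(lure.origin)
	c3 := bank.NewChallenge()
	sig3, _ := device.Assert(lure.origin, c3)
	relayedRejected = !bank.Verify("alice", c3, sig3)
	return
}

func main() {
	a, b, c := Scenario()
	fmt.Println("genuine login accepted:", a)
	fmt.Println("phished login refused by device:", b)
	fmt.Println("relayed signature rejected by server:", c)
}
```

The two checks that make this phishing resistant are independent: credential scoping stops the device from signing for a site it never registered with, and including the origin in the signed message means that even a signature the user willingly produced elsewhere is useless at the real site.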
Putting organisations’ trust into a Zero Trust strategy
Aside from adopting password hygiene and good MFA, organisations can also employ next-level technologies built to grant access only to trusted identities. PlainID’s Ammirati elaborates: “Organisations are now implementing next-level technologies, processes, and policies to ensure that trusted identities have authorised access to digital assets.”
Beyond Identity’s Casey adds that passwordless, phishing-resistant MFA factors lay the foundation for Zero Trust architectures: “This modern, phishing-resistant authentication ensures a much higher level of trust in the user identity, stops credential attacks and finally closes off the single largest vulnerability that all organisations have – passwords.”
Don’t be the cause of your suffering – prevention is more effective than cure
PlainID’s Ammirati adds: “It is just as important to remember that prevention is much more effective than cure. By training staff to spot phishing attempts by bad actors, credentials are unlikely to be exposed in the first place. If we can do that, and in combination with succinct access controls, then organisations will be much more likely to prevent many of these breaches before they even occur.”
Concluding, Beyond Identity’s Casey states: “Identity Management Day’s purpose is to highlight the dangers of casually or improperly managing and securing digital identities. In 2023, businesses must accept the reality we are now facing – passwords and weak 1st generation MFA are no longer viable solutions.”
Egnyte’s Director of Cybersecurity Evangelism, Neil Jones, adds: “In my experience, companies with the most effective cyber-protection programs have learned that identity management is a critical first line of defense against potential cyber-attackers. For maximum effectiveness, proper identity management should be combined with proven endpoint security and data governance solutions, since it’s imperative that organizations protect what cyber-attackers want access to the most – their data. It isn’t sufficient to protect the technical infrastructure around the data, you also need to protect the data itself.”