Hackers got hold of over one billion identities last year, as data breach incidents just kept on escalating. If ever a statistic highlighted the failure of current approaches to protect corporate systems, it is this one. In fact, two-thirds of organisations have experienced an average of five breaches over the past two years, according to Forrester. The tens of billions of pounds CIOs invest in security every year just are not getting to the heart of the problem: passwords.
Nearly two-thirds 63% of data breaches involve weak, default or stolen passwords, according to Verizon. To stand any chance of success, organisations desperately need to rethink their approach to security. And this must start with a new focus on increasing the maturity of their Identity and Access Management programmes.
Why are passwords the Achilles heel of modern IT systems?
Because they can be easily compromised via phishing attacks and, or info-stealing malware, allowing attackers to walk right through the virtual front door to the organisation. Privileged account credentials, such as those belonging to IT administrators, are particularly highly prized as they can offer unfettered access to stores of highly sensitive IP and customer data. In fact, Forrester estimates that 80% of breaches involve these log-ins.
Think IT staff manage their passwords more securely than regular users?
Think again. Frequently they are guilty of the same bad habits: simple, easy to guess or crack credentials, extensive password reuse and even log-ins written down on post-it notes. And even if your staff are strictly vetted and managed, can you say the same for your contractors – often targeted by hackers as one of the weakest links in cybersecurity? By maintaining this outdated approach to identity and access management, we are making the hackers’ job way too easy.
Today’s CIOs and CISOs are also responsible for increasingly complex and siloed IT environments – multiplying the volume of passwords and identities that need to be managed securely. As well as exposing organisations to increased risk of a breach, multiple identity siloes can create a compliance nightmare if named users cannot be associated with related activity, access controls and role-based privileges.
The growth of cloud, virtual and now Internet of Things systems will only continue to escalate these challenges. And they could have a catastrophic impact if not properly managed. The coming European General Data Protection Regulation for example, will levy fines of up to 4% of annual global turnover for serious privacy breaches. That is not to mention the impact of reputational damage on customer churn and share price. It is no surprise that the average cost of a data breach to UK firms stood at over £2.5m last year.
IT leaders therefore need to focus on improving the maturity of their Identity and Access Management programmes. Try minimising the number of privileged accounts in the organisation. This can be done quite simply and will start the process of reducing your attack surface. By limiting lateral movement inside the organisation and enforcing a least privilege approach – that is, granting users only enough privileges to do their job and no more – you can make it harder for attackers to accomplish their goals.
For example, by restricting user access to specific systems and even within those systems to specific commands, it becomes more difficult for hackers to find the handful of IT staff with the right privileges they need to access targeted data. Also, consider automated systems to provision and de-provision privileges for specific limited time periods – further restricting access to users, and therefore any attackers that might be inside your network. Monitoring and logging those privileged accounts is also a great way to spot any unusual activity and enforce best practices of Identity and Access Management.
But we need to go further.
In a world where passwords are susceptible to compromise and have grown to the point where they can no longer be managed effectively, organisations must look to Multi-Factor Authentication. This is an easy win for IT leaders looking to improve Identity and Access Management as it adds an extra layer of security at log-in – typically through biometrics or a one-time generated passcode.
Try combining this with Single Sign-On, designed to improve the user experience by consolidating access across multiple systems. Single Sign-On will also help reduce identity siloes and therefore improve visibility and compliance efforts. Ally this to a risk-based approach, which will take account of various factors such as the user’s geographic location, role, and past behaviour to only enforce Multi-Factor Authentication when the log-in attempt is assessed as high risk. This makes the whole process even more straightforward and friction-free for the user whilst maintaining maximum security for the organisation.
The results speak for themselves. Forrester claims that organisations with the highest Identity and Access Management maturity suffer half the number of breaches experienced by the least mature. This could have a very real impact on the bottom line, by saving an estimated 40% in technology costs and an average of $5m in breach costs.
It is time to stop throwing money away on security investments and get to the heart of the problem, by rethinking how you authenticate and manage your users.
- A risk-based approach takes account of geographic location, role, and past behaviour to enforce Multi-Factor Authentication when log-in attempt is assessed as high risk.
- By limiting lateral movement inside the organisation and enforcing a least privilege approach, you can make it harder for attackers to accomplish goals
- By restricting user access to specific systems and within those systems to specific commands, it becomes difficult for hackers to find IT staff with right privileges they need to access targeted data
- CIOs, CISOs are responsible for complex IT environments, multiplying volume of passwords that need to be managed securely
- Consider automated systems to provision and de-provision privileges for specific limited time periods restricting attackers inside your network
- Forrester claims organisations with highest Identity and Access Management maturity suffer half the number of breaches experienced by the least mature
- Forrester estimates that 80% of breaches involve administrator log-ins
- Nearly two-thirds 63% of data breaches involve weak, default, stolen passwords, according to Verizon
- Privileged account credentials, such as those belonging to IT administrators, are particularly highly prized as they can offer access to highly sensitive IP and customer data
- Single Sign-On will help reduce identity siloes and therefore improve visibility and compliance efforts
- Tens of billions of pounds CIOs invest in security every year are just not getting to the heart of the problem: passwords
- Try combining this with Single Sign-On, designed to improve user experience by consolidating access across multiple systems
Single sign-on and multi factor authentication are ways to get around weak user passwords according to Kamel Heus at Centrify.