*Updated!* Best Practices for Identity Management in 2023

Many individuals’ first encounter with real cybersecurity concerns comes in the form of some brush with an Identity Management (IdM) issue—whether their bank details have been stolen, someone has taken out an insurance policy in their name, or they receive an alert letting them know their account has been compromised.

As cybersecurity concerns and solutions take hold of public attention, Identity Management Day is a great chance to seek out new ways to reduce the impact of threat actors and secure our digital identities.

Presented by the Identity Defined Security Alliance and the National Cybersecurity Alliance (NCSA) on the second Tuesday in April, Identity Management Day is an opportunity to update cybersecurity awareness and best practices.

For a Quick Reminder… What is Identity Management?

Identity Management ensures that only authorized users have access to the technology resources they need to perform their work—that means hardware, software, applications, and permissions. User-specific information, above all credentials, is a common entry point for account takeover, ransomware attacks, and other attack vectors.

Identity-related breaches are ubiquitous and, in many cases, preventable!

84% of organizations have experienced an identity-related security breach in the last two years, and 78% experienced direct business impacts, according to research by the IDSA. According to the 2022 Verizon DBIR Report, as many as 82% of hacking-related breaches leverage weak, stolen, or otherwise compromised credentials. Passwords, all too often, are the origin point of a successful attack.

This goes for individuals, small businesses, and Fortune 500 companies—we are all collectively at risk, and in need of reminders for password hygiene and updated best practices. And it works: research shows that when executives speak publicly about the importance of securing passwords, 72% of IT/security stakeholders are more careful.

From facial recognition to fingerprint scans, there are many ways to access our accounts safely, but the reality is that passwords are still the backbone of almost all authentication methods. While other authentication methods can be layered to reinforce IdM systems, we need to close the loop properly: by securing the password layer.

What are the Best Practices to Strengthen Password Security?

1. Address Common Vulnerabilities

Despite repeated education that “password” and “123456” are not strong passwords, individuals are still creating weak passwords without knowing it. They also re-use those passwords all the time, often making only small changes to a root word. These habits are pervasive and have rippling effects.

Once a user’s credentials have been stolen from one account, they are often distributed online, or sold to other cybercriminals. Credential data is a useful and tempting target, as cybercriminals know they can access personal information via individual accounts. Threat actors are also wise to the fact that many individuals re-use passwords across personal and professional boundaries, which makes it even easier to gain access to additional accounts.

2. Audit Passwords

A straightforward way to gauge the severity of the problem is to audit the passwords in use in your environment. There are several audit tools that make it easy for organizations to get a snapshot of their domain’s password security state, compared against the latest breaches and cracking dictionaries.

3. Stay Up to Date and Follow NIST and CISA Guidelines

NIST and CISA are both excellent resources for businesses to pull from. Among the most important tips from NIST when it comes to passwords are:

  • Get rid of the password complexity requirements
    Arbitrary requirements for mixtures of upper case letters, symbols, and numbers have been shown to result in worse passwords, reused passwords, and more IT help desk calls.
  • Get rid of password length maximums
    Like the complexity requirements, having password length maximums restricts users from creating more memorable, stronger, and more unique passwords for themselves.
  • Get rid of periodic password reset
    Multiple studies have shown that requiring frequent password changes is actually counterproductive to good password security. Instead, having unique and memorable passwords is better for user security.

4. Screen for Compromised Credentials

This recommendation is also part of the NIST password guidelines, but it deserves its own emphatic bullet point. One of the best ways to protect your business and your users is to continuously screen all passwords (as they are newly created and while actively in use) against dynamic lists of both dictionary words and known compromised passwords. Alerting users and IT teams when full sets of credentials have been compromised is extremely useful in protecting the company from a breach, and has the added benefit of reducing friction for the user.
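As an added example (not code from the original post or from any product it describes), the check below applies the NIST points from section 3 together with the compromised-credential screening in this section: a minimum length, no composition rules, no maximum length, no expiry logic, and a blocklist of dictionary words, context-specific words, and breached passwords, including trivial variants of a root word. The breached-password hashes, dictionary words, and usernames are constructed placeholders; a real deployment would feed the breach set from a continuously updated corpus.

```python
"""NIST SP 800-63B style password screening (constructed example)."""
import hashlib
import re

# Constructed sample of breached passwords, stored as SHA-256 digests so the
# plaintext list never has to sit on disk. Three entries, for illustration only.
BREACHED_HASHES = {
    hashlib.sha256(p.encode()).hexdigest()
    for p in ("password", "123456", "qwerty123")
}
# Constructed dictionary words plus a context-specific word (the company name).
DICTIONARY_WORDS = {"password", "welcome", "summer", "acme"}
MIN_LENGTH = 8  # NIST minimum for memorized secrets; no maximum is enforced

# Common "leet" substitutions users apply as small changes to a root word.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "@": "a", "$": "s", "!": "i"})


def root_word(password: str) -> str:
    """Undo the usual small changes to a root word: case, trailing digits or
    symbols such as 'Summer2023!', and leet substitutions such as 'P@ssw0rd'."""
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)  # drop trailing digits/symbols
    return stripped.translate(_LEET)


def screen_password(password: str, username: str = "") -> list[str]:
    """Return the reasons a password fails screening (empty list = accepted).
    Deliberately no composition rules, no maximum length and no expiry."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if hashlib.sha256(password.encode()).hexdigest() in BREACHED_HASHES:
        reasons.append("appears in known-breach list")
    root = root_word(password)
    if root != password and \
            hashlib.sha256(root.encode()).hexdigest() in BREACHED_HASHES:
        reasons.append("trivial variant of a breached password")
    if root in DICTIONARY_WORDS:
        reasons.append("dictionary or context-specific word")
    if username and username.lower() in password.lower():
        reasons.append("contains the username")
    return reasons


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "P@ssw0rd123", "short"):
        print(candidate, "->", screen_password(candidate) or "accepted")
```

Note that a long all-lowercase passphrase passes while a short "complex" variant of a breached root word is rejected, which is the trade-off the NIST guidance makes.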

While we can’t control user behavior, businesses can understand the reality of what’s happening, educate their teams, and put solutions in place.

Cybersecurity problems, and solutions, should be discussed in all industries and at all levels of a business. A strong defensive stance is crucial, and strengthening password policies can protect companies and their employees, assist them in maintaining regulatory compliance, and reduce IT costs across the board. Identity Management Day is a perfect opportunity to bring this topic to the forefront.

#BeIdentitySmart #IDMgmtDay2023