IDSA report reveals that 96% of respondents think they could have prevented a breach by focusing on identity security
The Identity Defined Security Alliance (IDSA), a nonprofit that helps organizations reduce risk by providing education and best practices, just released a report on current trends in the state of identity management.
The research provides insight on how over 500 contemporary organizations with over 1,000 employees each are faring on their journeys to better identity and access management (IAM).
They begin by ripping off a proverbial band-aid, revealing that:
- 84% of respondents said they experienced an identity-related breach in the past year
- And 96% said they could have prevented or minimized the breach by implementing identity-focused security outcomes.
While these numbers aren’t surprising, they are regrettable. Fortunately, however, 94% said identity investments are part of strategic initiatives, indicating a growing awareness of the need for improved security postures. Here’s what’s happening, and how Enzoic can help.
Bad Habits are Still Manifold
While topics like password hygiene are considered basic security, it’s often basic security that still needs the most improvement. Human error is frequently at the root of these issues, too. According to the 2022 DBIR, 82% of breaches involved the human element, whether through the “use of stolen credentials, phishing, misuse, or simply an error.”
The IDSA report revealed similar findings. Of the alarming 84% of respondents who experienced an identity-related breach in the past year, many traced the incident back to human error. Phishing attacks (where an employee mistakenly falls for a well-disguised email scam), stolen credentials, password spraying, and many other identity-related attacks rely on users having weak and reused passwords. A single set of compromised credentials can be the entry point for account takeover and malware deployment.
Bad password habits aren’t unique to rank-and-file employees, either. Even IT experts admitted to sharing credentials on third-party apps and to using devices not authorized for work to access work material.
In a similar vein, only 51% of respondents said they remove access for a former employee in a timely fashion, meaning that more people retain access to more information for longer, which leaves ongoing exposure in the environment.
And things are getting worse…
With additional identities come additional vulnerabilities. The overall number of identities in use is increasing, due in part to
- the expansion of cloud applications
- an increase in the number of remote employees
- an increase in third-party relationships
- and an increase in the number of machine identities, like IoT devices and bots.
Breaches are a cumulative threat, exacerbated both by the growing number of identities and by poor habits that lead to preventable incidents.
…Including the impact of a breach.
Any kind of breach can be a damaging experience for an organization. Whether the result is the loss of personal data or of millions of dollars, the impact is larger than companies realize: breaches are difficult to ‘bounce back’ from.
Long-lasting damage in the form of lost stakeholder trust, or other reputational harm, can weigh on a company long after it recovers from the ‘actual’ costs of ransomware or replacing equipment. This means additional loss of revenue.
But Things Can Change!
According to the IDSA, those surveyed almost universally agreed (96%) that implementing a security outcome could have prevented or minimized a breach. This acceptance is a first step towards positive change.
There are efficient ways to improve your security posture, and with some tools you can do so practically overnight.
Just a couple of months ago, the IDSA announced its “Identity Management Project of the Year” and awarded Enzoic’s customer West-Mark for the results of an initiative that eliminated compromised credentials from their environment. This was achieved by complying with NIST password guidelines, while also following additional guidance to eliminate forced periodic password resets, which had the added benefit of reducing user friction.
Scanning for compromised credentials is one of the most efficient ways to prevent credential-related breaches.
The IDSA also recommends implementing MFA, timely reviews of privileged access accounts, and adoption of the Principle of Least Privilege.
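As an added example (not code from the IDSA report, Enzoic or West-Mark), here is the kind of screening the passage describes: a NIST SP 800-63B-style check that rejects short, context-specific and known-compromised passwords, with the blocklist consulted through a k-anonymity range lookup so only a hash prefix leaves the client. The function names and the sample blocklist are assumptions constructed for the example.

```python
# Added example: NIST SP 800-63B-style password screening against a
# compromised-credential blocklist. Not code from the IDSA report or Enzoic.
import hashlib

MIN_LENGTH = 8    # NIST SP 800-63B minimum length for memorized secrets
MAX_LENGTH = 64   # verifiers must accept at least 64 characters

# Constructed sample blocklist: SHA-1 digests of a few known-weak passwords,
# standing in for a real compromised-credential feed (hashes, never plaintext).
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "Summer2022!")
}

def sha1_split(password: str):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def range_lookup(prefix: str) -> list:
    """Server side of a k-anonymity range query: every blocklisted suffix that
    shares the prefix. The server never sees the full hash or the password."""
    return [h[5:] for h in COMPROMISED_SHA1 if h.startswith(prefix)]

def is_compromised(password: str) -> bool:
    """Client side: send only the prefix, then compare suffixes locally."""
    prefix, suffix = sha1_split(password)
    return suffix in range_lookup(prefix)

def screen_password(password: str, context_words=()) -> list:
    """Reasons a new password should be rejected (empty list = accepted).

    Length bounds, compromised-password blocklist and context-specific words
    (username, company name) per NIST SP 800-63B; no composition rules and
    no periodic forced reset are implied.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if len(password) > MAX_LENGTH:
        reasons.append("too long")
    if is_compromised(password):
        reasons.append("found in compromised-credential list")
    lowered = password.lower()
    for word in context_words:
        if word and word.lower() in lowered:
            reasons.append(f"contains context word '{word}'")
    return reasons
```

Run the screen at password creation and on each login against a regularly refreshed blocklist, so credentials exposed after they were set are caught as well.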
Another finding from their research concerned the impact that leaders can have on security. They found that when executives speak publicly to employees about password security, risky behaviors decrease.
Whether this is due to general awareness, or actual habit reformation, is unknown, but the data indicates that directives around securing compromised credentials must be seen as a priority for change to occur.
Overall, the report recognizes that most companies are not keeping up with the trends happening around them. IT professionals and executives need to invest both budget and time in finding solutions that protect their company, as soon as possible.