By Jeff Reich, Executive Director, Identity Defined Security Alliance (IDSA)
In my nearly five decades in the cybersecurity industry, I have seen countless security and risk situations. Many security practitioners believe we know what makes systems, security, and availability happen, and that’s true in many cases. However, there’s always more beneath the surface that we encounter daily.
Where are we?
As digital transformation accelerates, organizations face increasing challenges in protecting digital identities. For example, Zero Trust Architecture (ZTA) has been around for a while, yet most organizations have not implemented it. The Cybersecurity and Infrastructure Security Agency (CISA) has defined its Zero Trust Maturity Model with five pillars, the first being Identity.
At the Identity Defined Security Alliance (IDSA), we recently released our 2024 Trends in Identity Security report. The report confirms some expected trends and also presents new attention-grabbing data. Notably, 73% of respondents said that effectively managing and securing digital identities was among their top three priorities, up from 61% in 2023. This raises the question of what should be done about the remaining organizations not in that 73%.
One factor that makes this difficult to manage is identity sprawl. Think about the different ways you access systems and information at work and home. How many different accounts do you use at work? Is there one for your computer, another for your email system, your accounting system, and your HR system? Every access account that exists is an expansion of your attack surface, increasing the risk to you and your organization. Our research also revealed that over half (57%) of the respondents consider managing identity sprawl a major focus, yet only roughly one-third track any costs associated with identity sprawl. There is a savings opportunity here.
Incidents are not free
We cannot ignore the direct and indirect costs associated with identity-related incidents. Almost every organization (90%) has encountered one or more identity-related incidents in the past year. These range from one compromised password to a full-blown ransomware incident that can disable an organization. Social engineering still wins the day in this space, with phishing being the number one method. It’s alarmingly easy for anyone to click on an image or link in an email and introduce malware into their system. No other cause comes close: more than two-thirds of incidents were caused by phishing.
Notably, 84% of organizations say identity-related incidents directly impacted their business. These are not petty attempts at disruption; they affect everyone. Almost half had three or more incidents in the past year that required using their incident response plans.
Is the new technology helping?
On the upside, over two-thirds of respondents feel positive about passwordless authentication, and almost all respondents expressed their desire to implement phishing-resistant Multi-Factor Authentication (MFA).
On the subject of learning, the majority of respondents see Artificial Intelligence (AI) or Machine Learning (ML) playing a role in identifying outlier behavior and evaluating alert severity in their Security Operations Center (SOC). Movement in these areas is expected within the coming year.
What are we learning?
When asked, in retrospect, what could have avoided or reduced the impact of an identity-related incident, the top three responses were:
- Implemented MFA for all users
- More timely reviews of access to sensitive data
- More timely reviews of privileged access
Implementing these measures will not solve all problems, but it will eliminate or reduce many of them. These measures have become basic housekeeping. Having an incident without having implemented them increases the risk and puts the burden on you.
We can all work together to raise the tide of identity protection. Look at your digital environment and see what you can do to eliminate some of the multitude of identity-related incidents happening right now.