2023 marks the third celebrated Identity Management Day, established to raise awareness about the dangers of casually or improperly managing and securing digital identities.
Matt Rider, VP of Security Engineering EMEA at Exabeam, explains why this is so important: “Not only is credential theft responsible for some of the most prolific cyberattacks, such as the infamous 2020 Twitter hack, but it is also one of the most common and widespread forms of cyberattack. In fact, the 2022 Ponemon Institute State of Cybersecurity Report found that a staggering 54% of security incidents are caused by compromised credentials.”
It comes as no surprise to businesses today that cybersecurity should be a top priority, with data breaches and cyberattacks in the news daily, and some of the UK’s top organisations, such as Royal Mail, falling victim. However, no matter how much time and effort is invested in data protection solutions, business leaders should never get complacent. “Security risk vectors are dynamic and fluid, and as a result, data breaches continue to challenge even the most resilient of enterprise architectures,” warns Tom Ammirati, CRO at PlainID.
A common cause of credential theft is poor password hygiene; Node4’s Practice Director – Security, Andy Bates, points to a recent survey “that revealed that 57% of people who have already been scammed in phishing attacks still haven’t changed their passwords, and 51% of people use the same passwords for both work and personal accounts.”
Ammirati at PlainID explains the risk of this in more detail: “When exposed passwords and identity credentials appear in password dumps, bad actors know that users are likely to have similar, if not identical, passwords across their accounts, whether they be for business or personal. Even if a password is different from the one exposed, bad actors and the AI technology they deploy can simply try variations until they gain access. Once they have entry into the organisation’s system, the attacker can move laterally, completely unnoticed, to access sensitive data, remove files or plant malware.”
Node4’s Bates recommends scheduling regular training sessions to remind employees of best practices: “Educating employees on what makes a strong password, the importance of changing it regularly (especially if it’s been compromised!), and how to spot and avoid phishing traps will make them your first line of defence rather than your weakest link.”
Invest in a technological ally
Implementing the right technological system can be a lifesaver, should human error occur. PlainID’s Ammirati notes that, “organisations are now implementing next-level technologies, processes, and policies to ensure that trusted identities have authorised access to digital assets. By ensuring that the ‘right’ users have access to the ‘right’ resources under pre-approved conditions, users attempting to access the network by force become more visible, and countermeasures can be put in place.”
Jasson Casey, CTO at Beyond Identity, takes this a step further and advocates for going passwordless: “Passwords – even those backed by ‘traditional’ MFA – are the single biggest vulnerability most organisations now have.
“Good MFA provides phishing resistance through the use of public/private key cryptography that binds the identity to a device and the user biometrics built into modern endpoints like phones and laptops,” he explains. “These passwordless, phishing-resistant factors are an important foundation for Zero Trust architectures. This modern, phishing-resistant authentication ensures a much higher level of trust in the user identity.”
Exabeam’s Matt Rider concludes that, “efforts such as Identity Management Day are so important. Not only does it provide the opportunity to raise awareness around the subject, but it also provides a space to educate the public on best practices.”