Did you miss a session from MetaBeat 2022? Head over to the on-demand library for all of our featured sessions here.
Checking work email at home, home email at work. Launching Zoom meetings on phones, tablets or personal laptops. Opening messages (even if they’re suspicious). Using the same passwords across work and personal emails and accounts (because it’s just way simpler to remember them that way, right?).
These all happen every day — millions upon millions of times — all around the world. And it puts both people, and the organizations they work for, at significant risk.
To draw attention to this — and, ideally, action around it — the theme of this year’s Cybersecurity Awareness Month is “See Yourself in Cyber.” Hosted by the National Cybersecurity Alliance (NCI) and taking place through October, the event emphasizes four key practices: enabling multifactor authentication (MFA), using strong passwords and a password manager, updating software, and recognizing and reporting phishing.
“Not all security challenges require a technological solution,” said Julie Smith, executive director of the Identity Defined Security Alliance (IDSA). “The greatest challenges to security are almost always people.”
Join today’s leading executives at the Low-Code/No-Code Summit virtually on November 9. Register for your free pass today.
The human problem
It’s becoming increasingly clear that human behavior accounts for the majority of cybersecurity issues: 95% according to the World Economic Forum; 82% per Verizon’s 2022 Data Breach Investigations Report.
The IDSA’s 2022 Trends in Securing Digital Identities report found that 84% of organizations experienced identity-related breaches in the last year. Among those, 96% reported the breaches could have been prevented or minimized simply by implementing identity-focused tools like MFA and privileged access reviews.
“It’s clear that hackers are continuing to utilize the simple login to access corporate data rather than deploying sophisticated techniques,” said Smith.
Just look to the recent Uber incident that granted “full access” to a hacker who successfully exploited a contractor’s two-factor authentication. The hacker posted to a company-wide Slack channel and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites, according to the company.
This is just one of numerous examples. “We are all familiar with headline breaches such as Colonial Pipeline and SolarWinds, which demonstrated the repercussions of a lack of identity security,” said Smith. “Weak passwords, orphaned accounts and a lack of MFA all contributed to these attacks.”
The consequences of identity-related breaches can be severe; think: large-scale disruptions, revenue losses, reputational damage, even prosecution. In fact, the World Economic Forum’s 2021 Global Risks Report ranks cyberattacks as one of the top three biggest threats of the decade, alongside weapons of mass destruction and climate change.
“Given the vast repercussions that an identity breach can impose, implementing basic identity management practices is the best way to prevent the next headline breach,” said Smith.
Identity security: Everyone’s priority
This can be simple, said Smith — but most organizations just don’t know where to begin.
First, it’s important to evaluate the current state of your organization’s security to create a roadmap, said Smith. And, although they have unique security challenges and current situations, all organizations should consider these core functions:
- Deploying MFA for all users.
- Staying on top of privileged access reviews.
- Revoking access immediately for high-risk or orphaned identities.
- Using device characteristics for authentication.
- Evaluating user behavior to detect abnormal activity.
To help organizations get started, the IDSA provides guides and best practices and an identity-defined security outcomes and approaches breakdown. The nonprofit, which hosts Identity Management Day with the NCA, is also offering a vendor-neutral toolkit in conjunction with Cybersecurity Awareness Month, and will host a webinar on October 27 on B2B identity challenges.
“Identity security is everyone’s responsibility: We all have a role to play in protecting identities and data,” said Smith.
Whether a partner, consumer or employee, you are a part of a “dynamic digital environment” comprising endless devices, applications and endpoints, she explained.
“This creates a dissolving perimeter that can be exploited more easily when protected by traditional solutions,” she said.
Knowing is the first step
On the employee side, there are two important points to consider, said Sophat Chev, chief advisor of security at IT service management company, ConvergeOne.
“Number one, think before you click,” he said. “If something seems suspicious, follow your gut instincts and pause.”
That moment can be the difference between a good and a bad day when it comes to responding to an incident. But, also use that pause to evaluate whether to escalate the suspicion.”
Number two? “You either know you’ve been breached, or you don’t,” said Chev.
All too often, organizations rely on events or alerts to begin an investigation. Instead, they should enable their end users the ability to self assess and raise any suspicions. They open themselves up to exploitation when they don’t have a platform that confirms whether someone is who they say they are through multiple checks.
Organizations should conduct an audit to limit access privilege and end-user need, said Chev. This will reduce the likelihood of an attacker leveraging accounts for higher level privileges, which is often required for admin access to sensitive servers and applications.
Ultimately, “you can’t protect what you can’t see,” said Chev. “Where data has now become a critical asset, it is vital to document and know where all your sensitive data resides. Knowing is the very first step to any data protection strategy.”
Securing all identities — human and non-human
Most importantly is to continue the conversation beyond Cybersecurity Awareness Month and other events, and shift into actionable steps, said Smith.
“While October may be the month we pay particular attention to cybersecurity awareness, it really is an all-year-long task,” she said.
She pointed out that IDSA’s report found that 60% of IT/security stakeholders admitted to risky security behaviors. “The majority of us knowingly partake in risky behaviors and fall short on basic cybersecurity practices,” she said.
There must be continued investment in identity-focused outcomes, including basic IAM best practices and executive leadership support. Management teams have to embrace identity security as a part of their company culture; this can help make identity security a strategic and integral part of their business, she said.
For instance, the IDSA found that 72% of organizations whose top-level executives speak about password security said that they are more careful with their work passwords than their personal ones. Encouragingly, identity is a top 3 security priority for 64% of organizations, and identity security investments are becoming a focal point.
This is particularly important with the emergence of non-human identities — machine identities such as bots and service accounts, for instance.
“We need to think about the lessons and strategies we’ve learned from securing human identities and implement these to secure machine identities,” said Smith. “Otherwise, every time a new type of identity emerges, we’ll inevitably make the same mistakes.”