How CIOs can drive identity-based security awareness

This article is part of a VB special issue. Read the full series here: The CIO agenda: The 2023 roadmap for IT leaders.

One of CIOs’ most persistent challenges is motivating employees to be more consistent in securing their own devices and the company’s laptops, phones and tablets. With passwords increasingly proving inadequate in protecting enterprise accounts and resources, CIOs are fast-tracking single sign-on (SSO), multifactor authentication (MFA), adaptive access and passwordless authentication to secure accounts and networks. They are finding that innovation more effectively sells security awareness than simply requiring compliance.  

Raising security awareness across an enterprise is a daunting task, however. CISOs tell VentureBeat that achieving a solid MFA adoption rate is key to retaining and growing zero-trust security budgets. It is considered one of the quickest wins a CIO and CISO can get to defend, and then grow, their budgets.

CIOs also tell VentureBeat that driving security awareness of advanced identity management techniques and tools — including SSO, MFA, biometrics and the variety of passwordless authentication technologies they’ve piloted — is making progress. The goal is to protect every endpoint and identity across the corporate network, focusing on hybrid workers using their own devices.

Build security awareness with zero trust

CIOs and their IT teams can’t afford to spend much time deploying and managing multiple complex identity management systems with inconsistent track records. IT and security teams have for years tried to increase the adoption rate of legacy and challenging-to-use password and identity verification systems, but have yet to succeed.


With more funding for zero-trust initiatives and training and development budget support, CIOs are launching awareness campaigns that center on the benefits of zero-trust security for employees at a personal and professional level. 

Showing employees how their identities are the new security perimeter helps. One of the first topics CIOs cover in their security awareness programs is how critical it is to practice zero-trust security at a personal level. Training stresses that attackers want to steal the personal identities of as many employees as possible and defraud them as individuals.

The most effective MFA and SSO techniques combine what-you-are (biometric), what-you-do (behavioral biometric) or what-you-have (token) factors with what-you-know (password or PIN code) authentication. Educating employees about protecting their identities with authentication technologies that draw on these factors is consistent with zero trust and with enforcing least-privileged access on any device. MFA and SSO are the dominant forms of identity-based security for internal and SaaS applications.

SSO and MFA have broad adoption, yet CIOs tell VentureBeat the challenge is getting employees to use them consistently as part of their cybersecurity hygiene. Source: Okta, The State of Zero Trust Security 2022.

How CIOs are getting results

With the majority of enterprises either implementing or planning to implement it, MFA has become pervasive across enterprises. CIOs tell VentureBeat that pilot programs need quick wins to gain momentum internally and that sharing progress is key to keeping all employees engaged. Their advice on best practices:

Get C-level executives into pilots early, as attackers go after their accounts first

Having C-level executives involved in the initial pilot is crucial. Credential spraying and stuffing attacks, phishing and other social engineering-based attacks are still succeeding in tricking senior management into sharing privileged access credentials or providing access to corporate systems and servers.

C-level executives in crucial revenue, accounting and customer success roles are critical, as phishing and whaling attacks increasingly target this group. Ivanti’s State of Security Preparedness 2023 Report found that C-level executives are at least four times more likely to be phishing victims than other employees. Nearly one in three CEOs and members of senior management have fallen victim to phishing scams, either by clicking on a link or by sending money.

The Ivanti study also found that C-level executives are the most likely to keep using passwords for years, creating a security risk. 

“We know nearly all account compromise attacks can be stopped outright, just by using MFA,” said Karen S. Evans, managing director of Cyber Readiness Institute. “It’s a proven, effective way to thwart bad actors. All of us — governments, nonprofits, industry — need to do much more to communicate the value of MFA to small business and medium-sized owners.”

Design MFA and SSO into the best UX workflows

Another key lesson learned in improving identity-based security awareness is to design MFA and SSO into existing processes so that the overall user experience improves. Having a single MFA or SSO session for all enterprise systems is critical. MFA breaks down on mobile devices because the user experience is complex, and mobile security and authentication apps don’t adhere to consistent design standards.

Build MFA into simplified endpoint login workflows

An innovative approach to increasing identity-based cybersecurity awareness is building MFA into any endpoint’s login sequence. CISOs should partner with CIOs to make this process as transparent as possible.

Forrester’s report, The Future of Endpoint Management, provides insights and valuable suggestions on how CIOs and CISOs can collaborate to improve MFA and endpoint security. Report author Andrew Hewitt told VentureBeat: “The best place to start is always around enforcing MFA. This can go a long way toward ensuring that enterprise data is safe. From there, it’s enrolling devices and maintaining a solid compliance standard with the UEM tool.”

Look for new ways to minimize MFA and SSO impact and advertise them internally

CIOs say they have moved on to supporting USB and wireless tokens because these offer a better user experience during MFA login sessions than legacy systems that require hardware tokens to generate a single-use password. Transitioning to phone-as-a-token methods is now a requirement to support hybrid workforces, CISOs tell VentureBeat.

Demonstrate security wins, including intrusion and breach kill rates

The critical lesson learned from CIOs’ experiences is to demonstrate these technologies to employees and actively provide ongoing updates. CIOs and CISOs should partner with each other and regularly hold lunch-and-learns and share their “kill rate” (how many intrusions and attacks they stopped using the combination of MFA and SSO technologies).

Using telemetry data across the hybrid network of remote users allows the team to see when a concerted attack has been launched across multiple threat surfaces simultaneously. They can identify how many intrusions they stopped and on which accounts. Often, the attack activity clusters around C-level executives and their immediate reports as attackers look to steal privileged access credentials they can use to log into enterprise systems immediately.   
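The "kill rate" and attack-clustering analysis described above, as an added example that is not part of the original article: it runs over a few constructed sign-in events (not real telemetry), treats a sign-in that presented a correct password but never satisfied MFA as an intrusion that MFA stopped, and reports how many were stopped, on which accounts, whether they cluster on executives, and when several accounts were hit inside one short window (a concerted attack).

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sign-in telemetry, not real data: (timestamp, account, role, outcome).
# "mfa_denied" means a correct password was presented but the MFA challenge was
# never satisfied, i.e. an intrusion attempt that MFA/SSO stopped.
EVENTS = [
    ("2023-01-10T08:00:05", "cfo@example.com", "c-level", "mfa_denied"),
    ("2023-01-10T08:00:41", "cfo@example.com", "c-level", "mfa_denied"),
    ("2023-01-10T08:01:12", "ceo@example.com", "c-level", "mfa_denied"),
    ("2023-01-10T08:01:50", "controller@example.com", "direct-report", "mfa_denied"),
    ("2023-01-10T08:02:03", "ceo@example.com", "c-level", "success"),
    ("2023-01-10T09:15:00", "dev1@example.com", "staff", "password_fail"),
    ("2023-01-10T13:45:10", "dev2@example.com", "staff", "success"),
]
EXEC_ROLES = {"c-level", "direct-report"}

def kill_rate(events):
    """Share of password-correct sign-ins that MFA still stopped, plus per-account counts."""
    stopped, with_password = Counter(), 0
    for _, account, _, outcome in events:
        if outcome in ("mfa_denied", "success"):
            with_password += 1
        if outcome == "mfa_denied":
            stopped[account] += 1
    rate = sum(stopped.values()) / with_password if with_password else 0.0
    return rate, dict(stopped)

def concerted_attack_windows(events, window=timedelta(minutes=5), min_accounts=3):
    """Start times at which MFA blocked >= min_accounts distinct accounts within `window`."""
    denied = sorted((datetime.fromisoformat(ts), acct)
                    for ts, acct, _, outcome in events if outcome == "mfa_denied")
    hits = []
    for i, (start, _) in enumerate(denied):
        accounts = {acct for t, acct in denied[i:] if t - start <= window}
        if len(accounts) >= min_accounts:
            hits.append(start.isoformat())
    return hits

def executive_share(stopped_by_account, events):
    """Fraction of stopped intrusions aimed at C-level accounts or their direct reports."""
    role_of = {acct: role for _, acct, role, _ in events}
    total = sum(stopped_by_account.values())
    exec_hits = sum(n for acct, n in stopped_by_account.items() if role_of[acct] in EXEC_ROLES)
    return exec_hits / total if total else 0.0
```

On the constructed events, four of six password-correct sign-ins were stopped by MFA, all four targeted executive accounts, and three distinct accounts were hit within five minutes, which is the clustering pattern the article describes.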

Adaptive access management tools are catching on in enterprises not bound by regulatory requirements

CIOs and CISOs tell VentureBeat that adaptive access management is a win for hybrid workforces who find legacy MFA systems cumbersome and time-consuming. Introducing the concept of adaptive access to a globally distributed workforce draws attention and raises identity-based security awareness.

Popular adaptive access solutions include conditional access in Microsoft Azure AD Premium. What makes adaptive access approaches attractive to hybrid workforces is how the technology considers a wide base of contextual data to judge the trustworthiness of a session. It reduces the need for passwords and MFA prompts by instead scoring the risk of each session in real time.
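The real-time session risk scoring described above, as an added example that is not part of the original article or of any vendor's product: the signal names, weights and thresholds are assumptions chosen for illustration. It combines contextual signals into a score and maps that score to a conditional-access style decision, so a trusted session passes without an MFA prompt while an anomalous one is challenged or blocked, with a stricter bar for privileged (C-level or admin) accounts.

```python
from dataclasses import dataclass

@dataclass
class SessionContext:
    """Contextual signals an adaptive access engine weighs (constructed for this example)."""
    device_managed: bool     # enrolled in UEM and currently compliant
    known_device: bool       # device seen for this user before
    country: str             # geolocation of this request
    home_country: str        # where the user normally signs in from
    impossible_travel: bool  # previous session too far away to be physically plausible
    ip_reputation: str       # "clean", "anonymizer" or "known_bad"
    privileged_role: bool    # C-level / admin accounts get a stricter bar

# Assumed weights: additive, capped at 100; higher means less trustworthy.
IP_WEIGHT = {"clean": 0, "anonymizer": 20, "known_bad": 50}

def risk_score(ctx: SessionContext) -> int:
    score = 0
    if not ctx.device_managed:
        score += 25
    if not ctx.known_device:
        score += 15
    if ctx.country != ctx.home_country:
        score += 15
    if ctx.impossible_travel:
        score += 30
    score += IP_WEIGHT[ctx.ip_reputation]
    return min(score, 100)

def access_decision(ctx: SessionContext):
    """Return (decision, score): 'allow' silently, 'require_mfa' (step-up) or 'block'."""
    score = risk_score(ctx)
    mfa_threshold = 20 if ctx.privileged_role else 30
    block_threshold = 60 if ctx.privileged_role else 75
    if score >= block_threshold:
        return "block", score
    if score >= mfa_threshold:
        return "require_mfa", score
    return "allow", score
```

The thresholds are deliberately lower for privileged roles, reflecting the article's point that executive accounts are targeted first.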

Passwordless authentication is the innovation identity-based security needs

Hybrid teams need a zero trust-based approach to passwordless authentication to stay secure. The goal is to ensure attackers can’t phish their way into senior executives’ accounts and steal their privileged access credentials.

Stopping privileged access abuse starts with designing a passwordless authentication system intuitive enough that users aren’t frustrated by it, while still providing adaptive authentication on any mobile device. Ivanti’s Zero Sign-On (ZSO) approach, which combines passwordless authentication and zero trust on its unified endpoint management (UEM) platform, shows how vendors are responding. It uses biometrics, including Apple’s Face ID, as the secondary authentication factor for accessing personal and shared corporate accounts, data and systems.

Ivanti ZSO is a component of the Ivanti Access platform that replaces passwords with mobile devices as the user’s identity and primary factor for authentication. ZSO eliminates the need for passwords by using robust FIDO2 authentication protocols. CIOs tell VentureBeat that Ivanti ZSO is a win in terms of user awareness and adoption because any device can be secured, whether managed centrally or not.

Additional passwordless authentication providers include Microsoft Azure Active Directory (Azure AD), OneLogin Workforce Identity, Thales SafeNet Trusted Access and Windows Hello for Business. 

Lead with innovative new solutions to gain mindshare 

New, innovative identity-based security approaches help employees buy into new security initiatives. Consider how selling the benefits of adaptive access management or passwordless authentication compares to forcing employees into hours of online training that covers the benefits of a decades-old solution.

Go for the exciting aspects of identity-based security without using the fear of identity theft as a motivator. Instead, concentrate on how innovations in identity-based tools can serve them better by securing their personal and professional identities. Innovation — not requiring online learning of a system they’ve already used for years — is the answer.  

Originally appeared on: TheSpuzz
