Bottom Line: Enterprises need to develop a greater sense of urgency on identity security as 79% have had an identify-related breach within just two years.
Identities are the fastest growing and most vulnerable threat surface every organization has. A recent research study from the Identity Defined Security Alliance (IDSA) titled Identity Security: A Work In Progress provides valuable insights into how forward-thinking companies are succeeding at reducing the number of identity-related breaches. The study's methodology is based on surveys with respondents who are directly responsible for IT security or Identity Access Management (IAM) at companies with more than 1,000 employees across thirteen industries. Please see page 14 of the study for additional details on the methodology.
Key insights into the current state of identity security include the following:
Just 26% of enterprises say they are very confident they can thwart Identity breaches today. IDSA's research provides a stark wake-up call of just how challenging IT and cybersecurity leaders see protecting human and non-human identities are. 70% are somewhat confident they're able to stop an identity breach today. One of the factors undermining IT and cybersecurity leaders' confidence is not having IAM in place for human and non-human identities. Privileged Access Management (PAM) providers taking on the challenge of securing human and non-human identities include Centrify, whose approach to IAM is visionary in its ability to scale across human and machine-to-machine identity security.
- Enterprise IT and cybersecurity leaders are most confident they can stop a breach attempt based on privileged user access credentials – and least confident about stopping machine-to-machine and IoT-originated breaches. Enterprises are in a comfort zone when it comes to protecting human-based privileged access credentials versus the newer machine-to-machine and partner-based credentials that are difficult to defend against breaches. Confidence drops below 35% when IAM requires integration to software applications, partner networks, or machine-to-machine interactions. What this data says is that legacy approaches to IAM and PAM will slow down an enterprise's ability to grow by capitalizing on more machine and IoT-based transactions.
- 94% of enterprises have experienced an identity-related breach, amplifying how urgent it is for all businesses to protect human and non-human identity threat surfaces. The IDSA finds that identity-related breaches are ubiquitous across the industries and enterprises surveyed for their report. Outside the scope of the study, yet relevant to the pervasive nature of identity breaches, are how difficult they are to detect. IBM's 2020 Cost of a Data Breach Report found that, on average, it took an organization 206 days after initial intrusion first to identify a data breach and another 73 days to remediate it. Companies that were able to detect and contain a breach in fewer than 200 days spent $1.23 million less in breach costs. Enterprises need to consider how they can excel at stopping human and machine-to-machine identity breaches as the costs of breaches continue to escalate every year.
- Phishing and stolen credentials are responsible for the majority of identity-related breaches in the last two years. There has been a 667% increase in spear-fishing email attacks related to Covid-19 since the end of February alone. Microsoft thwarts billions of phishing attempts a year on Office365 alone by relying on heuristics, detonation, and machine learning, strengthened by Microsoft Threat Protection Services. Further supporting IDSA's findings is Forrester's finding that 80% of all hacking-related data breaches involve privileged access credentials. Centrify's Cybersecurity Evangelist and industry expert Dr. Torsten George provides valuable insights into how privileged access credentials can be made more secure in a recent interview, Dissecting The Twitter Hack With A Cybersecurity Evangelist.
- Identity security is still a work in progress or planning stages, according to IDSA's research. It's encouraging to see that 50% of enterprises surveyed have privileged access rights are granted according to the Principle of Least Privilege. Given that identities are the new security perimeter, least-privileged access having the highest percentage of adoption shows enterprises are adopting the Zero Trust Security framework. IDSA observes that two of the outcomes of expected user behavior for authentication and device characteristics for authentication are very effective thwarting phishing attempts yet are the least mature of outcomes today.
- 23% of enterprises define themselves as forward-thinking and are 30% ahead of their peers when it comes to achieving the outcome of privileged access rights granted, according to the Principle of Least Privilege. Forward-thinking enterprises are actively anticipating and planning for how they can prevent any unknown future risks. Forward-thinking enterprise's most significant lead is in the area of expected user behavior for authentication, a key outcome for thwarting phishing attacks.