Checking work email at home. Starting Zoom meetings on phones, tablets, or personal laptops. Opening messages (even if they are suspicious). Using the same passwords for work and personal emails and accounts (because it’s just much easier to remember them that way, right?).
These all happen every day – millions and millions of times – all over the world. And it puts both the people and the organizations they work for at great risk.
To draw attention to this – and preferably action around it – this year’s theme for Cyber Security Awareness Month is “See Yourself in Cyber.” Hosted by the National Alliance for Cyber Security (NCI) and running through October, the event highlights four key practices: enabling multifactor authentication (MFA), using strong passwords and a password manager, updating software, and recognizing and reporting phishing.
“Not all security challenges require a technology solution,” said Julie Smith, executive director of the Identity Defined Security Alliance (IDSA). “The biggest security challenges are almost always people.”
The human problem
It is becoming increasingly clear that human behavior is responsible for most cybersecurity problems: 95% according to the World Economic Forum; 82% according to Verizon’s 2022 Data Breach Investigation Report.
The IDSA’s 2022 Trends in Securing Digital Identities report found that 84% of organizations experienced identity-related breaches in the past year. Of them, 96% reported that the breaches could have been prevented or minimized simply by implementing identity-focused tools such as MFA and privileged access reviews.
“It’s clear that hackers continue to use the simple login to access company data rather than deploying sophisticated techniques,” Smith said.
Just look at the recent Uber incident, which granted “full access” to a hacker who had successfully abused a contractor’s two-factor authentication. The hacker posted to a company-wide Slack channel and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites, the company said.
This is just one of many examples. “We’re all familiar with headline breaches like Colonial Pipeline and SolarWinds, which demonstrated the consequences of a lack of identity security,” Smith said. “Weak passwords, orphaned accounts and a lack of MFA have all contributed to these attacks.”
The consequences of identity-related breaches can be serious: large-scale disruptions, loss of income, reputational damage, even prosecution. In fact, the World Economic Forum’s 2021 Global Risk Report views cyber-attacks as one of the top three threats of the decade, alongside weapons of mass destruction and climate change.
“Given the massive impact an identity breach can have, the best way to prevent the next main breach is to implement basic identity management practices,” Smith said.
Identity security: everyone’s priority
This may be simple, Smith said, but most organizations just don’t know where to start.
First, it’s important to evaluate the current state of your organization’s security to build a roadmap, Smith said. And while they have unique security challenges and current situations, all organizations should consider these core features:
- Deploy MFA for all users.
- Keep privileged access reviews up to date.
- Immediately revoke access for high-risk or orphaned identities.
- Use device attributes for authentication.
- Evaluate user behavior to detect abnormal activity.
To help organizations get started, the IDSA offers guides and best practices, along with a breakdown of identity-defined security outcomes and approaches. The non-profit organization, which hosts Identity Management Day with the NBA, also offers a vendor-neutral toolbox in conjunction with Cybersecurity Awareness Month and will hold a webinar on October 27 on B2B identity challenges.
“Identity security is everyone’s responsibility: we all have a role to play in protecting identities and data,” Smith said.
Whether you’re a partner, consumer or employee, you’re part of a “dynamic digital environment” made up of endless devices, applications and endpoints, she explains.
“This creates a dissolving perimeter that can be more easily exploited when protected by traditional solutions,” she said.
Knowing is the first step
On the employee side, there are two key points to consider, said Sophat Chev, chief security adviser at IT service management firm ConvergeOne.
“Number one, think before you click,” he said. “If something seems suspicious, follow your instincts and pause.”
“That moment can be the difference between a good day and a bad day when it comes to responding to an incident. But also use that pause to evaluate whether the suspicion should escalate.”
Number two? “You know whether you’ve been violated, or you don’t know,” Chev said.
All too often, organizations rely on events or alerts to launch an investigation. Instead, they should give their end users the opportunity to self-assess and voice any suspicions they may have. They open themselves up to exploitation if they don’t have a platform that confirms through multiple checks that someone is who they say they are.
Organizations should conduct an audit to limit access rights to what end users need, Chev said. This reduces the chance that an attacker will use accounts to gain higher privileges, which are often required for administrative access to sensitive servers and applications.
Ultimately, “you can’t protect what you can’t see,” Chev said. “Where data has now become a critical asset, it is vital to document and know where all your sensitive data resides. Knowing is the very first step to any data protection strategy.”
Security of all identities — human and non-human
The important thing is to continue the conversation after Cybersecurity Awareness Month and other events, and move on to actionable steps, Smith said.
“Even though October may be the month where we pay particular attention to cybersecurity awareness, it really is a year-round task,” she said.
She pointed out that IDSA’s report found that 60% of IT/security stakeholders admit to engaging in risky security behaviors. “The majority of us deliberately engage in risky behavior and fall short of basic cybersecurity practices,” she said.
Continued investment is needed in identity-driven outcomes, including core IAM best practices and executive leadership support. Management teams must embrace identity security as part of their corporate culture; this can help make identity security a strategic and integral part of their business, she said.
For example, the IDSA found that 72% of organizations whose top executives speak about password security said they are more careful with their work passwords than with their personal ones. Encouragingly, identity is a top 3 security priority for 64% of organizations, and identity security investments are becoming a focal point.
This is especially important with the emergence of non-human identities, for example machine identities such as bots and service accounts.
“We need to think about the lessons and strategies we’ve learned from securing human identities and implement them to secure machine identities,” Smith said. “Otherwise, every time a new type of identity pops up, we inevitably make the same mistakes.”