Taking place this year on Tuesday 13th April, the first-ever Identity Management Day has been created to raise awareness, educate and engage business leaders and IT decision makers on cyber security and identity management. Identity management ensures that the right people in an organisation have the appropriate access to technology resources. Prioritising identity security will help businesses reduce data breaches this year and beyond.
In light of this day, we have spoken with five cybersecurity experts to gain insight into why this day was created and to learn what businesses can do to evolve their security landscape and protect their organisation.
What is Identity Management Day?
This inaugural awareness day aims to highlight the importance of ensuring our digital identities are protected in the age of accelerated digital transformation. Anurag Kahol, CTO and Cofounder, Bitglass highlights how now that “many internet users [are] holding dozens of online accounts across various services, it has become more difficult for them to memorise numerous, complex passwords. Unfortunately, password reuse has become a common malpractice that increases the chances of account hijacking when one set of a user’s credentials are leaked. More than 80% of hacking-related breaches are tied to lost or stolen credentials and it is now self-evident that passwords alone are not enough when it comes to authenticating users.”
The evolving security landscape
Kahol believes that businesses and consumers both play a role in adapting to the changing environment.
“As the security landscape evolves, consumers and businesses must work together to ensure the privacy of corporate and personal data. To properly verify the identities of their employees and customers, companies must enhance their security protocols by establishing continuous, context-based security throughout the entire login experience. Solutions like multi-factor authentication (MFA) and single sign-on (SSO) don’t require users to remember countless passwords, while also mitigating the risk of account compromise. On a consumer level, users can safeguard their digital identity by educating themselves on the risks of password reuse, following cybersecurity best practices, and staying informed on rising threats. Because we now live in a time when our daily lives revolve around the internet and our various accounts therein, identity management awareness has never been more critical.”
The pandemic has further impacted this security landscape, and Tim Bandos, CISO, Digital Guardian believes businesses need to be able to support a long-term hybrid workforce going forward. “New research from Centrify showed that an overwhelming percentage (90%) of cyberattacks on cloud environments in the last 12 months involved compromised privileged credentials. Should a cybercriminal attain an employee’s credentials, they are able to log into their email, and then use that information to access more company services and applications – all with the company and victim being none the wiser. If the credentials entered are valid, the same alarms are not raised as when an authorised user attempts entry from the outside.
“This means Identity and Access Management (IAM) solutions will need to be front and centre during strategy discussions to ensure that the right employees have access to the correct resources with an appropriate level of privileges. Otherwise you run the risk of cybercriminals exploiting these weaknesses and your business ultimately becomes an embarrassing headline in the news; such as the recent breach at Verkada where credentials were compromised.”
Reflecting on the past year and protecting our future
The pandemic has accelerated the rise in cyber attacks targeting victims. Art Gilliland, CEO, Centrify discusses why it’s important to reflect on the changes we’ve seen over the past year and what learnings we should be applying to business IT strategies moving forward.
“In the last year, 90% of cyberattacks on cloud environments leveraged compromised privileged credentials. This alarming finding illustrates how cyber-attackers are easily accessing critical systems and sensitive data through improperly managed credentials — and leveraging identity sprawl across a threatscape expanded by digital transformation.
“The reality is that these adversaries no longer ‘hack’ in – they log in, using stolen identities and weak or default credentials. Identity Management Day not only reinforces the need for good cyber-hygiene but also to use technology solutions available to vault, authenticate, manage, and secure privileged identities and access. Modern privileged access management (PAM) solutions based on Zero Trust principles can minimize shared accounts and allow human and machine identities to log in as themselves. These tools should automate privileged access controls, reduce administrative risk, and strengthen compliance postures to protect the keys to the kingdom.”
Bandos urges organisations to “look at where identity management and data security meet. First and foremost, developing a working relationship between data security and IAM teams is key. Furthermore, deploying data-aware cybersecurity solutions will significantly minimise the risks because even if an adversary has ‘legitimate’ access to data through stolen credentials, they are prevented from copying, moving or deleting it. Also, the roll-out of MFA is another component to fighting the growing tide of compromised credentials.”
How does Identity Management Day prepare businesses for this new environment?
The key to Identity Management Day is awareness. Ralph Pisani, President, Exabeam, agrees that, in order to combat issues surrounding identity, awareness and enforcing cyber security best practices are crucial. “We strongly support efforts, like Identity Management Day, that raise public awareness and can help to combat this issue. We advocate for the best practices that ensure cyber hygiene and protect personal and professional identities and credentials to prevent credential-based attacks from continuing. Organisations across industries can invest in machine learning-based behavioural analytics solutions to help detect malicious activity. These analytics tools can immediately flag when a legitimate user account is exhibiting anomalous behaviour, providing greater insights to SOC analysts about both the compromised and the malicious user, which results in a faster response time.”
The day emphasises the importance of cyber hygiene to business leaders, and Gary Cheetham, CISO at Content Guru discusses how “security leaders simply cannot overlook the importance of educating the rest of your employees to keep the organisation watertight. Regular training on cyber security and the hygiene aspects using engaging and accessible resources is the best way to cultivate a highly secure workforce. Data is widely regarded as ‘the new oil’ – a comparison that highlights its value, both to businesses and to cybercriminals. And with recent research revealing that 90% of cyberattacks on cloud environments over the last 12 months involved compromised privileged credentials, identity and access management is a key area of concern for security professionals in 2021.”
Cheetham concludes: “On Identity Management Day, my one piece of advice above all else is to encourage your team to question anything that seems at all suspicious, to go with their gut instinct and to always be ready to ask for help.”