There has been a wealth of reports lately articulating the poor state of identity risk. We find these reports meaningful because they all make the same central point: identity risk is one of the biggest threats facing CISOs today.

The most “show stopping” data points from these reports come courtesy of Ping Identity, which found that 97% of organizations are challenged by identity verification. The company also found that only 45% are using multifactor authentication (MFA) to verify the identity of users. We’ve written at length, including in a recent blog post, about how not all MFA is equally adept at stopping identity-based attacks. Some MFA is phishing resistant, but other forms are susceptible to attacks. Using phishing-resistant MFA is the only way to achieve the primary objective: to stop identity breaches.

Some of the other data and reports that we found particularly insightful about identity risk include:
- Machines are Over-Privileged — According to a report from Entro Security, 97% of non-human identities (NHIs) have excessive privileges, and 92% of NHIs are exposed to third parties. Both can lead to unauthorized access to systems and networks. This is an important consideration given the explosion of the internet of things (IoT).
- Employees Give Away Their Identities — The Identity Defined Security Alliance (IDSA) recently released a report that found that 89% of organizations are concerned about employees using corporate credentials on social media. Credential reuse is a “no-no” in any security program, but it is a widespread practice nevertheless. The report also found that 89% of businesses are somewhat or very concerned that new privacy regulations will affect identity security.
- Identity Security is at the Root of Breaches — CyberArk reports that 93% of organizations had two or more identity-related breaches in the last year. The company also reports that organizations expect the number of identities to increase 3x in the next year. This report speaks to why identity security has become a top need for most organizations.
- Complexity Amplifies Identity Risk and Hurts Productivity — In a report from ConductorOne, 47% of respondents said that the complexity of existing systems is their top identity management problem. The second biggest challenge? Employee resistance to change. These go together, as 47% of respondents said that identity and access security policies hurt team productivity. Identity risk solutions need to increase rather than inhibit productivity.
- Identity Fraud is a Widespread Problem — In an effort to define the identity risk problem, Jumio reported that 68% of consumers have either been the victim of identity fraud or know someone who is a victim. This is a consumer report, but it shows the wide scope of the identity security issue.
- MFA is Still Struggling With Adoption — As we mentioned earlier, Ping Identity reported that only 45% of organizations use MFA to combat identity fraud. As we have noted before, most recently in a blog post, many implementations of MFA are not phishing resistant, so this statistic may understate the problem, since it does not distinguish between different types of MFA.
- Identity Attacks Are Getting Worse — Expel reported that 69% of the security incidents its security operations center (SOC) investigated were identity-related. The company said this is a 144% year-over-year increase. Identity security is a problem that’s only continuing to get worse.
- Remote Workers Are a Challenge — Regula found that identity risk is a major problem when using “digital nomads” as contractors. Digital nomads are private individuals who work remotely, often changing their location frequently. In its survey, 40% of business decision-makers cited identity fraud as a primary challenge when it comes to working with digital nomads.
As we observe the 20th anniversary of Cybersecurity Awareness Month, the United States Cybersecurity and Infrastructure Security Agency (CISA) provides four elements of staying safe online:
- Use strong passwords
- Turn on MFA
- Recognize and report phishing
- Update software
Three of these elements speak directly to identity risk. One way to eliminate identity risk is to eliminate passwords completely by utilizing passwordless authentication.

It’s great that cybersecurity has an official month to increase awareness, but it should be a constant pursuit. The moment one lets their guard down is the moment they will be breached. Unfortunately, “identity” has been largely operationalized—turned into an “operational efficiency” rather than a “security imperative.” In some cases, it’s been taken for granted and moved out of the purview of security teams entirely.

This needs to change. For too long, identity has taken a back seat to other cybersecurity matters, but this current flood of reports, along with CISA’s guidance for staying safe online, shows that the time has come for identity risk programs to be re-evaluated. In the face of the damage being done by identity-based attacks, identity needs to be moved off the back burner and brought to the forefront. Identity security needs to improve – it’s the fastest way to turn the tables on the breach epidemic.