It's time to wake up to the cyber security identity crisis
Cyber crime is on the rise, posing a major threat to UK businesses. As new research suggests tens of thousands of mobile gadgets and tablet devices are going missing every year, Barry Scott, Chief Technology Officer at Centrify, issues a stark warning on the threats identity fraud poses to companies.
The tidal wave of increasingly ruthless cyber-attacks has already claimed a long list of casualties. Whether the target is a corporation, consumers, charities or critical national infrastructure, it’s clear that no one is safe. Barely a day goes by without a major new breach splashed across the national and international press.
High profile targets like Yahoo, Uber and Equifax still struggle to separate their image from the security breaches which defined them. The UK government is working hard to raise awareness of the risks cyber attacks pose to businesses large and small, but the problems continue.
With these incidents in mind, it’s unsurprising that cyber security spending is rocketing, with Gartner estimating spending to reach $96B USD this year. The issue will continue to keep CEOs and business leaders awake at night, but as with all IT threats, the nature of the beast keeps changing.
Research published recently from the Parliament Street think tank revealed that over 26,000 electronic devices were discovered on tubes, trains and buses across London’s transport network in the last financial year. This is only the number of devices that were handed in to the lost property office by honest commuters – just imagine how many more were stolen on the transport system and never returned.
Most of these were mobile phones, many of which were either company-issued devices or personal devices used to access the corporate network. This raises greater cyber security concerns when considering that breaches exploiting identity are on the rise and many businesses are largely unaware of the threats these incidents pose to their organisations.
The experts could not be clearer on the dangers of this issue. Research contained in the Verizon 2017 Data Breach Investigations Report has suggested that 81 per cent of security breaches involve weak, default or stolen passwords. Analyst firm Forrester says that 80 per cent of breaches involve privileged credential misuse. Yet market reports suggest that less than 10 per cent of total corporate cyber budget is being earmarked for identity and access management solutions.
This is despite an explosion of mobiles, tablets and wearable devices becoming increasingly used in the workplace, which is frequently no longer inside four walls and behind a firewall. Tackling this problem is no easy task, but there is a series of clear steps that security professionals and business leaders can take to protect the organisation from harm. With the sharp rise of mobile devices, identities are frequently used on multiple devices and likely in multiple locations.
Therefore every user needs to be verified, and every device needs to be validated. Solutions such as single sign-on and multi-factor authentication can help ensure identity and access protection, but the challenge is to do so without stretching worker patience by creating friction between people and what they need to get the job done.
It’s also vital to manage privilege, by ensuring that employees have only minimal required access to levels of information relevant for their role and level of seniority. Implementing Privileged Access Management reduces the risk of security breaches by minimising the company’s attack surface with a least-privilege approach, both on premises and in the cloud.
The right privilege solution allows you to consolidate identities, deliver cross-platform, least-privilege access and control shared accounts, while securing remote access and auditing all privileged sessions. Above all, companies need to adopt a fresh approach to identity security by assuming that every user is a potential threat. The harsh reality is that the best way to protect the company from identity-related breaches is to treat everyone as untrusted.
Out with the ‘trust, but verify’ approach, and in with the new mandate: ‘never trust, always verify.’ That’s the foundational principle of Zero Trust Security. The mobile-first, cloud-first trend will continue in business, just as surely as mobile devices will continue to be lost or stolen. Hackers no longer break their way in, they log in.
Organisations should be thinking about ways to close identity and access weaknesses with Zero Trust Security before they become the next data breach headline.
Barry Scott is CTO EMEA at Centrify