More than 80% of organizations have experienced an identity-related breach that involved the use of compromised credentials, half of which happened in the past 12 months, according to Silverfort and Osterman Research.
Lack of visibility into the identity attack surface
Furthering the challenges for CISOs is a continual misalignment between security and identity teams. Visibility into the identity attack surface continues to be insufficient, leaving organizations exposed to bad actors who can access their environments, move laterally inside their networks, and wreak havoc in minutes.
Protecting the identity attack surface – which extends far beyond traditional identity access management tools – is the last line of defense in detecting and preventing such threats in real-time.
65% of organizations have not implemented MFA comprehensively enough to provide sound protection. In addition, only 10% of organizations have fully deployed PAM and have high confidence in its ability to prevent malicious use of privileged credentials due to the notorious complexity of implementing such solutions at scale.
Real-time protection is missing
94% of organizations do not have full visibility into their service accounts (non-human identities), making these highly vulnerable and often privileged identities a prime target for attackers. 78% of organizations admit that they cannot prevent the misuse of service accounts in real time, due to low visibility and inability to enforce MFA or PAM protection.
Only one in five organizations are highly confident that they could prevent identity threats. Very few organizations are confident they can stop malicious access or lateral movement using compromised credentials.
“Today’s organizations are challenged with securing many different ‘silos’ of digital identity across complex hybrid and multi-cloud environments. Each of these environments has different identity security controls, which don’t work together and result in partial security, inconsistent user experience, and redundant costs,” said Hed Kovetz, CEO of Silverfort.
“In addition, some of the most critical systems in every company don’t have identity security available at all, and bad actors know it. This new research emphasizes that organizations need to rethink how they implement identity security, and develop a strategy that covers the entire identity attack surface – including human and non-human identities, privileged and non-privileged users, on-prem and cloud environments, IT and OT infrastructure, and many other areas that they didn’t previously manage to protect,” concluded Kovetz.