Execs worry about unknown identity-security weaknesses

Dive Brief:

  • Businesses are concerned about identity-based attacks and don’t think they fully understand their networks’ weak spots, according to a new survey from Cisco’s identity technology service Duo.
  • Only one-third of business leaders are confident in the efficacy of their identity security solution, and 69% of leaders said they “lack full insight into identity vulnerabilities,” according to the report, which is based on interviews with 650 IT and security leaders in North America and Europe.
  • Almost all respondents (94%) said the complexity of their identity management platforms (companies have roughly five on average) made it more difficult to secure those systems.

Dive Insight:

While software vulnerabilities remain a popular way for hackers to break into computer systems, many nation-state and cybercriminal groups make extensive use of identity-based attacks, where they steal user credentials and then use them to log into target networks by impersonating those users. (The SolarWinds campaign, for example, featured an even more elaborate identity-based attack that involved stealing a Microsoft authentication key to forge user access tokens.) Identity security has quickly become one of the cybersecurity market’s most urgent and competitive segments.

But IT executives often design and build computer system infrastructures without fully considering identity security. Roughly three-quarters of respondents told Duo that the topic is “often an afterthought.”

As for the finding that nearly 70% of leaders aren’t sure how secure their identity platforms are, Duo said this could indicate serious deficiencies in their cybersecurity postures because “unseen identities and privileged accounts are high-risk blind spots.”

Todd Thiemann, a principal analyst at Omdia’s Enterprise Strategy Group, said visibility gaps represented “a significant identity pain point.”

“Getting visibility across a heterogeneous identity estate that can include on-premises, multiple clouds, and a variety of SaaS tools has been an ongoing enterprise challenge,” Thiemann told Cybersecurity Dive via email.

Those identity concerns balloon as companies integrate contractors into their networks. Nearly nine in 10 IT and cybersecurity leaders worry that their networks don’t have adequate security controls for contractors, while 57% have seen unauthorized access to their systems.

Businesses aren’t just failing to deploy sophisticated identity-management solutions. They are even lagging behind on basic security measures such as multifactor authentication, according to the report. 

Nearly seven in 10 respondents reported being unsure that all of their devices and apps required MFA for logins. And while 87% of respondents are eschewing text messages in favor of phishing-resistant MFA, only three in 10 are confident that they have the right technology in place to block phishing attacks. More than half of surveyed leaders said the training requirements for advanced MFA solutions made them hard to deploy, while almost half of respondents cited the cost of hardware MFA tokens as a barrier.

There were scattered signs of improvement in the report, including Duo’s finding that 82% of financial executives “have increased budgets for identity security,” suggesting that the teams responsible for deploying those solutions “have momentum” on their side.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.