Making Progress and Losing Ground


As an industry and a society, we are finally making progress in protecting both our digital and physical identities. The good news is that many people are now aware of Multi-Factor Authentication (MFA), understand the need for strong passwords, and have access to numerous tools that support identity security.

Think of this discussion like a well-known sandwich. We started with some positive news and, I promise, we’ll end with some good news too. But let’s delve into the middle part—the challenges we still face.

Ransomware continues to grow at a remarkable rate. Although we may not see as much publicity about these attacks as we once did, the number of incidents is growing. One of the key factors is that the bad guys no longer have to write ransomware code; it is readily available as a service. The ease of use and availability of ransomware today is extremely concerning.

Cryptocurrency ransom payments are estimated to have grown, with more than $1 billion equivalent paid in 2023. Expand this to supply-chain attacks and that footprint becomes unmanageable. Every year, the Identity Defined Security Alliance conducts a research survey on trends in identity security.

While MFA, one-time verification codes, and hardware tokens are effective, people often suffer from authentication fatigue. Companies may be hesitant to turn on MFA to avoid increasing friction for employees and consumers. We need to focus on improving the interoperability and portability of identities, which can reduce the scope of the problem to a manageable size.

One major challenge in identity management is identity sprawl. Of the organizations we surveyed, 93% are actively taking steps to manage identity sprawl. The proliferation of cloud SaaS services has increased productivity, but it also creates a new identity or account with each service. This forces a choice between managing each of them uniquely or lowering your security profile and managing all of them in the same way. The explosion of identities costs more than we realize. Only 15% of organizations track specific metrics of cost per identity by customer or employee type and need. Unchecked identity sprawl leads to higher costs and greater security exposure.

This year an astonishing 84% of identity stakeholders said identity-related incidents directly impacted their business. The primary cost was a distraction from their core business to address the incidents. Nearly the same percentage indicated that costs to recover from an incident had a significant impact.

While we’re in the middle of the sandwich, let’s focus on the main ingredient: phishing-related attacks. These attacks account for nearly double the impact of any other incident type. We all have moments of distraction when we click on a link without thinking, and that’s when these attacks happen.

Let’s add some dressing to this sandwich and top it with the other slice of goodness. In the recent survey, 73% of respondents indicated that effectively managing and securing digital identities is among their top three priorities. This shows we’re moving in the right direction.

An impressive 97% of respondents have an incident response plan, and most have had to use it more than once in the past year. While the remaining 3% is small, that is still too many organizations without a plan. Having a plan is crucial because although you can't stop every attack, you can be prepared to respond effectively.

I’ll leave you with two key facts. First, 93% of identity stakeholders said that security outcomes could have reduced the business impact of incidents. Even more encouraging, 99% of businesses reported they are planning to further invest in security outcomes over the next 12 months.

We are making good progress in protecting our identities. With challenges like identity sprawl and increasing attacks, it may feel like we are losing ground, but we just need to run a little faster to stay ahead of the curve.

About Jeff Reich

Jeff Reich has been the Executive Director of the Identity Defined Security Alliance since 2023 and has been actively involved in the security and identity community for five decades. He is a well-known advocate for cybersecurity awareness and education. He joined IDSA from the Cloud Security Alliance. Before CSA, he created and built the security and risk functions at ARCO, CheckFree, Dell, and Rackspace. Jeff did the same at multiple financial services companies and five startups. He has received numerous accolades and certifications as a cybersecurity expert and industry leader, including CISSP certification from ISC2 in 1993, and the ISSA Distinguished Fellow designation in 2011. In 2015, Jeff was inducted into the ISSA Hall of Fame. Jeff can be reached online at https://www.linkedin.com/in/jreich/ and https://www.idsalliance.org/.