As reported in our 2021 Trends in Securing Digital Identities report, COVID-19 put the spotlight on identity security and provided the wake-up call that CISOs needed to elevate the role of identity in their security strategies. However, acknowledgement is not the same as action, and not long after our report was published, arguably the most impactful breach in history occurred, creating gasoline shortages on the east coast of the US. While the headline framed it as a ransomware attack, it was in fact rooted in compromised credentials from an inactive account. The situation stands as an example of how implementing basic identity and access management (IAM) best practices could have prevented a major incident.
This year’s research, 2022 Trends in Securing Digital Identities, shows that identity-related breaches continue to plague organizations, disrupting operations and impacting the business. Investments are being made in identity-centric security outcomes, but the basics are still lacking, including those that could have prevented the highest-profile attacks of 2021.
But the results are not all bad: security leaders have responded by making identity security a top priority, aligning identity investments with strategic initiatives and rallying executive leadership to speak publicly about password security with positive results.
Sponsored by the IDSA, the 2022 report is based on an online survey conducted by Dimensional Research. We surveyed more than 500 security and identity professionals from the United States who were directly responsible for IT security or IAM at a company with more than 1,000 employees. Each was very knowledgeable about both IT security and identities. Participants included a mix of company sizes, job levels, and industries.
To provide some trend analysis, some questions for this survey were pulled from last year’s report, 2021 Trends in Securing Digital Identities, as well as our research published in February 2021, Identity and Access Management: The Stakeholder Perspective, which focused on the non-IT audience.
How has identity security changed in the last year, and where are we headed?
Organizations are experiencing identity-related breaches that are preventable with the basics.
Identity-related breaches remain a continual threat to organizations, with 84% experiencing a breach in the last year versus the 79% that reported in 2021 that they had experienced a breach in the previous two years. Some might suggest that the increase is tied to the adoption of tools that provide better visibility and more rapid detection. Regardless, it’s clear that attackers continue to simply log in to get access to corporate systems and resources rather than use sophisticated hacking techniques.
When asked if the breach could have been minimized by identity-focused outcomes (as recommended by the IDSA), 96% said yes, with multi-factor authentication and more timely privileged access reviews overwhelmingly leading the way.
In our February 2021 report, Identity and Access Management: The Stakeholder Perspective, we asked how quickly organizations remove access for an employee who leaves the organization. Thirty-four percent of organizations reported removing access the day an employee leaves and 15% reported that they do so the day after. These figures are comparable to our findings for 2022, where a combined 51% (35% the day of, 16% the day after) did the same. This indicates that organizations are making progress in reducing the risk of unauthorized access through an inactive credential, but there is still work to do. Multi-factor authentication, the protection of privileged accounts, and automated de-provisioning are identity and access management best practices that have appeared on identity roadmaps for years.
The operational and business impacts are significant.
When an organization detects a breach, IT security teams immediately go into incident response mode. While the operational impact is more often immediately apparent, the business impact can sometimes take longer to manifest.
When asked how identity-related breaches impacted their organization in the past year, common responses included: malicious attacks on applications or systems (32%); a period where IT systems were unavailable or degraded (28%); and products, services, and solutions delivered by the organization being compromised (21%). Seventeen percent indicated they were a victim of a ransomware attack.
While the IT teams race to remediate the operational impacts, the executives are typically focused on mitigating the business impacts, which can be significant. Seventy-eight percent said they experienced a direct impact to business as a result of an identity-related breach.
Once considered an operational function, identity has made its way to a top 3 security priority for 64% of organizations.
It’s clear that the online world we were forced to embrace over the last two years is now the new normal. Organizations are shoring up the infrastructure needed to support a remote workforce for the long term. With those efforts, identity security has cracked the top 3 list of priorities in most organizations. Additionally, identity is now being considered an investment in strategic initiatives such as cloud, zero trust, and digital transformation.
Perhaps reducing the risk of an identity-related breach really is more about people than technology.
Not all security challenges require a technology solution. Users—regardless of their relationship to the organization—are both a threat (even when they are security professionals) and an opportunity. It’s true that weak, reused, and shared passwords, as well as phishing links and social engineering, are all relatively easy mechanisms by which an attacker can obtain a valid credential for unauthorized access. Even security professionals are guilty of poor identity hygiene: 60% in this year’s report versus 69% in the Stakeholder Report.
But behaviors can be influenced when leadership puts a focus on identity security, with 72% reporting that they take better care of their work passwords when a top business executive talks about the importance of password security. Perhaps it’s time to shift from users as an attack vector to users as the first line of defense.
While organizations are making progress in filling the gaps in capabilities, the challenges are expanding with more identities (98% are experiencing growth) and more identity types, including third parties and machines. Continued investment in identity-focused outcomes, including basic IAM best practices and executive leadership support, is going to make the difference in addressing the challenges of today and tomorrow.