Cybersecurity Awareness Month, hosted by the National Cybersecurity Alliance and the Cybersecurity and Infrastructure Security Agency, was an opportunity for all of us to take stock of our role in protecting our digital ecosystem. Whether acting as consumers, employees or partners, our online behaviors matter. A reused password or a click on a suspicious link can wreak havoc in our individual lives, but it can also give a cyber attacker a foothold inside a corporate network. So, while October may be the month we recognize cybersecurity awareness, it must become a focus every day.
The Identity Defined Security Alliance focuses year round on educating the IT community on the importance of securing digital identities, given that most breaches can be tied back to compromised credentials. With 84% of organizations experiencing an identity-related breach in the last year, we have often said that to #BeCyberSmart, you must #BeIdentitySmart. But what does that really mean for individuals and organizations, and what are the actionable steps you can take?
The National Cybersecurity Alliance recommends the following for individuals:
- Enable Multifactor Authentication – add an additional layer of security to all your accounts.
- Use Strong Passwords and a Password Manager – use long, unique, and complex passwords and a password manager to protect them.
- Recognize and Report Phishing – think before you click a link in your personal and work emails.
The IDSA recommends the following for organizations:
- Clarify Ownership of ALL Identities – identify the individual responsible for an identity (human and non-human) throughout its lifecycle.
- Establish Unique Identifiers – give every identity (human and non-human) a permanent and unique identifier.
- Authoritative Source of Trusted Identity Data – establish one source for all identities and their attributes.
- Discovery of Critical and Non-critical Assets and Identity Sources – know your assets and where they are located.
- Privileged Access Management – protect your most sensitive assets and your most sensitive identities.
- Automate Provisioning/De-provisioning – giving and removing access should be timely and automatic.
- Focus on Identity-Centered Security Outcomes – implement critical capabilities such as MFA for all identity types and timely privileged access reviews.
- Establish Governance Processes and Program – put in place a cross-functional team to ensure the IAM program is effective and successful.
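Several of the organizational recommendations above (unique identifiers, a single authoritative source, clear ownership of every identity, automated de-provisioning, MFA for all identity types and timely privileged access reviews) come down to reconciling the accounts that exist in your systems against the identity data you trust. The following Python script is an added illustration of that reconciliation and is not code from the IDSA or from any vendor quoted on this page; the `Identity` and `Account` structures, the constructed sample data and the 90-day review window are assumptions chosen for the example.

```python
"""Reconcile directory accounts against an authoritative identity source.

Added example (not from the IDSA). It flags the gaps the recommendations
above describe: orphaned accounts, accounts whose identity has been retired
but not de-provisioned, identities with no owner, missing MFA, duplicate
identifiers and overdue privileged access reviews.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    uid: str               # permanent, unique identifier (never reused)
    kind: str              # "human" or "non-human" (service account, workload, ...)
    owner: Optional[str]   # uid of the person accountable for this identity
    active: bool           # False once HR or the asset owner has retired it


@dataclass(frozen=True)
class Account:
    username: str
    uid: Optional[str]     # link back to the authoritative identity, if known
    privileged: bool
    mfa_enrolled: bool
    last_access_review: Optional[date]


Finding = Tuple[str, str]  # (finding code, account username or uid)


def reconcile(identities: Iterable[Identity], accounts: Iterable[Account],
              today: date, review_max_age_days: int = 90) -> List[Finding]:
    """Return every gap between the trusted identity data and the accounts."""
    findings: List[Finding] = []
    by_uid: Dict[str, Identity] = {}
    for ident in identities:
        # "Establish Unique Identifiers": the same uid must never describe two identities.
        if ident.uid in by_uid:
            findings.append(("DUPLICATE_UID", ident.uid))
        by_uid[ident.uid] = ident

    for acct in accounts:
        ident = by_uid.get(acct.uid) if acct.uid else None
        if ident is None:
            # No link to the authoritative source: nobody can vouch for this account.
            findings.append(("ORPHANED_ACCOUNT", acct.username))
            continue
        if not ident.active:
            # "Automate De-provisioning": the identity is retired but access remains.
            findings.append(("DEPROVISION", acct.username))
        if ident.owner is None:
            # "Clarify Ownership of ALL Identities", human and non-human alike.
            findings.append(("NO_OWNER", acct.username))
        if not acct.mfa_enrolled:
            # "MFA for all identity types".
            findings.append(("MFA_MISSING", acct.username))
        if acct.privileged:
            # "Timely privileged access reviews": never reviewed, or reviewed too long ago.
            stale = (acct.last_access_review is None
                     or (today - acct.last_access_review).days > review_max_age_days)
            if stale:
                findings.append(("PRIV_REVIEW_OVERDUE", acct.username))
    return findings


# Constructed sample data (assumed, not taken from any real environment).
TODAY = date(2022, 10, 31)
AUTHORITATIVE_SOURCE = [
    Identity("emp-1001", "human", owner="emp-0007", active=True),
    Identity("emp-1002", "human", owner="emp-0007", active=False),   # has left the company
    Identity("svc-2001", "non-human", owner=None, active=True),       # nobody owns it
    Identity("svc-2002", "non-human", owner="emp-1001", active=True),
]
DIRECTORY_ACCOUNTS = [
    Account("alice", "emp-1001", privileged=True, mfa_enrolled=True,
            last_access_review=date(2022, 10, 1)),
    Account("bob", "emp-1002", privileged=False, mfa_enrolled=True, last_access_review=None),
    Account("backup-svc", "svc-2001", privileged=True, mfa_enrolled=False,
            last_access_review=date(2022, 4, 1)),
    Account("legacy-admin", None, privileged=True, mfa_enrolled=False, last_access_review=None),
    Account("deploy-bot", "svc-2002", privileged=False, mfa_enrolled=True, last_access_review=None),
]


def run_sample() -> List[Finding]:
    """Reconcile the constructed sample and return its findings."""
    return reconcile(AUTHORITATIVE_SOURCE, DIRECTORY_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for code, subject in run_sample():
        print(f"{code:22s} {subject}")
```

Run on the constructed sample, the script reports nothing for `alice` (owned, MFA-enrolled, reviewed 30 days ago) and for `deploy-bot`, but flags `bob` for de-provisioning, `backup-svc` for having no owner, no MFA and an overdue privileged review, and `legacy-admin` as orphaned. In a real program the two input lists would be pulled from the HR system and the directory, and each finding would open a ticket for the identity's owner rather than print to the console.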
Our research, 2022 Trends in Securing Digital Identities, provides a wealth of information on where organizations should focus. There is no doubt that identity-related breaches continue to plague organizations with significant business impacts, but investments and executive leadership support are making a difference. Plan your 2023 with these things in mind. Emphasizing identity best practices to your employees, partners and customers is critical to a stronger security posture and a stronger ecosystem. We look forward to rallying the community to create awareness about this important topic on the next Identity Management Day, April 11th, 2023, but in the meantime, hear from identity and security experts on what #BeIdentitySmart means for them.
The French philosopher Rene Descartes is credited with stating ‘Cogito, ergo sum.’ In English, it translates to ‘I think, therefore I am.’ This quote implies you have an Identity. Intelligence, or being ‘Smart’, is another attribute that we credit to Descartes. If you can think and perform deduction, there must be some form of intelligence driving that conclusion. To #BeIdentitySmart marries the concepts of individuality, identity, and intelligence. We need to consider that all living things have an inherent trait for self-preservation, and that, as intelligent individuals, we will protect ourselves from harm, regardless of whether it is physical, emotional, or informational. The latter forms the communication for awareness. #BeIdentitySmart with your information and protect who you are from threats.
– Morey J. Haber, Chief Security Officer, BeyondTrust
No matter how strong your organization’s password policies and awareness efforts are, they won’t be enough to defend your organization against identity-based attacks on their own. These types of attacks are growing, and passwords are continuing to fail. To #BeIdentitySmart, a broader approach is in order. It’s not so much about stopping attackers from getting in anymore; it’s about making it very difficult for them to move around the network without raising red flags and creating so much noise that they become easier to spot and block.
– David Higgins, Senior Technical Director, CyberArk
Over the past year, I’ve seen a call for convergence throughout the identity and security industry. Organizations are struggling to find the right balance between sustaining existing identity-based processes and addressing new types of identities, such as IoT and machine identities, that have come into the IT environment with the acceleration of digital transformation. That is why, to me, #BeIdentitySmart means looking for ways to consolidate technology and processes to ease the identity management and governance burden.
– Paul Mezzera, VP of Strategy, Saviynt
Being “identity smart” means different things for different people. For me, it has meant two things. In my role as an IT administrator, it means being properly sensitive towards everything around my corporate identities and the proper awareness that I must do everything necessary to protect them. In a world where the bad guys are breaching my first line of defense – typically, my endpoints – with ease, I must put a focus on protecting my identity systems – typically Active Directory or Azure Active Directory – as those will be next in line for the intruders. And as a user, being “identity smart” means being aware that cyber attackers are after my identity and thinking twice before clicking dubious links or passing on sensitive information about myself in social media.
– Guido Grillenmeier, Chief Technologist, Semperis
Cyber criminals that prey on human error are one of the biggest vulnerabilities organizations face. Legacy multi-factor authentication, which relies on phishable passwords, one-time passcodes, and secret questions, is easily susceptible to sophisticated cyberattacks and cannot securely safeguard organizations. Human Factor Authentication – the combination of passwordless authentication and cloud biometrics – provides the highest level of security and identity assurance. By eliminating passwords and leveraging human-centric authentication, businesses can combat cyberattacks that exploit human behavior, taking an identity smart approach towards a zero trust architecture that protects their valuable assets, workforces, and customers.
– Tom Thimot, CEO, authID
With the accelerating adoption of hybrid cloud, remote workforce and digital transformation, identity has quickly become the new perimeter of security. Understanding your WHY is important to formulate the right strategy in your identity program, as you must understand that identity security is not a one-time project; it is a journey. A journey that includes a series of initiatives that are incorporated with strategy, capabilities, vision, people, process, and technology to continuously address the ever-changing identity landscape in the business.
– Jason Lim, CEO and founder, CYDENTIQ
Organizations are faced with a vast range of identity issues in the cloud. One that hasn’t received as much attention, but frankly needs to, is how to manage and secure identities such as secret keys, serverless functions and virtual machines. These non-human identities will dominate IT environments in the coming year and can be easily exploited by hackers without your security or cloud teams ever knowing. This is the kind of security gap that should keep CISOs up at night.
– Brendan Hannigan, CEO and co-founder, Sonrai Security