People—we are perhaps the most important and yet least secure part of the enterprise. Some social engineering is enough to undo the most comprehensive cybersecurity architecture. For business leaders, vendors, and consumers alike, IT security requires all of us to take stock of our roles in protecting systems and information.
This idea is the theme of this year’s Cybersecurity Awareness Month: See Yourself in Cyber. Every October, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) join forces with partners to stress the importance of staying safe online. At the Identity Defined Security Alliance (IDSA), we beat this drum often by pushing the importance of identity-centric security as threat actors continue to focus on credential theft.
This year, Cybersecurity Awareness Month will focus on four key actions everyone should take to improve security, some of which relate directly to identity.
- Enable Multifactor Authentication
- Use Strong Passwords
- Recognize and Report Phishing
- Update Your Software
At a time when the number of identities enterprises have to protect is increasing, organizations face additional pressure to implement strategies that will help prevent credential theft and make access and authentication decisions more intelligent. In our research, IDSA has found that the consequences of identity-related breaches can be severe, including direct business impacts such as revenue losses and reputational damage. With this reality as a backdrop, it should be no surprise that many organizations view managing and securing identities as one of the top priorities of their security program.
Password security is crucial to this: while there is talk of organizations going passwordless, passwords remain ubiquitous. Bad practices, such as weak passwords and reusing the same password across different services, sites, or applications, undermine security and make it easier for attackers to crack stolen passwords and expand their foothold. Much credential theft can be traced to phishing, though vulnerability exploits are still very much in vogue.
When it comes to defense, multifactor authentication (MFA) has long been viewed as a means of placing an additional barrier in front of attackers. However, as the recently reported Uber breach showed, even that can fall victim to social engineering schemes such as push notification attacks. An effective security strategy takes a layered approach, and the security outcomes we promote here provide that. From analyzing device characteristics as part of the authentication process to triggering re-attestation due to high-risk events, combining identity and security capabilities reduces the risk of breaches and failed audits.
Organizations also have to protect customer identities, which comes with its own set of challenges. User friction, data privacy regulations, and the threat of a breach caused by account takeovers must be viewed through the lens of the customer journey, with the goal of balancing security with an experience that positively impacts customer retention. Security has to be a true enabler. Just as customers need to do their part by utilizing secure passwords and patching their devices, enterprises need to create an experience where customer identities and data are properly safeguarded against attacks.
As we highlighted during Identity Management Day, identity security is everyone’s responsibility. During October, IDSA will be hosting webinars featuring identity and security experts discussing the importance of identity-centric security strategies and how standards can help make us all more secure. You can register for these webinars here.
It is up to us all—enterprise leaders, consumers, employees, vendors, and partners—to recognize the role we have to play in protecting identities and data. While October may be the month we recognize cybersecurity awareness, it is a year-long task. To #BeCyberSmart, You Must #BeIdentitySmart, so let’s all use this time as a reminder to play our part in keeping our digital identities safe.