The number of security breaches stemming from stolen or compromised identities has reached epidemic proportions, according to new data from the non-profit Identity Defined Security Alliance (IDSA).
The IDSA polled 500 US identity and security professionals to compile its 2022 Trends in Securing Digital Identities report.
It found that 84% had experienced an identity-related breach in the past year, with the vast majority (78%) claiming it had a direct business impact.
Part of the problem is the soaring volumes of identities being created every day in the corporate world. Almost all respondents (98%) reported that the number of identities is increasing, primarily driven by cloud adoption, third-party relationships, and machine identities, including bots and IoT devices.
Poor security practice is often to blame for incidents. Although half (51%) of respondents said they typically remove access for a former employee within a day, only 26% always do, according to the report.
Employees are often the weakest link in the security chain, even those who should know better. Some 60% of IT/security respondents claimed that they engage in risky security behavior.
In a world where multi-factor authentication (MFA) is still not universal, and the traditional network perimeter has eroded, capturing credentials and compromising identities becomes even more valuable to attackers.
Fortunately, organizations seem to be getting the message. Nearly all respondents (97%) claimed they’re planning to invest in “identity-focused security outcomes,” and 94% said identity investments are part of strategic initiatives, including cloud adoption (62%), Zero Trust implementation (51%) and digital transformation initiatives (42%).
The report highlighted some simple steps that organizations could take to improve security outcomes. For example, it revealed that 72% of respondents are more careful with their work passwords than with their personal passwords when executives discuss corporate credentials.
Phishing hit an all-time high in the first quarter of 2022, according to the Anti-Phishing Working Group (APWG).