Last fall we published our first research, the results of a survey of 511 security leaders, to get their perspective on identity, including its importance and the organizational challenges that might create added risk. We found explosive growth of identities in the last five years (half of the companies experienced five-fold growth in the past 10 years), and organizational disconnects (ownership, budget, skills and collaboration) around managing identity were clearly putting organizations at risk. In the study, security teams indicated they were worried about a range of potential identity-related security incidents, including phishing (83%), social engineering (70%), compromised privileged identities (64%), and more.
Today we published our latest research, Identity Security: A Work in Progress, which is based on an April survey of 502 qualified individuals – all directly responsible for IT security or IAM at a company with more than 1,000 employees and knowledgeable about both IT security and identities. Our latest study set out to better understand identity-related breaches. Do organizations behave differently post-breach? Are some organizations less vulnerable than others? Does a focus on identity-related security outcomes make a difference?
Identity-related breaches are ubiquitous
As it turns out, security leaders are justified in their concern that they are susceptible to identity-related breaches. We found that identity-related breaches are ubiquitous, with 79% of organizations having had an identity-related breach within the past two years. And as the security leaders in the December survey suspected (see the statistic above), the leading cause of an identity-related breach in these organizations is phishing, affecting 66% of organizations in the last two years. With the disruption and chaos of Covid-19, cyber criminals are taking advantage of the situation, and phishing is more prevalent than ever.
Phishing presents a significant challenge for security leaders – of the companies breached, 71% said the attack could have been prevented through better security awareness training. The bad guys are getting better at targeting users and creating legitimate-looking emails and websites, but are users getting better at spotting them? Is it really possible to control human behavior? As the saying goes, it’s not IF you get breached, it’s a matter of WHEN. Would companies be better served by shifting some investment from security awareness training to implementing mechanisms that prevent the use of stolen credentials?
Identity security is a work in progress
As part of the study we asked participants to indicate their progress toward the implementation of identity-defined security outcomes selected from the latest iteration of the Identity Defined Security Framework that was also published today. Less than half of security and IAM professionals have fully implemented any of eight key security outcomes, as shown in the graphic below.
The two least implemented security outcomes could be characterized as risk-based authentication mechanisms: granting a user access to resources only if certain device or behavioral data indicates that the user is actually who they say they are. These two outcomes, along with implementation of multi-factor authentication (MFA) — not just for privileged users — could prevent the use of credentials stolen through phishing.
Forward-thinking companies are showing results
The good news is that the companies that would describe their security culture as “forward thinking” are seeing results. These forward-thinking companies have a number of things in common, and only 34% of them have had a breach in the last two years (vs 59% of those who describe their security culture as “reactive”). In addition, forward-thinking companies –
- Experienced similar rates of phishing-related breaches, but fewer breaches from stolen credentials (34% vs 42%), compromised privileged credentials (27% vs 32%), inadequately managed privileges (35% vs 40%) and socially engineered passwords (32% vs 41%)
- Were more likely to proactively align identity and security teams (72% vs 67%) and improve skills (65% vs 57%)
- Were more likely to leverage security frameworks, such as NIST, HIPAA, PCI-DSS and the ISO 27000 series
- Were more likely to have fully implemented the eight security outcomes, as shown in the graphic below:
The identity-related security outcomes in the survey are from the latest iteration of the Identity Defined Security Framework, which is designed to help organizations make sense of the complex identity and security technology landscape. It is a combination of Identity Defined Security Outcomes, which as highlighted in the research can reduce the risk of an identity-related breach, and Identity Defined Security Approaches, which are well-defined patterns that combine identity and security capabilities, providing flexibility in how outcomes can be achieved. Learn more about the framework and the latest iteration in Adapting the IDSA Framework to Keep Pace with Evolution of Identity and Security Industry.
There is no doubt that, with the explosive growth in identities in the last five years and what is still to come, organizations are shifting strategies to protect identity, their most vulnerable attack vector, with some success. But there is more work to be done.