93% of Security Professionals Say Their Identity Breaches Could Have Been Prevented
A look at key findings of a recent IDSA report to see how remote work has affected identity security.
Identity breaches had direct impact on the business: malicious attacks on applications/systems, unavailability of IT systems, stolen employee/company data... and even ransomware
The significant shift to remote work in 2020 accelerated digital transformation across organizations. With communication, collaboration and transaction all suddenly digitized, the number of digital identities increased significantly, posing new risks regarding organizations’ costs, security and productivity.
Now, more than a year into the pandemic, the Identity Defined Security Alliance has published the report “2021 Trends in Security Digital Identities: A Survey of IT Security and Identity Professionals,” which examines the impact of these changes among security and identity professionals. Let’s look at the key findings and see how remote work has affected identity security and the CISO role.
The IDSA report is based on an online survey conducted by Dimensional Research. The findings reported come from more than 500 security and identity professionals who work at 1,000+ employee companies in the United States, across a variety of industries.
How Remote Work is Impacting Digital Identities
In 2020, digital communication and collaboration became the primary form of correspondence for many people. As a result, employees and consumers were using more digital devices than ever before to connect to organizational applications, and from more dispersed locations. To support this change, companies were moving their infrastructure and apps to the cloud.
According to 83% of security and identity professionals surveyed, this resulted in an increase in the number of identities, both human and machine. For 20% of respondents, the increase was dramatic, with a growth of more than 25% more identities -- and sometimes even more than double!
An Incredibly Large Number of Cyber Attacks
A growing number of identities comes with its own set of challenges. It is extremely difficult for IT and security teams to track and manage permissions for such a large number. This is due to the complexity of granular entitlements as well as lack of visibility into configurations, privileges and activities. Cyber attackers are taking advantage of these challenges and carrying out more identity-related attacks, and with growing sophistication.
It’s no surprise then, that in the past two years, more than two thirds of the companies surveyed suffered from phishing attacks, 20% were attacked due to compromised privilege identities and approximately 29% were breached because of inadequately managed privileges.
These identity security breaches also had a direct business impact. Alarming issues that occurred as a result included malicious attacks on applications and systems (40%), unavailability of IT systems for a certain amount of time (32%), stolen employee data (31%), loss of confidence in data quality (26%), ransomware (22%) and stolen company data (22%).
Overall, the majority (78%) of organizations say they have been affected by identity-related security breaches occurring in the past two years. This means that most companies are at risk of cyber attacks -- and stand to suffer the potential financial, legal and business implications.
It’s also important to note that of the remaining 22% organizations, 13%(!) did not know if the breaches they suffered had a business impact on the organization. This uncertainty could be due to lack of visibility and IT, and to security teams having inadequate tools and methods for monitoring such consequences.
Conceivably, 91% of organizations were affected by identity-related breaches.
A Shifting of Mindset to Identity Security
After the shift to remote work and possibly after seeing its consequences, 80% of organizations in the survey increased their focus on identity security. This high number probably portrays a growing understanding among organizations of the impact of digital identity security on their business KPIs.
One example of this change was an effort made to improve alignment between identity and security, including expanding the responsibilities of the two teams to create overlap. Another is growing understanding among 90% of organizations that identity and access management is mostly about security.
This shift was also depicted in the growing influence and authority that CISOs and security teams have in organizations. In 87% of the companies surveyed, the CISO has an ownership role with identity and access management, and in 45% of them the CISO is in charge of both strategy and implementation of identity and access management initiatives. This is a huge jump compared to the results from 2019, when only 53% of the companies reported security having a leadership role in the organization!
In managing IAM strategically and actively, CISOs can drive initiatives to reduce the attack surface and protect sensitive data through the remediation of excessive entitlements and by preventing insider threats. Another benefit of the expanded ownership role, according to the survey, is that in these organizations, security teams also tend to have a better understanding of their identity strategies.
Outcome-focused Identity Security Methods
With the growing organizational emphasis on identity management and security, the question is: hich security outcomes are these organizations implementing?
Nearly half of the companies (48%) have implemented methods for focusing on least privilege and revoking access, i.e access risk mitigation. Forty-seven % have implemented MFA. Approximately a third are in the process of implementation of each of these methods.
These three methods are very effective for detection, management and remediation of risky cloud identities and their entitlements. They enable managing access permissions to reduce the attack surface while providing visibility and governance.
Therefore, with over 70% of companies implementing such solutions in the past few years, we expect to see an increase in the number of thwarted attacks and a decrease in the overall business impact of such attacks.
Future Plans for Identity-related Risk Reduction
In the next two years, 97% of those surveyed plan to continue making investments in identity-related security methods. The main investment areas include:
- MFA for privileged access
- Granting privileged access rights according to the Principle of Least Privilege
- Continuously discovering privileged access rights
These future investments are incredibly important for organizations looking to protect their data, employees and customers -- as almost all interviewees believe that breaches could have been minimized or prevented with better implementation of security outcomes.
Specifically, these professionals say that amping up their review of privileged access, including to sensitive data (45%), and expanding implementation of MFA could significantly reduce the impact of identity related attacks.