Today is Identity Management Day, a time to educate consumers and business leaders alike on the dangers of not properly securing identities and access credentials.
Identity management is the discipline of protecting our personal digital identities as we communicate, shop, work and transact our daily lives online. Careless behaviour, such as failing to secure passwords, can leave individuals or organisations vulnerable to identity theft and data breaches. Indeed, with 79% of organisations having experienced an identity-related security breach in the last two years, it has never been more important to focus on our identity management.
Data on the rise
As the volume of data worldwide is predicted to reach a staggering 181 zettabytes by 2025, organisations must think smarter about how to protect this data. Whether shopping online, setting up a social media account or simply reading a news article, we are regularly being asked for our identifiable information. Michael Queenan, CEO and Co-Founder of Nephos Technologies, highlighted that, “With 10% of UK homes now owning smart devices – e.g. an Alexa or a Ring doorbell – our data is constantly being collected, even within our own homes.
“What is especially concerning is who has access to this data – currently the institutions that collect it decide how it is used and sold. More worrying, should it fall into the wrong hands, it could be used for identity theft or fraud. Our personal data is anything but personal.”
This makes securing identities more important than ever. According to James Brodhurst, Principal Consultant at Resistant AI, “There are real risks imposed on our interactions with each other, with service providers, or any other engagement in the digital world.
“Consumers must be aware of those risks when applying their identity or personal data for use in the digital world. It has never been easier for cybercriminals to steal data and use it in seemingly unlimited ways, to commit fraud and other cybercrimes. That’s due, in part, to an overwhelming percentage of people not taking the necessary steps to safeguard their identity.”
Steve Young, UKI Sales Engineering Director at Commvault, added that, “Identity management helps businesses be compliant with the latest data regulations, as it ensures that any customer data collected and stored is kept secure.”
Watch out for cyber criminals
With identity theft one of the most common forms of cyber-attack today, strong identity management is critical to maintaining cyber integrity in 2022.
“Colonial Pipeline, SolarWinds, Twitch – all of these organisations have one thing in common: they suffered data breaches as a result of stolen credentials,” noted Tyler Farrar, CISO at Exabeam.
“Credential theft has become one of the most common and effective methods cyber threat actors use to infiltrate organisations of all sizes and access sensitive data. We strongly support efforts, like Identity Management Day, that raise public awareness and can help to combat this pervasive issue. We advocate for the best practices that ensure cyber hygiene and protect personal and professional identities and credentials to prevent credential-based attacks from continuing.”
“So why is identity theft so common?” asked Andy Swift, Technical Director of Offensive Security at Six Degrees.
“Well, the simple answer is that stealing account credentials is big business. There is a massive industry out there of people stealing and selling credentials on the dark web. Once these attackers have stolen a victim’s credentials, they want to leave without a trace in order to avoid arousing suspicion.
“I don’t suggest you venture to the marketplaces through which stolen credentials are sold on the dark web, but if you did, you’d find lists of credentials with different attributes – whether they’ve been tested, whether they have access to financial data – that dictate price. They even run Black Friday sales. I’m not kidding.”
Tools and tricks to secure data
Ultimately, effective identity management is only achieved through a broad range of technologies and data. This is an important first step for organisations to know who they are interacting with, and subsequently distinguish between genuine and illicit actions.
Liad Bokovsky, Senior Director of Solutions Engineering at Axway, urged that companies need to do a better job at protecting their customers’ data: “Thriving and surviving in today’s hyper-connected economy increasingly depends on having sufficient API maturity in place to ensure that anything connecting to an organisation’s servers – devices, apps, customers – is managed appropriately to keep APIs, customer data and the company’s reputation safe. This means having technology and processes in place to make sure that API design, implementation, and management are done properly.”
Commvault’s Young suggested: “For IT leaders looking to implement identity management but unsure where to start, simple measures, such as two-factor or multi-factor authentication (MFA), are a good first step, before venturing further onto using tools such as privileged access management and privileged identity management.”
“MFA provides great defence against identity theft, but it’s also a reactive technology: for it to be effective, an attacker must already have obtained stolen credentials,” Swift agreed. “That’s why comprehensive cyber security training and education on best practices is quite possibly more important than any technology could ever be alone. There’s no silver bullet when it comes to achieving strong identity management, but the importance of threat awareness and training cannot be overstated.”
Organisations must build a security stack that is consistently monitoring for potential compromise. Exabeam’s Farrar explained: “Organisations across industries can invest in data-driven behavioural analytics solutions to help detect malicious activity. These analytics tools can immediately flag when a legitimate user account is exhibiting anomalous behaviour indicative of credential theft, providing greater insights to SOC analysts about both the compromised and the malicious user, which results in a faster response time.”
Identity management is everyone’s responsibility
Queenan argued that individuals need to be responsible for their own data and how it is used: “A possible way of achieving this is through identity-centric blockchain, whereby everyone has a national email address associated with their blockchain identity that permits access to their personal data. This would ensure that only you get to decide who has access – your data, your choice.”
“A secure communication solution allows you to maintain control over confidential communications, distribute documents and files for faster and easier collaboration, and ensure a rapid response during crises,” MarKeith Allen, Senior Vice President and GM, Mission-Driven Organisations at Diligent added. “But not all solutions are created equal.”
He concluded that, “Organisations should ask the following key questions when evaluating options in the marketplace:
Is communication encrypted? Because sensitive data in transit is increasingly more vulnerable to phishing attacks, password hacks, and other potential breaches, encryption is the most effective way to achieve data security.
Are platforms integrated? It’s important that a solution provides a central workstream for company leaders and pulls all sensitive updates, conversations, and documents out of insecure channels like email.
Does it minimise weak links? It only takes one incident to cause irreparable harm and financial damage. Make sure your communication solution gives administrators the ability to, for example, remotely ‘wipe’ lost or potentially compromised devices.
Does it meet the standards of your security team? Actively engaging your IT team in the selection process benefits everyone in terms of protecting sensitive data — and safeguards your organisation against unnecessary liability. CIOs and CISOs will have specific questions and ‘must haves’ in any communication solution their organisation takes on, so make sure they are involved from the start.”