Identity-Related Breaches On the Rise

A large majority of organizations experienced an identity-related breach over the past year—and their businesses have suffered as a result.

More than four out of five (84%) of the 500 identity and security pros in the U.S. surveyed by the Identity Defined Security Alliance (IDSA) admitted to having such a breach—that’s in comparison to the 79% that reported similar breaches in IDSA’s 2021 report. But the more sobering number is that 78% of those said the breach had a direct impact on their business.

Among the common effects: Executives cited malicious attacks on applications or systems (32%) as well as unavailability or degradation of IT systems for a time period (28%). Just over one in five (21%) said that their products, services and solutions were compromised while 17% noted that their organizations had fallen victim to a ransomware attack.

As a result, direct impacts on businesses included costs to recover from breaches (44%), significant distractions from core business functions (42%) and negative impact on reputation (35%), according to the report.

The identity landscape has grown more crowded and complex. Not surprisingly, nearly all of the respondents (98%), who are in charge of IT security or identity and access management (IAM) in organizations with more than 1,000 employees, found themselves grappling with the sheer number of identities that have multiplied thanks primarily to cloud adoption, third-party relationships and machine identities. As a result, nearly two-thirds have placed a premium on identities, making it a top three priority in their security programs.

Some good news for defenders: Risky behavior among employees, which can exacerbate identity issues, is reduced when executives step in and make identity security a focus. Many respondents (71%) said executives in their organizations speak publicly to employees about password security. Unfortunately, 60% of IT and security stakeholders admitted that they had engaged in risky security behavior.

Despite growing concern over identity and a stated commitment to prioritizing it in security strategies across the country, the study found that investments in security outcomes haven’t kept pace with the desire to flip the equation. In fact, most organizations aren’t yet adequately focusing on the basics of security with regard to identity. Only 35% said they removed employee access on the day an employee left the firm and a paltry 16% did so the day after, up slightly from the previous year’s survey results.

But that will change. Nearly all organizations, a whopping 97%, are set to invest in identity-focused security outcomes, a number that mirrors investment based on last year’s results. By and large, executives have set their sights on MFA, particularly when it comes to privileged users and employees.

That’s because nearly all (96%) believed that the impact of past identity-related breaches could been reduced if they employed identity-focused outcomes such as MFA (43%), more timely reviews of privileged access (41%) and continuous discovery of all user access rights (41%).

Preventing identity-related incidents depends in large part on people. “It’s unsurprising that phishing, once again, rises to the top of identity-related attacks, with 64% of respondents noting that protection measures are a top priority and fully 59% sharing that they’ve experienced a significant phishing attack in the last year,” said Oz Alashe, CEO of CybSafe.

Training is long overdue a facelift, Alashe said. “It’s time to move past reliance on first-gen ‘gotcha’ phishing training, which educates valuable employees by ‘naming and shaming’ them on lapses and missteps,” he said. “The fact is that people aren’t the organization’s weakest link—they are and must be treated as among its greatest assets. Other classes of cybersecurity tools have advanced to the point where they provide real-time interventional assistance and intelligence that actually boosts both effectiveness and morale. It’s time for employee awareness training to similarly advance.”

Avatar photo

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.

teri-robinson has 196 posts and counting.See all posts by teri-robinson