Identity Security a Top Priority as Threats Evolve

The need to secure digital identities is one of the biggest privacy and data issues facing organizations today, and with less than half of organizations (49%) proactively investing in securing identities, there is still a long way to go. These were among the results of a survey by the Identity Defined Security Alliance (IDSA), which found that 90% of organizations reported an identity-related breach in the last 12 months, a 6% increase from last year’s report.

The report also found 93% of businesses suffered an email phishing attack in the past year and the majority (57%) reported employees unknowingly clicked on a phishing email.

In addition, 17% reported managing and securing digital identities as the number one security priority (up from 16% in 2022), while 44% reported it as a top three priority and 25% as a top five priority.

Identity-related attacks are still among the most common security threats facing organizations, and the report indicated this will only continue to expand as cloud adoption, remote work, mobile device usage and third-party relationships drive up the number of identities.

Jeff Reich, executive director of IDSA, explained that, while more organizations are prioritizing identity security than in previous years, there is a disconnect between recognizing the risk exists and proactively managing the risk.

“For instance, 49% reported that their leadership teams understand identity and security risks and proactively invest in protection before suffering an incident while 29% only engage and support after an incident,” he pointed out.

He added that it’s important for IT security teams to determine where their vulnerabilities and threats are–and how threat actors can exploit them–and then spend money accordingly.

“In general, when managing risk, life should be simple. Never spend more avoiding, mitigating or transferring risk than you might lose by accepting the risk,” he said. “This is a critical component of risk appetite. When you cannot quantify your risk appetite, you are flying blind. Inevitably, you will spend more than needed and risk losing more than you can afford.”

Reich said his best advice, especially when it comes to technological investments, is to not spend anything until you determine what the organization needs.

“Although it may seem like security teams always try to do that, it’s very easy to be attracted to shiny new features and functionality,” he said. “There are a lot of great tools and services available in the market and more new ones by the day.”

From his perspective, organizations should consider avoiding the budget question of, “Do I need this?” after seeing the tools and, instead, ask, “What features do I need?” before looking at any tools or services.

“Those requirements should drive your tool acquisition behavior,” he said. “Don’t be another enabler of shelfware.”

The rise in identity security risks comes as the lines of demarcation between identities at work and home are increasingly blurred.

With employee behavior frequently the cause of an identity-related incident (clicking on a phishing email is most common at 57%, followed by using the same passwords for work and personal accounts at 37%), the difficulties of trying to manage identity security in today’s distributed workforce are already being made clear.

“If the past three years have taught us anything, it’s that people will adapt to the situation presented to them,” Reich said. “That often means bypassing traditional controls—and all it takes is one mistake to let the threat actors thrive.”

He said he expects to see some threat actors use artificial intelligence to drive their attacks, noting that predictive analysis and artificial intelligence can enable threat actors to rapidly adapt to our defenses and reach more victims through customized, regional and more focused attacks.

Combined with more sophisticated ransomware and phishing attacks, this means the threat landscape will only become more complex and challenging.

“Identity security threats are now part of our lives,” Reich said. “I cannot name anyone that I know that has not been affected by at least one identity-related incident.”

He pointed out it’s impossible to ignore the social engineering aspect that remains the most common vector used by threat actors to cause breaches.

“This means that each of us needs to be aware of the risks whenever we are faced with a question or challenge that requests or requires personal information,” Reich said.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
