As the security landscape continues to evolve, new points of vulnerability are becoming a cause for concern. Anurag Kahol, Founder and CTO at Bitglass, discusses the areas organisations should be paying close attention to when it comes to protecting their data and operations.
We live in a connected world where every user and entity has a unique digital identity based upon their online presence, ranging from social media activity to healthcare and financial records, login credentials, web history and much more.
Digital identities, like more traditional physical forms of identification, have to be strenuously protected to prevent identity theft or fraud. This has become increasingly challenging with the massive amount of data accessed on the web. The acceleration in Digital Transformation efforts by organisations during COVID-19 has also opened up new points of vulnerability to hackers and cybercriminals.
Faced with the increased threat of identity theft and fraud, it is imperative that organisations take a more proactive approach to their security and put Identity and Access Management (IAM) practices in place to deal with sensitive data. There are a number of areas where organisations could be at risk and it is incumbent on them to do all they can to reduce the threat to their data and their operations.
Passwords need to be protected
If an organisation is trying to control access to a building, it frequently employs a security desk with a pass system that gives an employee or visitor permission to enter the premises. It is quite difficult for someone to gain unauthorised access by assuming the identity of an employee or visitor.
Sadly, this is all too common in the digital sphere. Many high-profile breaches occur as a result of cybercriminals hacking into employee accounts to gain access to the organisation’s data. In more than 80% of incidents they achieve this by exploiting lost or stolen credentials, using compromised passwords to gain access to the company’s data.
One way to mitigate the risk of passwords being misused is to initiate frequent password resets. The problem with this approach is that employees are very likely to use their new password for other accounts as well. Reusing passwords is attractive for people because it can be a struggle to remember a number of complex passwords for different sites. But this dramatically expands the opportunity for cybercriminals to gain access to those passwords across a much wider range of potentially compromised websites.
So, what can be done? One of the most effective ways to keep the login process for users as seamless as possible while strengthening protection against the threat of account compromise is to enable Multi-Factor Authentication (MFA) and Single Sign-On (SSO).
MFA adds an extra layer of security for the organisation. For example, a one-time code could be sent via SMS text message or generated by a third-party app like Google Authenticator. This second form of authentication is required before users are verified and granted access to the account. Without it, they remain locked out of the account. With the addition of SSO, users can also log into a single portal to gain access to a variety of independent cloud resources.
Comply with data privacy regulations
Data security and brand reputation are becoming increasingly interconnected for businesses that collect and store large amounts of customer information. There is a pressing requirement for companies to protect their customers’ data, especially as they need to comply with a widening range of regulations. There are few excuses for any organisation that fails to comply with the European Union’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) which have been in place for some time now. Depending on where they operate, businesses also need to keep up to date with new additions to privacy legislation in individual states in the US, such as the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Privacy Act (VCDPA).
Data privacy is likely to become even more of an issue for organisations operating in the US if discussions about a national privacy law to hold all states equally accountable for the misuse of consumer data lead to legislation. It is important for companies to ensure they are aware of any developments in the data privacy sphere. Ignorance is not a defence and failure to comply with data privacy regulations will lead to steep fines and, quite possibly, force the company to close down.
Protect digital identities using IAM best practices
The security landscape is constantly evolving and creating new points of vulnerability. To combat the widening range of threats, consumers and businesses need to work together to ensure corporate and personal data remains secure. As we have already noted, passwords can always pose a risk, no matter their length or complexity.
One way organisations can better spot if someone is trying to impersonate an employee online is by monitoring their network activity and behaviour in an effort to detect any abnormalities. Take the simple scenario of an employee who logs in from their home IP address every day during the working week. If that employee were suddenly to log in from a different location at a different time on a weekend night, this would definitely be cause for suspicion. With context-based, step-up authentication, organisations can confirm a user’s identity depending on his or her location, device and day-to-day activities.
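The weekday/home-IP scenario above, worked through as an added example (not code from the article or from Bitglass): a per-user baseline is built from a constructed login log, and a new login is scored on how far its source IP, weekday and hour depart from that baseline; two or more deviations trigger step-up authentication. The log entries, user names, IPs and the threshold are all assumptions.

```python
from datetime import datetime
from collections import Counter

# Constructed sample login log (not from the article): (user, ISO timestamp, source IP).
# Alice logs in from the same home IP every weekday morning, 1-5 March 2021 (Mon-Fri).
LOGIN_LOG = [
    ("alice", "2021-03-01T08:55:00", "203.0.113.10"),
    ("alice", "2021-03-02T09:02:00", "203.0.113.10"),
    ("alice", "2021-03-03T08:58:00", "203.0.113.10"),
    ("alice", "2021-03-04T09:05:00", "203.0.113.10"),
    ("alice", "2021-03-05T08:50:00", "203.0.113.10"),
]


def build_baseline(log):
    """Per-user profile: source IPs seen, weekdays seen and hours of day seen."""
    profiles = {}
    for user, ts, ip in log:
        t = datetime.fromisoformat(ts)
        p = profiles.setdefault(user, {"ips": Counter(), "weekdays": set(), "hours": set()})
        p["ips"][ip] += 1
        p["weekdays"].add(t.weekday())   # 0 = Monday ... 6 = Sunday
        p["hours"].add(t.hour)
    return profiles


def assess_login(profiles, user, ts, ip):
    """Return (risk_score, reasons). Each context deviation adds one point."""
    p = profiles.get(user)
    if p is None:
        # No history at all: treat as maximally unusual rather than silently allowing.
        return 3, ["no baseline for user"]
    t = datetime.fromisoformat(ts)
    reasons = []
    if ip not in p["ips"]:
        reasons.append("unfamiliar source IP")
    if t.weekday() not in p["weekdays"]:
        reasons.append("login on a day never seen before")
    if t.hour not in p["hours"]:
        reasons.append("login outside usual hours")
    return len(reasons), reasons


def decide(profiles, user, ts, ip, threshold=2):
    """Context-based step-up: require a second factor once the score reaches the threshold."""
    score, reasons = assess_login(profiles, user, ts, ip)
    return ("step-up" if score >= threshold else "allow"), reasons


if __name__ == "__main__":
    profiles = build_baseline(LOGIN_LOG)
    # Saturday 23:30 from an unknown IP: every check fires, so step-up is demanded.
    print(decide(profiles, "alice", "2021-03-06T23:30:00", "198.51.100.7"))
    # The following Monday morning from home: nothing unusual, allowed through.
    print(decide(profiles, "alice", "2021-03-08T09:00:00", "203.0.113.10"))
```

The exact-hour and single-IP checks are deliberately coarse; a production rule would tolerate a window around the usual hours and a home IP that changes, and would combine device signals with these location and time ones.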
In many instances, the weakest link in an organisation’s security strategy is its workforce. A business can have all of the right solutions in place but its security strategy will not function effectively if it hasn’t trained and educated its people to use it properly. Cybersecurity training is important for all employees and companies need to enforce programmes to ensure they are informed about existing and emerging threats. These programmes will also help them to manage their data better and protect their digital identities more effectively – as well as those of their customers.
By implementing these IAM practices, organisations can counter unauthorised access proactively and protect sensitive data stored across their modern IT ecosystems. But company policies are not enough on their own. People need to take responsibility for keeping up to date with the latest identity management trends and cyber-risks. The Internet has become a critical part of our daily lives in our connected world. Identity management awareness can help keep us connected in a safer way.