Passwords are still to blame for most data breaches

Compromised credentials are the number one source of data breaches, a new report suggests.

The report, entitled Identity Solutions: Security Beyond the Perimeter and released by the Cloud Security Alliance (CSA), says that almost a quarter (22 per cent) of all data breaches start with a compromised password.

Almost two-thirds (65 per cent) of respondents said that the chances of them being breached due to compromised passwords are medium to high.

What was surprising about the report is that there is almost no difference in security solutions between companies that reported being breached and those that either didn't report a breach, weren't breached yet, or didn't even know they had been breached.

Companies with big data solutions had more perimeter and identity security solutions, while 76 per cent of internal access control policies extended to outsourced IT, vendors and other third parties.

“The survey results are insightful into understanding insufficient identity, credential and access management, as it relates to the evolving, increasingly cloud-based enterprise,” said Luciano “J.R.” Santos, Executive Vice President of Research for the CSA. “We hope that organizations and cloud providers can use this information to help gain an understanding of how to protect themselves and their data beyond the perimeter, as they begin to adopt cloud environments.”

“The survey findings reiterate that compromised credentials are a leading point of attack used in data breaches,” said Bill Mann, Chief Product Officer for Centrify. “We hope that these findings will encourage organizations to leverage single sign-on, multi-factor authentication, mobile and Mac management, along with privileged access security and session monitoring, in order to minimize attack surfaces, thwart in-progress attacks and achieve continuous compliance.

“It’s also critical that companies secure internal and external users as well as privileged accounts – and it’s great to see that many organizations are already taking that step and extending access control policies to third parties.”
