It's clear that the cyberthreat landscape is infinitely more complex and dangerous than ever before. The world experienced record data breaches in 2015 – vast in volume, size, and reach. While the media offered analysis, consumers and companies were left scrambling to check their inboxes and websites to see if their information had been stolen. In 2016, we surveyed enterprise employees to determine how their security practices were impacting organisations. Here are our findings.
What are the most significant, growing cyberthreats to companies today?
The new reality is that breaches are inevitable. The extent of a breach can spread quickly, wreaking havoc on the targeted business, while often causing harm to employees, customers, partners and investors. The bad guys have come to learn that the weakest link in a company’s defence is often an individual – or their identity credentials. You would think that as breaches impact more people individually, those people would become more vigilant about security processes. However, it seems that some employees are being incredibly ineffective in their security practices, leaving themselves and their employers at risk of exposure.
How do employees view their individual role in IT security processes?
Our Market Pulse Survey was designed to measure employees’ view of their own role in IT security. The survey data this year hits on two very important and very disconcerting points. First, employees are fully aware of how sensitive their personal data is and they want it to be protected. 85 per cent of respondents noted that they would react negatively if their personal information was breached.
However, while employees expect companies to protect their personal data, those same users aren’t following sound security practices to ensure their employer’s data is safe. In fact, the basic rule of having a unique password for each application was not being followed by the majority of respondents. These two findings illustrate a worrying disconnect: employees expect their personal information to be protected, but don’t understand how their poor password hygiene potentially exposes their employers to similar breaches.
Where are organisations currently falling short in managing employees’ security credentials?
Organisations are struggling to keep up with the pace of application and technology adoption. This is particularly true in the era of SaaS application adoption, in which employees are able to sign up for SaaS applications, often without IT or security department involvement.
More employees, one in every three, are purchasing and using cloud applications outside of IT’s view. Proper password policies and automated on- and off-boarding procedures can help to mitigate some of the security risks that result from the proliferation of security credentials both on premises and in the cloud. Unfortunately, the survey found that this isn’t happening in many organisations. Of those with access to corporate accounts and information, more than two in five people could access those same accounts and data after they had left their previous employer.
How can companies protect their employee and customer data?
It is clear that network-centric security is a strategy of the past. A paradigm shift has occurred over the past few years, in which a user-centric approach to security has emerged as the most robust strategy to secure an organisation’s assets in our distributed IT world. This latest research highlights the need for a combination of people, processes and technology to protect data effectively. If only one of the three is in place, the equation falls short and organisations will find themselves exposed to undue security risk. If the most recent data breaches have shown us anything, it’s that no company is safe from attacks, and the method by which information is compromised is constantly changing.
What role does identity have to play?
Companies today have multiple users entering their systems and accessing their data: employees, contractors, vendors, suppliers, partners, and even customers. Considering the sheer volume of users, applications and various levels of data access, it is easy to imagine an enterprise managing over a billion points of access. But these points of access can easily become points of exposure. Behind all those points of access is an identity. In this age of mobile device usage and cloud application adoption, often the only thing that links a device to a point of access is an identity.
Therefore, identity has become central to organisations moving forward. Putting identity and access management (IAM) at the core of security and IT infrastructures is essential for organisations to gain visibility into and ensure protection from threats coming from both outside and inside the network.
In 2016, more than ever, securing identity exposure points should be at the core of every enterprise’s security program.
Kevin Cunningham, president & founder at SailPoint