Employee data offers proverbial ‘keys to the kingdom’ to cybercriminals

(Image credit: Wright Studio / Shutterstock)

In today’s current climate, why is protecting and controlling identity so critical? 

Today, organisations house vastly greater amounts of sensitive data than ever before and their users have relatively easy access to that data. Securing this data is made more difficult by how we work today – while organisations used to rely heavily on perimeter security, today, it’s quite common for a business manager to access highly sensitive data stored in the cloud from a personal mobile device, all outside the purview of IT.

At the same time, today’s workforce has become an increasingly big target for cyber attackers who see stolen user credentials as the proverbial ‘keys to the kingdom.’ In fact, the vast majority of data breaches, whether conducted by a cyber attacker from inside or outside of the organisation, involve the misappropriation of digital identities and user credentials. In addition to targeting networks and endpoints, cyber attackers are exploiting identities to gain legitimate access to sensitive systems and high-value personal and corporate data.

According to the Verizon 2017 Data Breach Investigations Report, 81% of hacking-related breaches involve the misuse of identity credentials, leveraging stolen and/or weak passwords. Insider threats can pose a similarly high risk to organisations by leveraging valid user credentials to steal sensitive data while often remaining undetected. This is why protecting the identity of today’s digital workforce is imperative. 

With an increasing number of prominent data breaches, what technical investments do organisations need to make to protect identity?

Comprehensive identity management is an investment that helps businesses regain control. With identity governance in place, businesses gain complete visibility across today’s increasingly complex, often hybrid, IT environment. Identity governance helps to link people, applications, data and devices to show who can access what, what they’re doing with that access, what kind of risk that represents, and allows organisations to take action to mitigate that risk. Identity governance empowers organisations to automate costly IT processes while ensuring compliance with an alphabet soup of regulations and improving their overall security posture.

Today’s cybersecurity regulatory climate has also increased, bringing with it heavy fines. Regulations are paying closer attention to visibility and control around sensitive data, so properly managing who has access to that data and what they’re doing with it is key. Once again, identity governance plays a crucial role here. A comprehensive identity governance solution includes: compliance controls, automated provisioning, password management, and importantly as it relates to GDPR compliance, governance for data stored in files and folders. These solutions are critical in identifying critical corporate data, securing that data and demonstrating proof of GDPR compliance across an entire organisation. 

With these new investments, where does this leave legacy architectures and how can organisations still get the most out of their existing technology?

One major concern within this landscape is the burden of completely renovating existing systems to meet modern technological needs. Many organisations fear that a complete overhaul of their identity program is necessary. However, this isn’t – and doesn’t have to be – the case if they take a governance-based approach to identity.    

Specifically, this means making sure that the organisation has full visibility and accountability for people and their access, no matter where the user is located or what device they are using to access the data. It’s the first line of defense in protecting critical corporate data. The second key to migrating securely is the ability to govern everything. Organisations need to understand who has access, if they should have access and what they are doing with that access. With BYOD and the global workforce, enterprises are tasked with managing increasingly complex environments where employees can use their personal devices to access corporate accounts in the cloud – and IT organisations need visibility into and control over that. One of the many benefits of identity governance, in addition to security, is that it also empowers the user, enabling them to access data whenever, wherever, securely and without boundaries. It’s not just good for security, but good for business. 

How can global organisations ensure identity is protected across all their offices 24/7, 365?   

What’s required today is a robust identity governance program – it’s the only way to truly get a view into who currently has access to which resources, who should have access to those resources, and how that access is being used. Identity governance is a critical, foundational layer of any modern cyber security strategy that complements and builds upon traditional perimeter- and endpoint-centric security solutions, which on their own are increasingly insufficient to secure organisations, and their applications and data. With identity governance as the foundation, businesses now have one system of record for all of the digital identities they manage across their entire IT environments. This visibility is critical and investing in identity governance allows global organisations to ensure identity is protected across all four corners of the globe at all times. 

From your experience, what sectors are getting it right when it comes to protecting identity and which need to catch up? 

The cyber threat landscape is infinitely more complex and dangerous than ever before, and every industry needs to take proactive measures to improve security. Organisations across the board are struggling to keep up with the rate and pace of application and technology adoption.    

The most advanced industries with regard to existing identity governance programs are those that are highly regulated and have been historically, like finance and insurance, because they have been adhering to complex regulations the longest. But as data breaches and stricter regulations continue to be top-of-mind, every industry is paying attention.

The good news is there are industry best practices, and companies just starting with identity governance don’t have to make it up as they go. Identity governance can provide them with the visibility they need into who is doing what within their organisation and what kind of risk that represents, while also addressing many compliance needs.    

The truth is, all industries are playing catch up when it comes to protecting data, because the landscape is constantly evolving. Only those businesses that take a proactive stance will ensure their security and stay afloat. 

Mark McClain, CEO and Co-founder at SailPoint 

In his role as CEO, Mark directs and drives the overall vision and strategy for SailPoint, creating a collaborative and innovative work environment, and focusing on the needs of customers.