Using identity governance to mitigate future data breaches

(Image credit: Shutterstock/Ai825)

Whether it’s inputting our email address and password to view content behind a paywall or using our social media accounts as login portals to order take-aways, today’s world very much operates on a value exchange. But, with consumers frequently opting to share data in return for access to online content and services, the pressure is on for businesses to ensure that this information remains secure. 

While there is growing recognition of the importance of data security, we are seeing breaches increasingly hitting the headlines – with Quora the latest company in the spotlight for leaking consumer information. It therefore comes as no surprise that 57 per cent of British consumers are concerned about how much personal data they have previously shared online. And the problem doesn’t stop there. Recent hacks such as the Quora data breach have revealed that many consumers have lost track of where they’ve previously shared their personal details, or even what user accounts they have. And this uncertainty around data sharing and user accounts isn’t exclusive to consumers; it is common with enterprise users as well.

Organisations today aren’t just dealing with securing customer information; they’re also tasked with protecting employees and their access to important business applications and data. That might not sound very complicated, until you throw seasonal staff, temporary and contract workers plus internal moves across full and part-time staff into the mix. While seasonal workers, for example, are needed to deal with heightened business demands, this resource can come with a hidden danger which is often left undetected – that of orphaned accounts (dormant accounts of former employees). Just one of these accounts (orphaned or otherwise) cracked by a hacker gives them instant access to the organisation and its sensitive data.

Stay alert to stolen user credentials

It seems obvious, but it is vital that companies can answer the question of who has access to what across their business applications and data and, equally important, whether each user should or should not have that access. In many cases, permanent employees may still have their former access privileges long after they have left the company, while internal moves (either through promotion, or horizontally within the organisation) can leave workers with inappropriate or unnecessary access to data and systems.

The issues I’ve just described largely stem from a lack of proper visibility into all of an organisation’s users and their access to important business applications and data. This is where identity governance plays a critical role in helping companies see, understand and govern all access across their user population. Stolen employee credentials have become a significant threat to many businesses as hackers have turned their focus here as a lucrative inroad to gaining access to sensitive organisational information.

And it’s not just employees that organisations have to contend with. Today’s business operations rely on other users within the enterprise beyond employees, including contractors, business partners and even software bots – and these users can sometimes operate far outside of the traditional corporate firewall. Keeping up with these users and their access is incredibly complex for IT teams and becomes even more so when you think about the number of organisational changes that happen on a daily basis. It is the failure to effectively manage these changes which leaves the door open for hackers.

It is, therefore, imperative that organisations consider the full inventory of digital identities that make up the enterprise as the new ‘security perimeter’. Governing this perimeter should be a number one priority for businesses today.

Using identity governance to secure the perimeter

At the end of the day, the risk of unauthorised access cannot be completely eradicated, which is where identity governance comes in. It gives organisations the visibility needed to properly compare who currently has access to what with who should have access to what. This then gives IT teams the information they need to identify application and data access and usage behaviours that are outside of what is normal or necessary for the user’s role at the company and then apply the proper governance controls. Identity governance helps IT teams manage and govern access for all of their organisation’s digital identities, including helping them to identify orphaned accounts or users with access they no longer need to do their jobs. Governing access throughout a user’s life cycle with the organisation and, importantly, revoking that access after it’s no longer needed, helps to eliminate the risk of stolen, seemingly legitimate user credentials.
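The comparison described above, who currently has access against who should have it, can be sketched as a reconciliation between an HR roster and an account inventory. This is an added example, not code from the article or from any product; the account names, roles, entitlement strings and dates are constructed for illustration.

```python
from datetime import date

# Constructed sample data; all names, roles and entitlements are hypothetical.
# HR roster: identity -> (role, end date, or None while still engaged)
ROSTER = {
    "asmith": ("finance_analyst", None),
    "bjones": ("seasonal_retail", date(2019, 1, 5)),
    "ckhan": ("hr_partner", None),
}
# Role baseline: the access each role should have.
ROLE_BASELINE = {
    "finance_analyst": {"erp:read", "erp:post_journal"},
    "seasonal_retail": {"pos:sell"},
    "hr_partner": {"hris:read", "hris:edit"},
}
# Account inventory from the applications: what each account currently has.
ACCOUNTS = {
    "asmith": {"erp:read", "erp:post_journal"},
    "bjones": {"pos:sell"},                                   # contract ended
    "ckhan": {"hris:read", "hris:edit", "erp:post_journal"},  # kept after a move
    "svc_report_bot": {"erp:read"},                           # no owner in roster
}

def review_access(roster, baseline, accounts, today):
    """Compare current access with intended access and return findings."""
    findings = []
    for account, granted in sorted(accounts.items()):
        entry = roster.get(account)
        if entry is None:
            findings.append((account, "orphaned", "no matching identity in roster"))
            continue
        role, end = entry
        if end is not None and end < today:
            findings.append((account, "orphaned", f"identity ended {end.isoformat()}"))
            continue
        # Anything granted beyond the role baseline is access to review or revoke.
        excess = granted - baseline.get(role, set())
        if excess:
            findings.append((account, "excess", ", ".join(sorted(excess))))
    return findings

if __name__ == "__main__":
    for account, kind, detail in review_access(
            ROSTER, ROLE_BASELINE, ACCOUNTS, date(2019, 2, 1)):
        print(f"{account:15} {kind:9} {detail}")
```

Accounts with no roster match, such as the bot account here, are flagged for an owner to be assigned rather than assumed safe.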

It might be tempting to overlook the risks and postpone the implementation of vital protective technologies such as identity governance, but the financial and reputational costs of data breaches should be incentive enough for organisations to adopt a proactive mindset when it comes to governing identities and their access to sensitive applications and data. In fact, our research shows that the average cost of dealing with a breach is almost £700,000 per company, per breach. No company can afford that hit to the bottom line.

Besides the financial ramifications, a data breach can either make or break a brand when it comes to customer loyalty and future sales. While the stigma associated with a data breach isn’t what it was four or five years ago, the company’s reaction to the breach can still make a strong impact on how both current and potential customers view the brand. Take Yahoo! for instance – the online platform took a lot of heat after its series of breaches, mostly in terms of how lax it was in its approach to cybersecurity.

There are many steps to take to mitigate and shut down a breach once it’s happened, and every organisation should have a response plan in place. While no company today is safe from an attack, all organisations can be proactive in how they plan for the inevitable. By implementing an identity governance platform that can adapt to today’s ever-evolving IT landscape and can keep pace with today’s rapidly developing threats, organisations can protect not only their sensitive data, but also their brand reputation – which, in the long run, will make or break an organisation.

Paul Trulove, Chief Product Officer, SailPoint