• Home
  • /
  • Computing
  • /
  • It’s vital to protect employee passwords and credentials

It’s vital to protect employee passwords and credentials

In the modern threat landscape, too many regular employees have access to sensitive data – making them targets for an increasing number of cyber attackers.

Johannesburg, 13 Dec 2023
David Higgins, Senior Director, Field Technology Office, CyberArk.
David Higgins, Senior Director, Field Technology Office, CyberArk.

The sheer amount of access to sensitive resources that the average employee now has, means it comes as no surprise to learn that cyber criminals assign the same kind of value to employees’ passwords that was once only reserved for privileged users’ credentials.

In fact, a recent CyberArk survey of 1 750 security decision-makers from 10 industries indicates that 52% of employees have access to sensitive corporate data. In some sectors, that percentage is even higher.

According to David Higgins, Senior Director, Field Technology Office at CyberArk, high-profile cyber attacks – using stolen or leaked employee logins to breach and hijack entire IT systems – are on the rise. This is particularly concerning in light of the fact that globally, 54% of workers still use unsecured practices to keep track of their credentials.

“CyberArk’s own 2023 Identity Security Threat Landscape Report, which examines the evolving cyber threat landscape, revealed that sub-standard password security controls continue to provide an easy access point for attackers,” Higgins says.

“Some 85% of global security professionals have voiced their increasing concern around security incidents involving standalone password managers. A significant percentage (63%) also admit that current processes and technologies aren’t adequately securing the most highly sensitive access for employees.”

He notes that humans have always been a security wildcard, and this capacity has only increased with the advent of flexible work, increased churn and recession-driven outsourcing.

“There can be no doubt that the majority of security professionals suggest that they are concerned about confidential information loss stemming from employees, ex-employees and third-party vendors. In fact, many point to third parties – partners, consultants and service providers – as among the riskiest human identities that security teams have to deal with.

“Of course, credential theft has always been an attractive target for adversaries, but rapid digitisation has now created a virtually endless supply of identities to target. Phishing, social engineering and similar tactics are used to steal credentials to compromise identities, and it is these tactics that cyber security professionals struggle most against. It is also a risk that will soon heighten, thanks to AI-powered credential compromise, according to the same respondents.”

He adds that the problem is aggravated by poor password practices – from consolidating SaaS app logins in browsers to hard coding credentials – and can lead to more exposure for sensitive data. Even if users’ credentials are managed, it doesn’t necessarily mean they’re secure.

“It’s a tough time for business globally, amid an economic downturn, a continued cyber skills gap and long-term political instability. And for security professionals, there is the danger that threat actors are continually innovating to cause firms monetary and reputational damage,” says Higgins.

“Identity misconfigurations abound in hybrid and multicloud environments, and periods of workforce turnover make this problem even worse, not least because 52% percent of employees have access to sensitive corporate data. Fortunately, most organisations are automating access provisioning and de-provisioning, in order to shrink the attack surface, clean up misconfigured and unused access permissions and reduce risk exposure.”

Where organisations need to start is to conduct a comprehensive risk assessment. What are the risks faced? What is the probability and likelihood of attack? Where are the gaps that make your organisation vulnerable?

Focusing on passwords, many widely used applications are incompatible with – and therefore not protected by – your single sign-on (SSO) tool. They may well not use modern identity protocols. A risk assessment in this area would result in answering these questions:

  • Which apps live outside of SSO and how many are there? What kinds of data do these apps contain? Which apps bypass security policies?
  • Who in your workforce is using these apps?
  • For the high-risk apps, what controls and tools – if any – do you have in place for not merely managing them, but protecting them?

“As organisations go through this exercise, it’s important to keep the long game in mind, as securing the enterprise is an ongoing mission. Remember that as you bolster your password protection capabilities, you can build towards a holistic identity security approach that brings together a range of controls and solutions.

“Ultimately, though, statistics indicate that there are nearly 1 000 password attacks that occur globally, every second. This fact alone should be enough to ensure that security professionals begin to treat everyday employees’ credentials like the true operational risk they are, and start protecting them as if they all were privileged credentials,” concludes Higgins.