How do you know your identity security delivers?
Identity provides the keys to the digital kingdom. Criminals know this, which is why phishing remains one of the most prolific forms of cyber crime. Phishing attempts to con users into giving up login details or installing harmful software, usually duping them with promises of rewards (you have lotto winnings waiting) or dire threats (your bank account was breached – change your password now). Some mimic invoice attachments or funny pictures; anything that will get you to click.
Phishing is very effective, accounting for between a quarter and a third of all cyber crime attacks. In 2019, the FBI ranked it as the most common form of internet crime, and UK government research found that phishing attacks targeted 83% of small businesses. The stakes are high: the average cost of a data breach in 2022 stood at US$4.54 million.
Most phishing attacks target identity, and practically every cyber criminal at some point tries to steal account credentials that bring them closer to their goal. It's no surprise that identity security is high on executive agendas. But perception and reality are not aligned.
"Our research shows that there is a big perception gap between how C-level executives and functional IT security leaders and practitioners view their organisation's ability to mitigate risk," says Amita Potnis, director of brand and thought leadership at CyberArk. "We're also noting a growing impatience among executives to see returns on investment given the growing spend on identity security. It's very important that companies close these gaps by recognising that investment in identity security is just the start, but the ROI will be delivered with the right implementation through integrations, automation and continuous threat detection and response."
A perception gap
There is little doubt that identity security is essential. According to Enterprise Strategy Group's 'The Holistic Identity Security Maturity Model report 2023' (sponsored by CyberArk), 81% of respondents plan to spend 10% or more of their cyber security budget on identity security.
Sixty-one percent of C-level executives believe their identity security will identify malicious behaviour with greater certainty, yet only 41% of others in their organisation agree. The gap appears in other areas too: 69% of executives think their identity security will reduce security response time, while only 49% of other employees agree, and 60% of executives say it will reduce their attack surface, compared with 50% of other staff.
Executive confidence looks misplaced: in the same report, 58% of all respondents felt their organisation had made the right identity security choice, yet 63% of organisations in the same survey group had fallen victim to identity-related attacks.
"We're seeing a big difference in perceptions about identity security and this is leading to two problems," says Potnis. "It means companies are less secure than they think and it's also creating misunderstandings between groups that should work together for effective security."
Executives want results
Research firm IDC predicts that by 2025, CEOs exhausted by constant security spending will start demanding security metrics and measurable results to justify their investments. CyberArk predicts it will happen even sooner, says Potnis: "The growing rate of cyber crime attacks is already making the C-level more sensitive to security matters. Companies are also spending more on security in response – the leading outcome of a successful cyber attack is increased spending on security. But spending more on security does not mean you get better security."
This trend will clash with the second leading reaction to a cyber attack: boards and leaders expecting more regular updates on security matters. "The situation can lead to a perfect storm of overspending and reporting without sufficient visible results. Yet at the same time, those companies will still have insufficient cyber security staff numbers and inadequate in-house expertise for high-priority areas such as identity security, and no specific line-item budget for identity security."
Four ways to measure identity security
Fortunately, the situation is salvageable. If executives and practitioners agree on how identity security is evaluated, they will know whether the investment delivers. The report frames that evaluation around four areas:
- Identity security tools must span management, privileged controls, governance, authentication and authorisation for all human and machine identities.
- Integrate identity security tools with IT and security solutions, securing access to all corporate assets and the entire IT estate.
- Implement automation for continuous compliance with policies, industry standards and regulations. Automation also enables rapid responses to high-volume routine and anomalous events.
- Use continuous threat detection and response to establish a baseline of normal identity behaviour, so that deviations from it are spotted and met with a proportionate reaction.
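To make the last two areas concrete, here is an added illustration (not code from the page, the report or any CyberArk product) of what "baseline identity behaviour" and an automated response look like in practice. It learns each user's usual countries, devices and sign-in hours from a constructed history of sign-in events, scores new events by how far they deviate, and maps the score to an action. The event format, scoring weights and thresholds are all assumptions chosen for the example; a real deployment would tune them against its own identity provider's logs.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from the page): past sign-ins used to learn each
# user's baseline. Each event is (user, ISO-8601 UTC timestamp, country, device_id).
HISTORY = [
    ("alice", "2023-05-01T08:12:00", "GB", "lap-a1"),
    ("alice", "2023-05-02T09:03:00", "GB", "lap-a1"),
    ("alice", "2023-05-03T08:47:00", "GB", "phone-a2"),
    ("alice", "2023-05-04T17:30:00", "GB", "lap-a1"),
    ("bob",   "2023-05-01T13:05:00", "US", "lap-b1"),
    ("bob",   "2023-05-02T14:40:00", "US", "lap-b1"),
    ("bob",   "2023-05-03T12:55:00", "CA", "lap-b1"),
]

# Constructed new events to evaluate against that baseline.
NEW_EVENTS = [
    ("alice", "2023-05-05T08:30:00", "GB", "lap-a1"),     # routine sign-in
    ("alice", "2023-05-05T03:10:00", "RU", "unknown-77"),  # new country, new device, odd hour
    ("bob",   "2023-05-05T13:20:00", "US", "tablet-b9"),   # new device only
    ("dave",  "2023-05-05T10:00:00", "DE", "lap-d1"),      # user with no history at all
]


def _hour(ts):
    return datetime.fromisoformat(ts).hour


def build_baseline(events):
    """Learn, per user, the set of countries, devices and sign-in hours seen so far."""
    baseline = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for user, ts, country, device in events:
        b = baseline[user]
        b["countries"].add(country)
        b["devices"].add(device)
        b["hours"].add(_hour(ts))
    return dict(baseline)


def score_event(baseline, event):
    """Return (score, reasons): each deviation from the user's baseline adds to the score.
    Weights are illustrative assumptions, not values from the report."""
    user, ts, country, device = event
    b = baseline.get(user)
    if b is None:
        # Nothing to compare against: treat as moderately suspicious rather than blocking outright.
        return 2, ["no baseline for user"]
    score, reasons = 0, []
    if country not in b["countries"]:
        score += 2
        reasons.append(f"new country {country}")
    if device not in b["devices"]:
        score += 1
        reasons.append(f"new device {device}")
    hour = _hour(ts)
    # An hour is unusual if it is more than two hours (wrapping at midnight) from any hour seen before.
    distance = min(min(abs(hour - h), 24 - abs(hour - h)) for h in b["hours"])
    if distance > 2:
        score += 1
        reasons.append(f"unusual hour {hour:02d}:00")
    return score, reasons


def decide(score):
    """Map an anomaly score to an automated response; thresholds are illustrative."""
    if score >= 3:
        return "block_and_alert"
    if score >= 1:
        return "step_up_mfa"
    return "allow"


def evaluate(history, new_events):
    """Baseline on history, then return (user, action, reasons) for each new event."""
    baseline = build_baseline(history)
    results = []
    for event in new_events:
        score, reasons = score_event(baseline, event)
        results.append((event[0], decide(score), reasons))
    return results


if __name__ == "__main__":
    for user, action, reasons in evaluate(HISTORY, NEW_EVENTS):
        print(f"{user:6} -> {action:16} {'; '.join(reasons) or 'matches baseline'}")
```

Run as-is, the routine sign-in is allowed, Alice's sign-in from a new country and device at 03:00 is blocked and alerted on, Bob's new tablet triggers step-up MFA, and Dave, who has no history, is also asked for step-up MFA rather than blocked. The point for the perception gap discussed above is that the baseline, the scoring and the response are all observable, so "does our identity security detect malicious behaviour?" becomes a question with a measurable answer rather than a matter of opinion.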
"One of security's big fallacies is that the more security you buy, the safer you are," says Potnis. "But that's like saying the more musicians you have in a band, the better it will sound. We know that's not true, and it's not true for security – especially something as ever-present as identity security. A good start in overcoming this perception is to agree on what an effective strategy looks like, using these four areas as a framework."
According to CyberArk's research, 85% of companies expect to use three or more public cloud service providers in 2023. That is great for business agility and time to market, but every additional provider adds identities and access paths that must be secured, and identity security is key to reducing that risk. The sooner organisations agree on how to measure whether their identity security delivers, the better prepared they will be to avoid trouble down the road, or at least to deal with it more effectively.