The report also found that 84% experienced an identity-related breach or attack that used stolen credentials in the past 18 months.
Of the companies that reported a breach, the most significant aspect of the event included the following: 35% reported loss of sensitive data; 31% experienced financial loss through loss of business; 30% suffered brand/reputation damage; and 29% cited business downtime.
Finally, some 75% believe they’ll fall short of protecting privileged identities because they won’t get the support they need. A major reason: 63% say the company's board still does not fully understand identity security and the role it plays in securing business operations.
“While many organizations are on the right path to securing and reducing cyber risks to the business, the challenge is that large security gaps still exist for attackers to take advantage of, and this includes securing privileged identities,” said Joseph Carson, chief security scientist and advisory CISO at Delinea. “An attacker only needs to find one privileged account. When businesses still have many privileged identities left unprotected, such as application and machine identities, attackers will continue to exploit and impact businesses operations in return for a ransom payment.”
A big challenge for organizations to secure identities is the prevalence of identities tied to mobility and cloud environments, increasing the complexity of securing identities, Carson added. Businesses still attempt to try to secure them with the existing security technologies, which don't necessarily address the risk.
“This results in many security gaps and limitations,” Carson said. “Some businesses even fall short by trying to checkbox security identities with simple password managers. However, this still means relying on business users to make good security decisions. To secure identities, you must first have a good strategy and plan in place. This means understanding the types of privileged identities that exist in the business and using security technology that is designed to discover and protect them.”
Jasmine Henry, field security director at JupiterOne, added that as with any technology, ultimately, clients are responsible for securing their organization’s data and identities. Henry said the cloud provider is responsible for the security of the cloud, the client is responsible for security in the cloud, including data, app configurations, and network controls in the cloud.
“Organizations must make security a priority rather than an afterthought,” Henry said. “They should implement cyber hygiene basics, including mandatory security training across the entire organization, enforcing policies and data governance, managing identity and access controls, and clear visibility of cyber assets with automated asset inventory.”
Hank Schless, senior manager, security solutions at Lookout, said with so much sensitive data stored in cloud services that people can access from any device on any network, ensuring sufficient identity and credential management has become critical to securing the enterprise. Schless said attackers no longer try to brute force their way into enterprise infrastructure.
“With so many ways to compromise and steal corporate credentials, the preferred tactic is to pose as a legitimate user to avoid detection,” Schless said. “Organizations should be sure they have proper identity and credential management processes in place, but also need to understand the context under which users log into their infrastructure, how they access sensitive data, and what they do with it. Anomalies along the line can be indicative of malicious behavior due to compromised credentials.”