Six weeks ago, we celebrated World Password Day. Yet, unfortunately, not much has changed since last year. Cyber breaches are bigger and worse than ever. Hardly a week goes by without headlines about some new devastating cyber-attack. In fact, a CyberEdge report (PDF) found that a stunning 77 percent of surveyed organizations had suffered a breach over the past year.
And, when it comes to breaches, all roads still lead to identity. Hackers don’t hack in anymore—they log in using weak, default, stolen, or otherwise compromised credentials. Several studies have found that privileged credential abuse is involved in the majority of breaches, and many organizations are not taking basic steps to prevent it.
Shockingly, 52% of respondents to a Centrify survey said they do not have a password vault, and 21% still have not implemented multi-factor authentication (MFA) for privileged administrative access. Privileged credentials provide cyber adversaries with the “keys to the kingdom” and perfect cover for their data exfiltration efforts.
The reality is that many breaches can be prevented by some of the most basic privileged access management (PAM) tactics and solutions, coupled with a Zero Trust approach. Yet most organizations are investing the largest chunk of their security budget in protecting the network perimeter rather than focusing on security controls that can address the leading attack vector: privileged access abuse.
This is a big mistake. Organizations need to make privileged access management a top priority. Gartner has listed PAM on its Top 10 Security Projects for the past two years for good reason.
Here are three best practices for preventing identity-based compromises:
Go Beyond Passwords
Static passwords are no longer enough, especially for sensitive enterprise systems and data. There is no way to determine whether the user accessing data is the legitimate user or just someone who bought a compromised password from the 21 million that were revealed in the recent Collection #1 breach. Thus, static passwords can no longer be trusted. Organizations need to realize that MFA is the lowest-hanging fruit for protecting against compromised credentials.
Less is More
Gartner estimates that global spending on cybersecurity will hit $137 million annually in 2019, yet the breaches keep on coming. That’s probably because a large percentage of that money is being funneled into solutions that don’t address high-priority security threats and the expanding attack surface of digital enterprises. Hackers, for their part, are shifting their tactics and targeting the path of least resistance: namely, identity. They realize that it only takes one person still using “123456” as their password to ransack an organization.
Companies of all sizes, across all industries, must get more strategic about how and where they allocate their security dollars. Instead of pouring more money into a shotgun approach to security, organizations need a more focused strategy oriented toward purchasing the highest-reward tools. Since privileged access is now a leading attack vector, that is where the smart money should be going. If we assume hackers are already in the network, does it make sense to spend more money hardening the perimeter, or rather on restricting movement inside the network?
Trust Zero Trust
Zero Trust means trusting no one – not even known users or devices – until they have been verified and validated. Zero Trust Privilege helps enterprises grant least privilege access based on verifying who is requesting access, the context of the request, and the risk level of the access environment. Accounts with access to sensitive data should be given the ‘least amount of privilege’ and only for the period of time it is needed; after that, the privilege should be revoked. A Zero Trust Privilege model ensures that all access to services must be authenticated, authorized, and encrypted. This approach can help companies avoid becoming the next breach poster child, as well as the brand damage, customer loss, and value degradation that typically come with it.
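To make the “Go Beyond Passwords” and “Trust Zero Trust” points concrete, here is an added example (written for this page, not Centrify’s or any vendor’s code) of a toy just-in-time privilege broker. Every request is checked on who is asking (MFA is mandatory, a password alone never suffices), the context of the request (managed device, trusted network), and the risk level of the environment; any grant is drawn from a least-privilege role definition, is time-bound, and can be revoked early. The role table, network ranges, risk thresholds, and the users and requests in the demo are all constructed for illustration.

```python
"""Toy Zero Trust Privilege broker: verify identity (MFA), context and risk,
then issue only least-privilege, time-bound grants. Added illustration; all
policy data and requests below are constructed, not taken from any product."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Constructed least-privilege policy: privilege -> default lifetime in minutes.
ROLE_PRIVILEGES: Dict[str, Dict[str, int]] = {
    "dba": {"db:read": 480, "db:admin": 30},
    "sre": {"host:ssh": 60, "host:root": 15},
}
HIGH_PRIVILEGE: Set[str] = {"db:admin", "host:root"}   # extra context checks apply
TRUSTED_NETWORKS = ("10.0.", "192.168.")                # constructed corporate ranges


@dataclass
class AccessRequest:
    user: str
    role: str
    privilege: str
    mfa_verified: bool     # result of a completed second factor, not a password
    source_ip: str
    device_managed: bool
    risk_score: int        # 0 (low) .. 100 (high), e.g. from a risk engine (constructed)


@dataclass
class Grant:
    user: str
    privilege: str
    expires_at: datetime
    revoked: bool = False

    def is_active(self, now: datetime) -> bool:
        return not self.revoked and now < self.expires_at


class PrivilegeBroker:
    def __init__(self) -> None:
        self.grants: List[Grant] = []
        self.audit: List[str] = []   # every decision is recorded for review

    def evaluate(self, req: AccessRequest, now: datetime) -> Optional[Grant]:
        """Return a time-bound Grant, or None with the denial reason in the audit log."""
        allowed = ROLE_PRIVILEGES.get(req.role, {})
        if req.privilege not in allowed:
            return self._deny(req, "privilege not in role's least-privilege set")
        # 1. Who: a static password is never enough; require verified MFA.
        if not req.mfa_verified:
            return self._deny(req, "MFA not verified")
        # 2. Context: elevated rights only from managed devices on trusted networks.
        if req.privilege in HIGH_PRIVILEGE:
            if not req.device_managed:
                return self._deny(req, "unmanaged device")
            if not req.source_ip.startswith(TRUSTED_NETWORKS):
                return self._deny(req, "untrusted network")
        # 3. Risk: block high risk outright; shrink the window for medium risk.
        if req.risk_score >= 80:
            return self._deny(req, f"risk score {req.risk_score} too high")
        ttl = allowed[req.privilege]
        if req.risk_score >= 50:
            ttl = max(1, ttl // 4)
        grant = Grant(req.user, req.privilege, now + timedelta(minutes=ttl))
        self.grants.append(grant)
        self.audit.append(f"GRANT {req.user} {req.privilege} ttl={ttl}m")
        return grant

    def _deny(self, req: AccessRequest, reason: str) -> None:
        self.audit.append(f"DENY {req.user} {req.privilege}: {reason}")
        return None

    def has_privilege(self, user: str, privilege: str, now: datetime) -> bool:
        """Grants silently stop working when their window closes."""
        return any(g.user == user and g.privilege == privilege and g.is_active(now)
                   for g in self.grants)

    def revoke_all(self, user: str) -> int:
        """Revoke every active grant for a user (offboarding, incident response)."""
        n = 0
        for g in self.grants:
            if g.user == user and not g.revoked:
                g.revoked = True
                n += 1
        self.audit.append(f"REVOKE {user} count={n}")
        return n


def demo() -> dict:
    """Run three constructed requests through the broker and report the outcomes."""
    broker = PrivilegeBroker()
    t0 = datetime(2019, 6, 20, 9, 0, tzinfo=timezone.utc)
    ok = AccessRequest("alice", "dba", "db:admin", True, "10.0.5.7", True, 10)
    no_mfa = AccessRequest("bob", "dba", "db:admin", False, "10.0.5.8", True, 10)
    risky = AccessRequest("carol", "sre", "host:root", True, "10.0.9.1", True, 60)
    g_alice = broker.evaluate(ok, t0)
    g_bob = broker.evaluate(no_mfa, t0)
    g_carol = broker.evaluate(risky, t0)
    return {
        "alice_granted": g_alice is not None,
        "alice_active_after_20m": broker.has_privilege("alice", "db:admin", t0 + timedelta(minutes=20)),
        "alice_active_after_31m": broker.has_privilege("alice", "db:admin", t0 + timedelta(minutes=31)),
        "bob_denied": g_bob is None,
        "carol_ttl_minutes": (g_carol.expires_at - t0).seconds // 60 if g_carol else None,
        "alice_revoked": broker.revoke_all("alice"),
        "alice_active_after_revoke": broker.has_privilege("alice", "db:admin", t0 + timedelta(minutes=5)),
        "audit": list(broker.audit),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point of the demo is the shape of the decision, not the thresholds: the password is never consulted by the broker at all, each grant is scoped to one privilege from the role’s allowed set, the grant dies on its own when the window closes, and every grant, denial and revocation leaves an audit record a SOC can alert on.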
Organizations must assume that bad actors are in their networks already. Before next year’s World Password Day anniversary, companies across all industries should consider moving to a Zero Trust approach, powered by additional security measures such as multi-factor authentication (MFA), to stay ahead of the security curve and leave passwords behind for good.