If we open our eyes, we can see we’re on a dangerous trajectory. In recent years, our world has suffered from increasingly frequent security breaches, cyberhacks and data leaks.
What’s truly puzzling is that we’ve grown so used to the headlines, they no longer shock us: Target spent $250 million to manage a breach? Major websites knocked out by a massive one terabyte per second attack against a DNS provider? One billion Yahoo identities hacked? Even a hacked election?
After the initial outrage, the latest security onslaught is just shrugged off.
You’d think the public would insist on protecting their identities, their privacy and their finances. You’d think companies and governments would fight to keep their brands out of the headlines and avoid associated multi-million-dollar costs. You’d think businesses across all sectors would demand that the security industry address this issue with speed, strength and ingenuity.
But, although it‘s crystal clear that security companies are not adequately protecting their customers, the vast majority of us are mute on the subject.
So, let me speak up.
If you’re a business or government agency paying hundreds of thousands to millions of dollars to a security company to protect your business, and yet you suffer multiple security breaches, you have a problem. The problem is that your security providers are taking an obsolete approach that cannot effectively protect your organisation against breaches.
Do you ever wonder why there isn’t a moat around your business?
It’s because moat technology is obsolete. Marauders found better ways to invade your castle.
This moat metaphor applies to modern-day cybersecurity. Through the perimeter disintegrated years ago, we’re still building moats.
A recent study Centrify conducted with Forrester research found that two-thirds of organisations polled had experienced an average of five security breaches in the past two years. Hackers compromised more than one billion identities in 2016: That’s 2.74 million identities each day - more than 100,000 every hour! That sounds like a tipping point, no?
Just a few years ago, organisations could rely on a combination of firewalls and endpoint security tools to protect their assets. Those days are over.
Today, the perimeter is obliterated by the onslaught of millions of cloud-based application users and billions of mobile devices that have rendered the most powerful security solutions of the past decade virtually obsolete.
Tomorrow, more than 50 billion Internet of Things (IoT) devices will certainly wipe out any remaining outdated security practices – most especially the password.
The Forrester research study, which surveyed IT security professionals from an array of organisations, identified one group of companies that is bucking the trend.
Forrester found this group was 43 per cent less likely to suffer a network breach, and 46 per cent less likely to suffer either a server breach or a breach of cloud apps.
What do these companies know that others don’t?
They know that breaches no longer target the perimeter - they recognise the primary targets are now the identities and passwords of their users.
Last year, Verizon reported that two-thirds of data breaches involved stolen usernames and passwords. Forrester also found that 80 per cent of breaches involved the misuse of privileged accounts that had “super user” permissions on networks, servers and apps.
So these companies have responded by taking a serious, integrated approach to Identity and Access Management (IAM) that addresses both end user and privileged accounts.
In a nutshell, Forrester divided companies into groups based on how they had responded to evolving threats over time. At one end of the spectrum were organisations that had instituted multiple technologies and best practices aimed at securing the identities of users — and also carefully managing their specific privileges once inside the network.
At the other end were those that had only initiated basic programs or tactical solutions.
The result was that the 83 per cent of organisations that were less mature in their approach to Identity Management experienced more than twice the number of breaches and suffered $5 million more in financial damages.
This suggests that the technologies and practices do exist – it’s the mindset that has to evolve. We need to understand that the game has changed. To protect your organisation, we must meticulously manage and protect the identities that access it.
In other words, if we can solve the problem of too many passwords and too much privilege, we can significantly reduce the number of breaches — by nearly half according to the Forrester report!
So, what is the tipping point? While most security experts aren’t sure, it looks like we face two options.
One, we acknowledge this new paradigm, we accept responsibility and we aggressively rethink our security strategies.
Moving to this next dimension of security is vital to prevent the mass-criminalisation of the Internet. This would allow us to embrace new technologies with relative ease and propel us into the future.
Otherwise, we keep our eyes closed to the dangers of the security threats that are snowballing around us, data breaches continue to impact every aspect of our lives — from our communications and our finances to our politics - until we are paralysed by a lack of trust.
We can’t overstate the impact of what a complete loss of trust would mean to our future. Without trust, how can we continue to use the technologies we have, much less adopt new ones?
With today’s current state of security, how can we expect to climb into an Internet-connected, self-driving vehicle with any level of confidence?
Think about that.
Tom Kemp, CEO, Centrify Corporation