If we’d take a moment to pull our heads out of the sand and look around, we’d quickly see that we’re on an ominous trajectory. There’s no arguing that over the last several years, we’ve been suffering from increasing numbers of breaches, cyberhacks and data leaks.
What’s truly puzzling is the fact that we’ve grown so used to the headlines, they no longer seem to impact us: Target spent $250 million to manage a breach? A massive 1 terabytes per second attack against a DNS provider that knocks out major websites? One billion Yahoo identities hacked? Even a hacked election?
All of it shrugged off after the initial outrage.
You’d think the American public would rise out of their slumber and insist on the protection of their identities, their privacy and their finances. You’d think companies and governments would be screaming to keep their brands out of the headlines and avoid the multi-million-dollar associated costs. You’d think businesses across all sectors would be looking at the security industry and demanding the issue be addressed with speed, strength and ingenuity. But despite the fact that it‘s crystal clear that security companies are not adequately protecting their customers, the vast majority of us stop banging the drum. So, allow me:
If you’re a business or government paying a security company hundreds of thousands to millions of dollars to protect your business, and yet you’re suffering multiple security breaches, you have a problem. The problem is that your security providers are taking an obsolete approach that is not capable of effectively protecting your organization against breaches.
Did you ever wonder why there isn’t a moat around your business? It’s because moat technology is obsolete — marauders found better ways into your castle. It’s not that different from modern-day cybersecurity. The perimeter disintegrated years ago, and we’re still building moats.
Forrester research findings
A study we recently conducted with Forrester research found that two-thirds of the organizations polled had experienced an average of five security breaches in the last two years, and hackers compromised more than one billion identities in 2016. That’s 2.74 million identities each day, which translates to over 100,000 every hour. That sounds like a tipping point, no?
Just a few years ago, organizations could rely on a combination of firewalls and endpoint security tools to protect their assets. Those days are over. Today, the perimeter has been obliterated by millions of cloud-based applications and billions of mobile devices that have rendered the most powerful security solutions of the last decade virtually obsolete. And get ready for the more than 50 billion internet of things (IoT) devices that will certainly wipe out any remaining outdated security practices – most especially the password.
Will a shift in focus buck the trend?
The Forrester research study, which surveyed IT security professionals from an array of organizations, was able to identify one group of companies that was bucking the trend. In fact, this group was 43 percent less likely to suffer a network breach, and 46 percent less likely to suffer either a server breach, or a breach of cloud apps.
What do these companies know that others don’t? They know that in this new paradigm, it’s no longer the perimeter that’s being targeted in breaches — they know that their users’ identities and passwords have become the primary targets. In fact, Verizon reported last year that two-thirds of data breaches involved stolen usernames and passwords, and Forrester also found that 80% of breaches involved the misuse of privileged accounts that had “super user” permissions on networks, servers and apps.
So these companies have responded by taking a serious, integrated approach to identity and access management that address both end user and privileged accounts.
In a nutshell, Forrester divided companies into groups based on how they had responded to evolving threats over time. At one end of the spectrum were those that had instituted multiple technologies and best practices aimed at securing the identities of users -- and also carefully managing their specific privileges once inside the network. At the other end were those that had only initiated basic programs or tactical solutions.
The result was that those less mature (83% of organizations) in their approach to identity management experienced more than twice the number of breaches, and suffered $5 million more in financial damages. This suggests that the technologies and practices do exist – it’s the mindset that has to evolve.
We have to understand that the game has changed and that to protect the organization, we have to meticulously manage and protect the identities that are accessing it. In other words, if we can fix the problem of too many passwords and too much privilege, we can significantly decrease the number of breaches — and in fact the Forrester report showed by nearly half.
The tipping point
So, what is the tipping point? Most security experts aren’t sure. It looks increasingly like we have two options:
One, we hit a tipping point where we become aware of the dangers of ignoring the issues snow-balling around us and we accept responsibility and aggressively rethink our security strategies. Moving to the next dimension of security will be essential to prevent the mass-criminalization of the Internet. This would allow us to embrace new technologies with relative ease and propel us into the future.
Two, we continue to stick our heads in the sand, and breaches continue to impact every aspect of our lives — from our politics to our communications to our finances — until we’re paralyzed by a lack of trust.
I don’t think we can overstate the impact of what a complete loss of trust would mean to our future. Without trust, how can we continue to use the technologies we have, much less adopt new ones? With the current state of security, would we ever be able to climb into an internet-connected, self-driving vehicle with any level of confidence? Think about that.