Passwords are our Achilles Heel: It’s time for a fresh approach

By Andy Heather, General Manager and Vice President EMEA, Centrify
Published: 23 February 2017

Hackers got hold of over one billion identities last year, as data breach incidents just kept on escalating. If ever a stat highlighted the failure of current approaches to protect corporate systems, it’s this one. In fact, two-thirds of organisations have experienced an average of five breaches over the past two years, according to Forrester. The tens of billions of pounds CIOs invest in security every year just aren’t getting to the heart of the problem: passwords.

Nearly two-thirds (63%) of data breaches involve weak, default or stolen passwords, according to Verizon. To stand any chance of success, organisations desperately need to rethink their approach to security. And this must start with a new focus on increasing the maturity of their Identity & Access Management (IAM) programmes.

Accounts under attack
Why are passwords the Achilles heel of modern IT systems? Because they can be easily compromised via phishing attacks and/or info-stealing malware, allowing attackers to walk right through the virtual front door of the organisation. Privileged account credentials – such as those belonging to IT admins – are particularly highly prized as they can offer unfettered access to stores of highly sensitive IP and customer data. In fact, Forrester estimates that 80% of breaches involve these log-ins.

Think IT staff manage their passwords more securely than regular users? Think again. Frequently they’re guilty of the same bad habits: simple, easy-to-guess or easy-to-crack credentials, extensive password reuse and even log-ins written down on post-it notes. And even if your staff are strictly vetted and managed, can you say the same for your contractors – often targeted by hackers as one of the weakest links in cybersecurity? By maintaining this outdated approach to identity and access management, we’re making the hackers’ job way too easy.

Today’s CIOs and CISOs are also responsible for increasingly complex and siloed IT environments – multiplying the volume of passwords and identities that need to be managed securely. As well as exposing organisations to increased risk of a breach, multiple identity siloes can create a compliance nightmare if named users can’t be associated with related activity, access controls and role-based privileges.

The growth of cloud, virtual and now Internet of Things (IoT) systems will only continue to escalate these challenges. And they could have a catastrophic impact if not properly managed. The coming European General Data Protection Regulation (GDPR), for example, will levy fines of up to 4% of annual global turnover for serious privacy breaches. That’s not to mention the impact of reputational damage on customer churn and share price. It’s no surprise that the average cost of a data breach to UK firms stood at over £2.5m last year.

A fresh approach
IT leaders therefore need to focus on improving the maturity of their IAM programmes. Try minimising the number of privileged accounts in the organisation. This can be done quite simply and will start the process of reducing your attack surface. By limiting lateral movement inside the organisation and enforcing a “least privilege” approach – that is, granting users only enough privileges to do their job and no more – you can make it harder for attackers to accomplish their goals.

For example, by restricting user access to specific systems and even within those systems to specific commands, it becomes more difficult for hackers to find the handful of IT staff with the right privileges they need to access targeted data. Also consider automated systems to provision and de-provision privileges for specific limited time periods – further restricting access to users, and therefore any attackers that might be inside your network. Monitoring and logging those privileged accounts is also a great way to spot any unusual activity and enforce best practice IAM.

Phasing out passwords
But we need to go further. In a world where passwords are susceptible to compromise and have multiplied to the point where they can no longer be managed effectively, organisations must look to multi-factor authentication (MFA). This is an easy win for IT leaders looking to improve IAM as it adds an extra layer of security at log-in – typically through biometrics or a generated one-time passcode.

Try combining this with Single Sign-On (SSO), designed to improve the user experience by consolidating access across multiple systems. SSO will also help reduce identity siloes and therefore improve visibility and compliance efforts. Ally this with a risk-based approach that takes account of factors such as the user’s geographic location, role, and past behaviour, so that MFA is enforced only when the log-in attempt is assessed as high risk. This makes the whole process even more straightforward and friction-free for the user whilst maintaining maximum security for the organisation.
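As an added illustration of the risk-based step-up described above (example code, not from the article or from Centrify), a small Python policy scores each log-in against a per-user baseline of location, device and hours, weights the user's role, and requires MFA only when the score crosses a threshold. The users, baselines, weights and threshold are all constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Baseline:
    """Normal behaviour for one user (would be derived from past sign-in logs)."""
    countries: set      # countries the user has signed in from before
    work_hours: range   # local hours of day the user normally signs in
    devices: set        # device identifiers seen before

@dataclass
class LoginAttempt:
    user: str
    role: str           # "admin" (privileged) or "staff"
    country: str
    hour: int           # local hour of the attempt, 0-23
    device_id: str
    recent_failures: int  # failed attempts on this account in the last hour

# Constructed baselines for two hypothetical users.
BASELINES = {
    "alice": Baseline({"GB"}, range(8, 19), {"lap-01"}),
    "bob": Baseline({"GB", "DE"}, range(7, 20), {"lap-02"}),
}
MFA_THRESHOLD = 40  # score at or above which MFA is required (constructed value)

def risk_score(attempt, baseline):
    """Weigh each risk signal the article names; return (score, reasons)."""
    checks = [
        (attempt.country not in baseline.countries, 40, "unfamiliar country"),
        (attempt.hour not in baseline.work_hours, 15, "outside usual hours"),
        (attempt.device_id not in baseline.devices, 25, "unknown device"),
        (attempt.recent_failures >= 3, 20, "recent failed attempts"),
        (attempt.role == "admin", 20, "privileged role"),  # admin log-ins are the prized target
    ]
    score = sum(weight for hit, weight, _ in checks if hit)
    reasons = [reason for hit, _, reason in checks if hit]
    return score, reasons

def decide(attempt):
    """Return "mfa" when the attempt is high risk, otherwise "allow" (SSO only)."""
    baseline = BASELINES.get(attempt.user)
    if baseline is None:
        return "mfa"  # no history to compare against: treat as high risk
    score, _ = risk_score(attempt, baseline)
    return "mfa" if score >= MFA_THRESHOLD else "allow"

if __name__ == "__main__":
    for a in (LoginAttempt("alice", "staff", "GB", 10, "lap-01", 0),
              LoginAttempt("bob", "admin", "BR", 3, "phone-9", 4)):
        print(a.user, decide(a), risk_score(a, BASELINES[a.user]))
```

A routine log-in from a known device and country passes straight through on SSO, while the same admin account from a new country and device after several failures is stepped up to MFA.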

The results speak for themselves. Forrester claims that organisations with the highest IAM maturity suffer half the number of breaches experienced by the least mature. This could have a very real impact on the bottom line, by saving an estimated 40% in technology costs and an average of $5m (£4m) in breach costs.

It’s time to stop throwing money away on security investments and get to the heart of the problem, by rethinking how you authenticate and manage your users.