In our latest blog, Amrit Bassi, IAM Managed Services Manager at our partner Securience talks about how organisations can manage digital risk using Identity and Access Management.
In an increasingly competitive market, businesses are transforming themselves to grow revenue while also improving their customer satisfaction (CSAT) scores. To achieve this they rely more and more on digital business operations and on newly adopted technologies. That trend brings obvious business benefits, but it also creates the potential for unwanted or unexpected digital risks.
Enter risk management, through which organisations identify, evaluate and manage risks across all business functions. To underline how much is at stake, here’s a statistic from Gartner:
“By 2020, 60% of digital businesses will suffer major service failures, due to the inability of IT security teams to manage digital risk.”
Let’s discuss some of the most common digital risks organisations face and the different ways to manage them.
Migration to Cloud Services
An organisation that migrates its data to the cloud becomes exposed to cloud abuse. That data can be of any nature, including the business applications on-boarded to the Identity and Access Management (IAM) solution. Attackers can exploit poorly secured cloud services and leave the organisation tangled in a web of financial, reputational and compliance risks. Limited visibility of those risks can lead to outcomes such as data loss or, worse, stolen user credentials, and the absence of mitigating controls compounds the problem.
To mitigate these risks, an organisation needs clarity on the requirements and end goals of its cloud migration strategy. A risk assessment should be conducted to understand the risks the migration introduces. The development and implementation stages should be approached with methodical planning and heightened due diligence. A disaster recovery and reversibility strategy should be designed, tested and implemented. If the IAM system supports risk-based scoring, it can also be used to prioritise the risks before the mitigation steps are implemented.
Insider Threat
An insider threat is a current or former employee using their access to compromise the confidentiality, integrity or availability of an organisation’s assets, whether deliberately or by accident. The risk is growing with digital transformation, increased connectivity and expanding reliance on third-party vendors. According to the 2019 Insider Threat Survey Report, “73% of organisations confirm insider attacks are becoming more frequent”. Human error remains the greatest risk any organisation faces: an untrained or negligent employee can cause irreparable damage, and the exposure multiplies once remote workers and third-party vendors are included.
Like any risk, insider threat needs to be prevented, detected and monitored with appropriate controls. Training and education are among the most effective mitigations, but they should be underpinned by strong foundational IAM capabilities: a Joiner, Mover, Leaver (JML) process that grants, adjusts and removes access as people join, change role or leave, and segregation of duties (SoD) policies that stop one person from holding a conflicting combination of entitlements.
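As an added illustration of the two IAM controls just mentioned (this is example code written for this page, not Securience’s or any IAM product’s own logic), the block below runs a segregation-of-duties scan over an entitlement snapshot and a leaver reconciliation that compares an HR feed with the accounts still enabled in connected systems. The toxic entitlement pairs, users, HR records and account inventory are all constructed sample data; the role names are hypothetical.

```python
"""Added example (not from the original post): a segregation-of-duties (SoD)
scan and a leaver (JML) reconciliation over constructed sample data."""
from datetime import date

# Constructed SoD policy: entitlement pairs one person must never hold together.
TOXIC_PAIRS = {
    frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}),
    frozenset({"GL_POST_JOURNAL", "GL_APPROVE_JOURNAL"}),
    frozenset({"IAM_REQUEST_ACCESS", "IAM_APPROVE_ACCESS"}),
}

# Constructed entitlement snapshot as an IAM tool would export it: user -> roles.
ENTITLEMENTS = {
    "alice": {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT", "GL_POST_JOURNAL"},
    "bob":   {"GL_POST_JOURNAL", "AP_CREATE_VENDOR"},
    "carol": {"IAM_REQUEST_ACCESS", "IAM_APPROVE_ACCESS"},
}

# Constructed HR feed: the authoritative source for joiner/mover/leaver events.
HR_RECORDS = {
    "alice": {"status": "active", "leave_date": None},
    "bob":   {"status": "terminated", "leave_date": date(2019, 6, 30)},
    "carol": {"status": "active", "leave_date": None},
    "dave":  {"status": "terminated", "leave_date": date(2019, 9, 1)},
}

# Constructed account inventory from connected systems: (system, user, enabled).
ACCOUNTS = [
    ("ad", "alice", True), ("ad", "bob", True), ("ad", "carol", True),
    ("vpn", "bob", True), ("sap", "dave", False), ("vpn", "dave", True),
    ("git", "mallory", True),   # nobody in HR owns this account
]


def sod_violations(entitlements, toxic_pairs=TOXIC_PAIRS):
    """Return {user: [sorted toxic pair, ...]} for every conflict a user holds."""
    found = {}
    for user, roles in entitlements.items():
        hits = [tuple(sorted(pair)) for pair in toxic_pairs if pair <= roles]
        if hits:
            found[user] = sorted(hits)
    return found


def stale_leavers(hr_records, accounts, today, grace_days=0):
    """Accounts still enabled for people HR marks as having left before `today`,
    plus orphan accounts that map to no HR identity at all."""
    stale = []
    for system, user, enabled in accounts:
        rec = hr_records.get(user)
        if rec is None:
            stale.append((system, user, "orphan: no HR record"))
            continue
        if not enabled or rec["status"] != "terminated" or rec["leave_date"] is None:
            continue
        if (today - rec["leave_date"]).days > grace_days:
            stale.append((system, user, f"left {rec['leave_date']}, still enabled"))
    return stale


if __name__ == "__main__":
    for user, pairs in sod_violations(ENTITLEMENTS).items():
        print(f"SoD violation: {user} holds {pairs}")
    for system, user, why in stale_leavers(HR_RECORDS, ACCOUNTS, date(2019, 10, 1)):
        print(f"Leaver gap: {user}@{system}: {why}")
```

In a real deployment the entitlement snapshot comes from the IAM connector exports and the HR feed from the HR system of record; the orphan case is worth keeping because accounts with no owning identity are exactly the ones a leaver process never revokes.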
Absence of Multi-Factor Authentication (MFA) Solution
A 2019 Verizon report states that around 80% of data breaches are due to stolen or weak credentials.
Single-factor authentication (SFA) has never been so vulnerable. Relying only on “something you know”, your password, provides very little protection. Modern password-cracking systems can try millions of combinations per second against a stolen hash, attackers increasingly use artificial intelligence (AI) and machine learning (ML) to generate the guesses most likely to succeed, and when credentials have already been stolen in a breach no cracking is needed at all.
To mitigate the risk of SFA, an organisation should upgrade to an MFA solution. MFA adds a further layer by combining the password with “something you have” (a hardware token, a smart card or an authenticator app on a registered phone) and/or “something you are” (a biometric such as a fingerprint). Note that a PIN on its own is still “something you know”; it only contributes a second factor when it unlocks a device the user physically possesses. Each additional, independent factor adds defence in depth against credential theft.
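To make the “something you have” factor concrete, here is an added example (written for this page, not taken from the original post or from any MFA vendor’s code) of the time-based one-time password scheme from RFC 6238 that authenticator apps and many hardware tokens implement: the possession factor is a secret seed stored on the device, and the six-digit code proves the seed is present without ever sending it. The seed used here is the RFC 6238 reference test key, not a real credential, and the 30-second step and one-step skew window are assumptions matching common deployments.

```python
"""Added example (not from the original post): RFC 4226 HOTP and RFC 6238 TOTP
in pure Python, with a verifier that tolerates one step of clock skew."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (ASCII "12345678901234567890"); a real deployment
# provisions a random per-user seed, usually shared with the app as base32.
TEST_SEED = b"12345678901234567890"
STEP_SECONDS = 30   # assumed time step, the common default


def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed, at_time=None, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time step."""
    t = time.time() if at_time is None else at_time
    return hotp(seed, int(t // STEP_SECONDS), digits)


def verify_totp(seed, submitted, at_time=None, window=1, digits=6):
    """Accept the code for the current step and +/- `window` neighbouring steps.
    compare_digest keeps the comparison constant-time so the verifier does not
    leak how many leading digits matched."""
    t = time.time() if at_time is None else at_time
    counter = int(t // STEP_SECONDS)
    return any(
        hmac.compare_digest(hotp(seed, counter + skew, digits), submitted)
        for skew in range(-window, window + 1)
    )


def seed_from_base32(encoded):
    """Decode the base32 seed that authenticator apps receive via QR code."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    print("code at t=59:", totp(TEST_SEED, at_time=59))   # RFC 6238 vector: 287082
    current = totp(TEST_SEED)
    print("current code accepted:", verify_totp(TEST_SEED, current))
```

Two caveats a production verifier must add: reject a code that has already been accepted within its window (replay), and remember that TOTP is not phishing resistant, since a user can be talked into typing the current code into a fake login page; that is exactly the social engineering risk the next section covers.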
Social Engineering Attacks
Simply put, social engineering is the process of manipulating a person into giving up confidential information or access. What the fraudster obtains ranges from passwords to bank details, or access to the organisation’s systems for malicious activity. Social engineering succeeds so often because it exploits people’s instinct to trust and cooperate.
Some of the most common social engineering techniques include:
Phishing attacks – Sending a fraudulent email disguised as a legitimate one, normally to trick the recipient into sharing personal or banking details or into installing malware, usually through a harmless-looking link or attachment.
Vishing – The same deception delivered by phone call.
Tailgating – Also known as piggybacking, this gains access to a secure location by following an authorised person through the door. It relies on the unsuspecting victim assuming the follower is allowed to be there.
Social engineering relies on human interaction to fraudulently obtain information or compromise assets or data. To mitigate it, organisations should educate their workforce about the common attacks and the many ways they can be executed. That education should be backed by technical controls: intrusion detection (IDS) and intrusion prevention (IPS) systems, anti-malware, and mail filtering that flags spoofed or lookalike sender domains, so that the attacks that do get through are the exception rather than the rule.
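The phishing description above names two tells that are cheap to check by machine: a link whose visible text names one domain while the real target is another, and a sender domain that is one character away from a domain the organisation or its partners own. The block below is an added example written for this page (not Securience’s own tooling) that runs both checks over a raw email. The sample message, the trusted-domain list and the domain names in it are constructed; the “last two labels” domain approximation is a simplification a real filter would replace with the public suffix list.

```python
"""Added example (not from the original post): two phishing indicators over a
raw RFC 5322 message: anchor text vs. href domain mismatch, and a sender domain
that is a one-character lookalike of a trusted domain. All data is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist of domains the organisation and its partners actually use.
TRUSTED_DOMAINS = ("securience.com", "example-bank.com")

# Constructed sample message: display name and anchor text both claim the bank,
# while the real sender domain and the real link target do not.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
To: user@securience.com
Subject: Urgent: verify your account
Content-Type: text/html

<p>Please <a href="http://login-verify.example.net/acct">https://example-bank.com/login</a> now.</p>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host):
    """Crude last-two-labels approximation; real code uses the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return the trusted domain this one imitates, or None if exact or unrelated."""
    if domain in trusted:
        return None
    for candidate in trusted:
        if edit_distance(domain, candidate) <= max_distance:
            return candidate
    return None


def mismatched_links(html):
    """(claimed, actual) for anchors whose visible URL names a different domain than the href."""
    out = []
    for href, text in ANCHOR_RE.findall(html):
        shown = re.search(r"https?://([^/\s<]+)", text)
        if not shown:
            continue   # plain-word link text; nothing to compare against
        target = registrable_domain(urlparse(href).hostname or "")
        claimed = registrable_domain(shown.group(1))
        if target != claimed:
            out.append((claimed, target))
    return out


def phishing_indicators(raw_message):
    """Run both checks over a raw message; returns a list of human-readable findings."""
    msg = message_from_string(raw_message)
    findings = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    imitated = lookalike_domain(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain} looks like {imitated}")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for claimed, target in mismatched_links(body):
        findings.append(f"link text claims {claimed} but points to {target}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("phishing indicator:", finding)
```

Neither check is proof of phishing on its own; they are the kind of signals a mail filter scores and a security awareness programme teaches people to look for by hand.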
Absence of Privileged Access Management (PAM)
Forrester estimates that 80% of data breaches involve privileged accounts. Privileged accounts are the accounts with the highest level of permissions on a system, often called an organisation’s ‘keys to the kingdom’. They are predominantly used by IT administrators to manage applications, servers, user directories and other platforms.
Studies have also found that most breach incidents involve privileged accounts being compromised through social engineering, and that on average a compromise goes unnoticed for as long as 200 days.
An organisation needs to maintain an inventory of all its privileged accounts, built through a discovery programme, to achieve comprehensive visibility. Those accounts should then be brought under a PAM solution that implements, as a bare minimum, password vaulting, threat analytics, session monitoring and session recording.
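The discovery programme mentioned above has to start somewhere, and on Linux hosts the first pass is mechanical: anything with UID 0, anything in an administrative group, and anything granted rights in sudoers is privileged whether or not anyone remembers creating it. The block below is an added example written for this page (not Securience’s or any PAM product’s discovery engine) that builds that inventory from /etc/passwd, /etc/group and /etc/sudoers content and records why each account was flagged. The file contents are constructed samples, including a second UID 0 account that a real host should never have; the administrative group names are assumed.

```python
"""Added example (not from the original post): privileged-account discovery
on a Linux host from constructed /etc/passwd, /etc/group and /etc/sudoers
samples. On a real host read the actual files (and /etc/sudoers.d/*)."""
import re

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second uid 0 account:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
svc_backup:x:1100:1100:Backup service:/var/backups:/usr/sbin/nologin
"""

GROUP = """\
root:x:0:
sudo:x:27:alice
wheel:x:10:
backup:x:34:svc_backup
"""

SUDOERS = """\
# constructed sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
bob     ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
svc_backup ALL=(root) NOPASSWD: /usr/local/bin/backup.sh
"""

# Assumed set of groups treated as administrative on this host.
ADMIN_GROUPS = ("root", "sudo", "wheel", "admin")

# user_or_%group  host=(runas) command-spec ; the runas part is optional.
SUDO_RULE_RE = re.compile(r"^(%?[\w.\-]+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")


def parse_passwd(text):
    """name -> {uid, gid, shell} from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, uid, gid, _gecos, _home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return users


def parse_group(text):
    """group name -> set of supplementary members from group-format lines."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, _gid, members = line.split(":")
        groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_sudoers(text):
    """principal -> command spec; principals beginning with % are groups."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        match = SUDO_RULE_RE.match(line)
        if match:
            rules[match.group(1)] = match.group(2).strip()
    return rules


def discover_privileged(passwd_text, group_text, sudoers_text):
    """Map each privileged account to the list of reasons it counts as privileged."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    sudo_rules = parse_sudoers(sudoers_text)
    reasons = {}

    def add(user, why):
        reasons.setdefault(user, []).append(why)

    for name, info in users.items():
        if info["uid"] == 0:
            add(name, "uid 0")
        for group in ADMIN_GROUPS:
            if name in groups.get(group, set()):
                add(name, f"member of {group}")
    for principal, spec in sudo_rules.items():
        if principal.startswith("%"):
            for member in sorted(groups.get(principal[1:], set())):
                add(member, f"sudo via {principal}: {spec}")
        elif principal in users:
            add(principal, f"sudo: {spec}")
    return reasons


if __name__ == "__main__":
    for account, why in discover_privileged(PASSWD, GROUP, SUDOERS).items():
        print(f"{account}: {'; '.join(why)}")
```

The output is the onboarding list for the vault: every account it names should either be brought under PAM (vaulted, rotated, sessions recorded) or have its privilege removed, and a duplicate UID 0 entry like `toor` should be treated as an incident rather than an inventory item. Service accounts such as `svc_backup` are the ones most often missed, because nobody logs in as them interactively.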