Identities are an organization’s most significant vulnerability. Trust no one, verify everyone.
Remember Kevin, the kid from “Home Alone”?
After waking up to find that his family had left him behind, he saw two burglars trying to break into his home. Despite his commendable efforts to secure his house from these intruders, there came a point where he had to face facts – they’re going to get in.
That’s when he really pulled out all the stops – scattering Christmas ornaments on the floor, tarring the basement stairs. Essentially, doing all he can to keep what’s valued, safe.
Now, think about this for your own organization’s network – how well protected is it? Are perimeter protections really enough? Or are unauthorized users already in the network?
Organizations today should take the same mindset – to trust no one, assume the intruders are already in the network, and create a series of challenges to limit movements and keep them from the most critical systems and data.
Just like the burglars’ will to break into Kevin’s house, Mobility, cloud, IoT, and social media are today’s muse for intruders to access an organization’s network. With each new attack surface comes the opportunity to leverage trusted identities without proper access controls.
Despite spending billions on cyber security and risk management, organizations are losing the fight to protect sensitive information. Employees, partners, contractors, and customers can connect anytime, anywhere from any device to any resource. These freedoms make their identities prime targets for criminal hackers, who have wasted no time using them to raid accounts and data.
Identity is the primary attack vector
In 2018, the SingHealth data breach saw 1.5 million patients’ personal particulars and another 160,000 outpatient medication records illegally accessed by a hacker who was able to stay within the network for months, without detection.
More recently, Sephora Southeast Asia was responsible for the leakage of 3.2 million customer records. What was most alarming was the fact that no major vulnerability was found on Sephora’s website, and no cyberattack could actually be traced.
Criminal hackers tie 70% of their breaches to user activity, according to Forrester. In a survey conducted by the leading Privileged Access Management vendor Centrify, and the Dow Jones Customer Intelligence team, 62% of CEOs inaccurately cite malware as the primary threat to cybersecurity, yet only 8% of all executives said that anti-malware endpoint security would have prevented the “significant breaches with serious consequences” that they experienced.
An AT Kearney survey last year emphasized that organizations in the ASEAN region must secure a sustained commitment to address its cybersecurity gap and build the next wave of cybersecurity capability. Compared to the global average spending on cybersecurity of 0.13% (as percent of GDP), the ASEAN region invests just 0.06% of its combined GDP on cybersecurity.
The region’s expanding digitalization only makes it an even greater target. According to a survey by a global professional services firm Marsh and McLennan, organizations in Asia are 80% more likely to be cyberattacked.
Bottomline: Something must change. Today’s security is not secure.
The new reality: never trust, always verify
Cyber-attackers today are looking for the easiest way in. So, they no longer “hack” in – they log in using our own weak, default, stolen or otherwise compromised credentials against the organization. Identities can slip from good to bad at any point.
With the explosion of new attack surfaces and unwieldy identities, the old cybersecurity adage of “trust but verify” no longer applies. The new mandate is “never trust, always verify” – a Zero Trust approach is paramount for all organizations today.
Credentials, especially those for administrators with privileged access to critical systems, are the keys to your kingdom and your most significant vulnerability.
Perimeter security is not enough to protect today’s world. It would be like continuing to invest in the moat when the castle of the kingdom no longer exists.
By delivering cloud-ready Zero Trust Privilege to secure modern enterprise attack surfaces, Centrify helps customers grant least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment. By implementing least privilege access, Centrify minimizes the attack surface, improves audit and compliance visibility, and reduces risk, complexity and costs for the modern, hybrid enterprise.