Problem 4 of 7 Things Wrong with Mid-Market Cyber Security
All too often, businesses are so focused on keeping attackers out that they forget another, even more troubling source of risk: their own employees. ‘Insider threat’ is the risk of a breach enabled, caused, or carried out by an authorised user. It’s growing exponentially as the cloud pushes data ever further across ever-larger networks, necessitating increasingly complex access arrangements. And the result, according to data from ID Watchdog, is that a whopping 60 percent of data breaches in 2020 were connected to or resulted from insiders.1
Traditional identity measures are fast becoming irrelevant
Here’s an example to show the scale of the problem. Eighty-one percent of data breaches start with a stolen or weak login credential2 – because passwords are just too easy to compromise. Every time a major attack hits the headlines, with user data spilling out onto the internet like oil from a tanker, chances are some of your employees’ passwords are in the flood.
If they reuse those passwords across multiple sites (which a recent Google survey suggests around two thirds of them do) then your systems are at risk. All it takes is for an attacker to buy an employee’s login details from the leak, connect that person with your company, try their details on your system – and the digital door swings wide open. To make it worse, there’s nothing in that process that would trigger traditional security systems – so your newest ‘employee’ could theoretically wander around inside your systems undetected for days on end.
The risk associated with employees doesn’t stop at the weakness of traditional passwords. One-time password (OTP) systems briefly offered a solution, but as attacks have grown more sophisticated, OTPs sent by legacy systems have become vulnerable to interception, phishing, and man-in-the-middle attacks.
And of course, all this assumes the employee is an innocent party. But in most cases, ‘insider threat’ means a breach of trust rather than a breach of security. The reality is that malicious activity does happen – whether for financial gain, in response to perceived mistreatment, or in service of a new employer. Unless identity services are up to the challenge, movers and leavers can retain access to sensitive data for far longer than they should.
Security vs usability conundrum So, the question for mid-market businesses is: what to do? The temptation can be to do the cloud equivalent of locking everything into a big chest, behind a gate, over a drawbridge, digging a moat, and then requiring a different kind of ID to get through each barrier. Then, you think, our information will be secure.
The problem is, if your ID management is too good, it stops your employees from doing their jobs. Nothing brings productivity grinding to a halt quite like the inability to quickly open your documents, share information with other departments, or copy numbers from a spreadsheet into an email. Blanket OTP systems are already widely unpopular with many employees, forcing them to break away from their tasks at random intervals to convince their suddenly suspicious email servers that they are, in fact, who they say they are.
Somewhere between these two divergent business needs – for security and usability – there needs to be a better way.
Autonomous, integrated identity management
Thankfully, it’s not just the attackers who’ve been getting increasingly sophisticated. As businesses shift to the cloud, building larger, more complex data landscapes, security technology is evolving to match. Businesses need to take advantage of these developments to create a Zero Trust environment, starting by protecting threats on the inside and working outwards, rather than vice versa.
Through intelligent, autonomous technology, businesses can implement systems that analyse far more than just a password or one-time code to determine whether a particular user gets access to a particular system. As cloud moves security closer to the user, IP addresses, past behaviour, endpoint ID, even geolocation and the time of day – all these data points can be gathered and analysed by an intelligent identity-as-a-service platform, and then used to decide on the spot whether an access request should be granted.
If for example, a mid-level sales executive from Basingstoke suddenly inputs their password from a township in Belize at two o’clock in the morning and tries to access the finance team’s file server – the system will spot the risk and lock them out until checks can be undertaken. That’s an extreme example, but an advanced, autonomous identity system can carry out thousands of these checks simultaneously, identifying and isolating much more subtle risks at speed.
That’s not to say that passwords and multi-factor authentication should be ditched altogether. Belt and braces is always the best policy when it comes to data security. To ensure they’re fully protected, companies should move controls closer to the user or device, reduce services delivered from DMZs and make sure users are segmented from the data centre network.
But it is to say that there’s a more nuanced, unobtrusive way to elevate security levels that doesn’t make employees feel like they’re constantly being locked out of essential systems. The key ability for businesses to invest in is autonomous, AI-backed detection and response. That way, if the business is logging all user and application layer activity, their systems will be able to rapidly integrate threat data from every possible entry point (not just end-user devices or emails) and take appropriate action faster than humanly possible.
As cloud-native business increasingly becomes the norm, anything less is undeniably a risk. Either to employees’ productivity – or to organisations’ data, reputation, and business viability.
Join the mid-market revolution. Sign up to receive our ‘7 things Wrong with Mid-Market Security’ Report: