Modern businesses need digital transformation, but it also makes the identity attack surface much bigger—because of the growth of cloud services, IoT devices and third-party integrations. Sadly, this has made identity a very attractive target for cybercriminals.
Hacking attempts are more frequent now, particularly as a result of lost credentials and the lack of additional controls like multifactor authentication. Organizations need to make identity security a priority and use strong cybersecurity frameworks in their digital transformation journeys.
Identity As The New Attack Surface
Very few organizations suffer data breaches because of their actual software—in fact, most are caused by people. Your team can either be your first line of defense or the weakest barrier to your critical data and systems. For example, it is reported that almost two-thirds of people reuse their passwords across multiple sites and software platforms, and around 13% have a single password for all of their accounts.
The reality is that most companies simply don’t have the right controls in place to manage this effectively. If an organization has a cybersecurity issue due to its people, the underlying source of the problem is that the organization hasn’t properly engineered the working environment to protect its information. In other words, rather than blaming your people for not changing their passwords often enough (which is not a solution), you need to think through what is required to protect your systems and your people.
Imagine this scenario: You’re driving a car and, seconds before you’re about to have a collision, a little warning light comes on telling you to put your seatbelt on. Would this system prevent the impact of the crash? Of course not. That’s why we legislate that seatbelts must be worn at all times when riding in a moving vehicle. What’s more, we manufacture cars with airbags, anti-lock brakes, stability controls and all manner of safety features because we know people are going to make mistakes and have accidents.
It’s crucial to think of cybersecurity in the same way—making sure that the proper controls are in place to prevent incidents before they occur. You need robust procedures, systems and a working environment that supports them, and you need to test all of these regularly. That way, the cybersecurity of your entire organization won’t hinge on whether Barry from Marketing clicks on a link, or Sue from Accounts reuses an old password.
What Are The Most Common Identity Hacks?
Social Engineering
Social engineering attacks deliberately manipulate individuals into disclosing sensitive information or granting access to restricted systems. These attacks are highly effective because they exploit human trust and emotions. According to a U.S. Government report, 98% of cyberattacks involve some form of social engineering. The most common technique is “phishing,” in which the victim receives an email that falsely claims to be from a legitimate organization.
Credential Stuffing
Credential stuffing is when a hacker uses stolen login credentials from a breached website to gain unauthorized access to user accounts on other platforms. This type of attack takes advantage of the fact that many people use the same passwords across multiple accounts. Credential stuffing represents 34% of all authentication traffic, which means that roughly one-third of all login attempts are fraudulent—and this figure skyrockets to over 80% in e-commerce websites.
Password Spraying
Password spraying is a brute-force attack in which the cybercriminal tries a short list of common passwords against many user accounts. Spreading the attempts across accounts avoids the account lockouts that occur when multiple failed logins hit the same account. In 2021, the U.S. Department of Homeland Security warned that password spraying attacks were on the rise, targeting government agencies and organizations. The risks can be minimized by avoiding the use of default or easily guessed passwords.
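Both credential stuffing and password spraying share a signature that a per-account lockout counter never sees: one source works its way through many accounts with only a few attempts each. The example below is added here to show what a defender can do about that; it is not code from the original article. It parses a constructed authentication log (the line format, the IP addresses, the user names and the lockout threshold of five failures are all assumptions for the example), flags sources that fail against many distinct accounts while staying under the lockout threshold on every one of them, contrasts that with a classic single-account brute force, and lists the accounts where a flagged source eventually succeeded, since those are the ones to review first.

```python
"""Added example: per-source detection of spray/stuffing-style logins.

A per-account lockout counter only sees failures against one account.
Password spraying and credential stuffing deliberately stay under that
counter by iterating over accounts instead, so the detection has to be
keyed on the source rather than on the account.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log (not real data). Assumed line format:
# "<ISO timestamp> src=<ip> user=<name> result=<OK|FAIL>"
SAMPLE_LOG = """\
2024-05-01T09:00:01 src=203.0.113.5 user=alice result=FAIL
2024-05-01T09:00:04 src=203.0.113.5 user=bob result=FAIL
2024-05-01T09:00:07 src=203.0.113.5 user=carol result=FAIL
2024-05-01T09:00:10 src=203.0.113.5 user=dave result=FAIL
2024-05-01T09:00:13 src=203.0.113.5 user=erin result=FAIL
2024-05-01T09:00:16 src=203.0.113.5 user=frank result=OK
2024-05-01T09:01:00 src=198.51.100.7 user=alice result=FAIL
2024-05-01T09:01:02 src=198.51.100.7 user=alice result=FAIL
2024-05-01T09:01:04 src=198.51.100.7 user=alice result=FAIL
2024-05-01T09:01:06 src=198.51.100.7 user=alice result=FAIL
2024-05-01T09:01:08 src=198.51.100.7 user=alice result=FAIL
2024-05-01T09:01:10 src=198.51.100.7 user=alice result=FAIL
2024-05-01T09:05:00 src=192.0.2.9 user=grace result=FAIL
2024-05-01T09:05:30 src=192.0.2.9 user=grace result=OK
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")
LOCKOUT_THRESHOLD = 5  # assumed policy: an account locks after 5 failures


def parse_log(text):
    """Return a list of (timestamp, src_ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, src, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), src, user, result == "OK"))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5,
                 max_per_account=LOCKOUT_THRESHOLD - 1):
    """Map src_ip -> sorted targeted accounts for sources that, inside one
    `window`, failed against at least `min_accounts` distinct accounts while
    never exceeding `max_per_account` failures on any single account."""
    fails = defaultdict(list)  # src -> [(timestamp, user), ...]
    for ts, src, user, ok in events:
        if not ok:
            fails[src].append((ts, user))
    flagged = {}
    for src, items in fails.items():
        items.sort()
        start = 0
        for end in range(len(items)):  # sliding window over this source's failures
            while items[end][0] - items[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in items[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                flagged[src] = sorted(per_user)
                break
    return flagged


def detect_single_account_brute_force(events, threshold=LOCKOUT_THRESHOLD):
    """(src_ip, user) pairs that a per-account lockout policy would catch."""
    fails = defaultdict(int)
    for _, src, user, ok in events:
        if not ok:
            fails[(src, user)] += 1
    return {key for key, n in fails.items() if n >= threshold}


def successes_after_spray(events, sprayers):
    """Accounts where a flagged source eventually logged in successfully."""
    return sorted({user for _, src, user, ok in events if ok and src in sprayers})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    spray = detect_spray(evs)
    print("spray-style sources:", spray)
    print("single-account brute force:", detect_single_account_brute_force(evs))
    print("review first:", successes_after_spray(evs, set(spray)))
```

On the sample data the lockout counter flags only 198.51.100.7 hammering alice, while 203.0.113.5 touches each account once, never trips a lockout, and still ends with a successful login as frank; only the per-source view surfaces it. The window, account count and per-account ceiling are tuning knobs that should be set from the organization's own lockout policy and normal login volume.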
Account Takeover
An account takeover is when an attacker gains unauthorized access to a user’s account, often through methods like social engineering, credential stuffing or password spraying. Once the attacker has control, they can steal sensitive data, make fraudulent transactions or use the account for further attacks. In the U.S., 29% of adults have been victims of account takeover, with attacks increasing 354% year-on-year in 2023, resulting in nearly $13 billion in losses.
Protecting Identity And Access
In the current digital landscape, protecting identity and access must be the number one priority for organizations of all sizes that want to keep cybercriminals out of their systems and data. To quote Bob Lord, former CSO of the Democratic National Committee and industry leader, “It’s imperative to Marie Kondo your cybersecurity—throw out what doesn’t spark joy.” With a few basic “tidying” decisions to streamline identity governance, you can achieve significant, immediate, measurable improvements in your identity security posture.