It’s a thriving industry for criminals, insurance premiums for companies are getting higher by the year and regulators’ fines for breaches have even put some organisations out of business. The 2020 IDG Security Priorities Study found 49% of technology executives said their top security priority was protecting sensitive data.
For a long time, cyber protection relied on robust perimeter security to prevent unwelcome access. But now, four out of five corporate cybersecurity breaches occur because of compromised access rights or user credentials. That’s a headache for technology leaders, CISOs and boards, who all need to manage and mitigate the associated risks of a potential data breach while ensuring their tech stacks are digital ready.
Privileged Account Information is the Real Prize for Cyber Criminals
IAM and Governance should be robust
We know most companies have sufficient perimeter controls, like firewalls, to prevent external penetration. The real prize for malicious actors is getting hold of privileged account information – this has the highest ROI of any cyber-attack strategy.
Hackers can use sophisticated tools and social engineering techniques to obtain internal credentials to gain access to a company’s most valuable data, bypassing the security perimeter to get direct access to its systems and applications. But it’s not just criminals who can misuse accounts.
Internal data breaches are usually a result of insufficient controls, monitoring and systems in place at an organisation. Staff with the right access have access to valuable data and intellectual property (IP) to perform their jobs. And clever phishing campaigns by malicious parties can be effective in tricking employees into revealing their access credentials.
This is where a robust Identity and Access Governance strategy is important. This is the cornerstone of a winning cybersecurity framework. IAG defines the framework and practices to control what information and systems an individual account can and can’t access. It’s an important and complementary level of security that’s the internal back-up to your organisation’s traditional perimeter security solutions.
Company policy should cover the systems needed to keep corporate data safe, but also the processes that are necessary to support those systems.
An IAG framework covers two aspects of internal protection:
- Identity and Access Management: These are the levels of controls that allow certain individuals access to applications and technology assets.
- Privileged Access Management: This secures access to key privileged business and technology system accounts.
Strategies that include multi-factor authentication, zero trust and IAG as a service are key components of a robust approach to governing access. But access management can’t be left to technology alone.
Everyone in an organisation wants technology to do the policing, but it takes a long time to get to that point. Automation is a big investment, can be a lengthy endeavour and carries its own risks. And automating flaky manual processes will provide a veneer of cybersecurity confidence but doesn’t address the core issue.
User Accounts pose a significant cyber security threat and organisations should define their IAG structure accordingly
The IAG Approach
We’ll use an overview of the Francis North approach to provide a level of consideration for you to take from this piece.
We take an iterative approach to all our client engagements, and IAG is no exception. First, we’ll review the current policies, controls and procedures to ensure our client can manually execute and monitor them effectively. We’ve found that as companies hustled to become digital ready, their technology estates evolved rapidly to keep pace with business demand. Every system, even SaaS and cloud based, needs a suite of ID accounts that must be managed.
A considered approach is needed to manage all identities and what they can access. And, if you’re a multinational, there are laws and regulations governing how this must operate in different countries that need to be considered.
Our IAG approach is built on many years of experience operating across multiple regulated industry sectors.
Armed with this information, we’ll help define the client’s IAG strategy and deliver against that strategy with incremental quick wins, adopting a risk-based approach.
If a company’s security perimeter is breached, the IAG framework and technology will control and limit what each account can and can’t do. And when IAG is implemented well, then it’s faster and easier to monitor and manage risk and disable accounts if they’re being misused.
Francis North Group can make your IAG digital ready. Contact us to learn how we can help with identity access governance.
To view this original article on Francis North, please click here.
