In May of 2020 we published our first research specific to identity-related breaches, Identity Security: A Work in Progress, in which we found that 94% of organizations had suffered an identity-related breach and 79% just in the last 2 years. In short, identity-related breaches were ubiquitous. Some organizations however, those with an identity-forward culture, had suffered far fewer breaches. The 2020 research was conducted before we truly understood the implications of the COVID-19 pandemic on our daily personal and work lives.
The results of this year’s research, 2021 Trends in Securing Digital Identities, makes it clear that the sudden shift to an online world had a significant impact on how organizations approach the people, process, and technology aspects of securing digital identities. COVID-19 put the spotlight on the importance of securing digital identities and provided the wakeup call that CISOs needed to elevate the role of identity in their security strategies and to support accelerated digital transformation initiatives.
Sponsored by the IDSA, the 2021 report is based on an online survey conducted by Dimensional Research. We surveyed more than 500 security and identity professionals from the United States who worked at companies with more than 1,000 employees. To provide some trend analysis, the questions for this survey were pulled from previous research, including The State of Identity: How Security Teams Reduce Risk (December 2019), which was focused on the organizational dynamics between identity and security teams, and Identity Security: A Work in Progress (May 2020), which focused on identity-related breaches and the implementation of preventative measures.
What trends emerged in the last year and where are we headed?
Breaches Still a Problem, Identity Defined Security Could Be the Cure
We found that identity-related breaches were essentially flat from last year (79% of organizations over the last 2 years, the same as our 2020 study). The leading cause remains the same, with phishing (68% vs 66% last year) as the primary attack method for stealing legitimate credentials and privilege abuse remains a distant second (28% vs 29%). Over the last year, cyber criminals continued to target users with legitimate-looking emails/websites, taking advantage of the disruption in our day to day lives and exploiting the major news headlines or important employee communications as the pandemic played out.
With a legitimate set of credentials, whether acquired through phishing or other methods, cyber criminals were able to execute attacks. According to 78% of organizations, these breaches had direct business impacts ranging from downtime to stolen data to financial repercussions.
In short, the good news is that we did not see an increase in identity-related breaches, despite the additional security challenges introduced with more identities, exponential remote access and more personal devices. The even better news is that most organizations (93%) believe that the recommendations of the IDSA, Identity Defined Security Outcomes published in May 2020, might have prevented or minimized the impact of the breaches they did suffer.
Identity Moves Closer to the Center of Security, and Zero Trust
The research also shows that identity and access management (IAM) has shifted focus to become critical to security strategies. In fact, 80% of the participants agree with the statement “Identity management used to just be about access, now it’s mostly about security” and 64% report that they have made changes to better align security and identity functions within the last two years. When surveyed in December of 2019, only a little over half (53%) said the security team had a leadership role with regard to IAM. However, in the latest survey, 87% report the CISO has a leadership role when it comes to IAM, signaling a major shift in ownership and the importance of securing digital identities.
With recent focus on Zero Trust approaches, it was no surprise that 93% of the participants said that Zero Trust is strategic to securing their organization. In addition to overwhelming adoption of Zero Trust, nearly all of the organizations (97%) agree that identity is a core part of implementing a Zero Trust strategy, echoing recommendations from the IDSA that The Path to Zero Trust Starts with Identity.
Investments in Identity Defined Security Accelerating
With 80% of organizations reporting an increased focus on identity security because of the pandemic shift to remote work, that focus is translating to investments in Identity Defined Security Outcomes. Those organizations where the CISO had some ownership of IAM are much further along in implementation.
Organizations that seem to be lagging behind have indicated that they will be working hard to catch up. At least 70% report they began implementation or planning of Identity Defined Security Outcomes in the past two years and 97% will make investments over the next two years. As mentioned above, 93% of organizations believed that these outcomes could have prevented or minimized the breach, so perhaps we will see a drop in identity-related breaches in the coming years.
The past year represented a significant disruption for organizations and increased the workload for most identity and security teams. It forced organizations to recognize the importance of securing digital identities, whether maintaining employee productivity through secure access from anywhere, using any device, or transforming engagement with customers to secure online services. If it hasn’t already happened, CISOs should seize this opportunity to elevate the importance of identity, not just in security strategies, but as an opportunity to provide business value through risk reduction, cost containment, increased productivity and improved digital user experiences.
- Learn more about Identity Defined Security and how it is changing security strategies. READ THE IDS FRAMEWORK WHITEPAPER.
- Evaluate your Identity and Access Management maturity and implement good hygiene. REVIEW OUR IAM BEST PRACTICES.
- Assess your security challenges and define outcomes and approaches. USE IDENTITY DEFINED SECURITY OUTCOMES TO BUILD YOUR ROADMAP.