Cyber Identity Theft is the Biggest Cause of Breaches

Posted on by Robert Ackerman

Many cybersecurity pros like to say that a secure company is a successful company, and this may seem like hyperbole. After all, many other factors also ultimately determine success, such as the quality of a company’s products or services, sufficiently savvy marketing, and the expertise of executives.

Nonetheless, a strong case can be made that good security today requires strong identity protection above all else because most of the other functions of an organization could be compromised if an employee’s identity is breached. Serious cyberthreats are a massive burden for most organizations, both financially and in terms of stress and managerial downtime. Moreover, a breach can undermine corporate reputations for years.

So what are enterprises and other types of organizations doing about this? In many cases, not enough.

They are aware of the link between identity and security but too often fail to grasp that good identity protection has become crucial to the point that threat actors are increasingly targeting identities instead of systems. Identity has become the new security perimeter.

According to the latest report by the Identity Defined Security Alliance (IDSA), a provider of education and resources to help organizations reduce the risk of a breach by combining identity and security strategies, a whopping 84 percent of more than 500 sizable US organizations said they experienced an identity-related breach over roughly the past year. In addition, most of them said these breaches could have been prevented or minimized by implementing identity-focused security outcomes.

This is a particularly costly problem.

According to IBM’s 2022 Cost of a Data Breach report, the cost of an average data breach in the United States is $9.4 million—more than twice as much as the average worldwide. Identity-related breaches were most common and took the longest to identify—327 days—because it’s often very difficult to differentiate between the user’s typical behavior and that of the hacker who has usurped an identity. The longer it takes to identify the perpetrator, the bigger the corporate expense.

Identity has become by far the weakest link in the chain, and identity-related attacks are hence a chief culprit of cybersecurity breaches.

There are several reasons cybercriminals have come to favor identity-related attacks. One is that more identities translate into a larger attack surface. The number of identities in organizations is growing quickly due, among other things, to an increase in the number of employees using technology, more third-party relationships, and spikes in machine identities, such as bots.

Another reason ultimately boils down to common sense—compromising identities is far easier than compromising systems. A cybercriminal who wants to hack a system needs a detailed understanding of the systems in place and how they operate and communicate. In addition, systems today are typically protected by layers of advanced cybersecurity defenses, which are harder to crack. Compromising an employee’s identity is easier. An attacker, for instance, can initiate a phishing campaign to get what he’s looking for. Once successful, the hacker can masquerade as a legitimate user and access sensitive resources through legitimate channels.

Also noteworthy, recent studies show that the majority of workers in a typical organization have access to sensitive information.

The most common identity-related attacks are broad-based phishing campaigns, spear phishing campaigns, and credential stuffing.

In phishing campaigns, an attacker compiles a list of email addresses, designs a generic message believable to the intended group, and contacts many potential victims. The compromise of even one account can sometimes expose an entire organization. Spear phishing campaigns are similar but far better targeted. A hacker, for example, may impersonate a manager. The employee may be happy to respond to their “supervisor” and enter credentials to perform the requested action, thereby enabling the attacker to execute an attack.

Credential stuffing is the automated injection of stolen username and password pairs, capitalizing on the common reuse of user passwords across platforms. These attacks can be automated and carried out at scale.
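Because credential stuffing runs at scale, it leaves a recognizable pattern in authentication logs: one source failing logins against many different accounts in a short window, sometimes followed by a success. The following detection logic is an added example and is not code from the original post; the log format, the sample lines, and the thresholds (five distinct accounts within five minutes) are constructed assumptions, not values from any real system.

```python
"""Credential-stuffing detection over authentication log lines.

Added example; the log line format, sample data and thresholds below are
constructed for illustration and are assumptions, not values from the post.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines. Assumed format:
#   <ISO-8601 UTC timestamp> src=<source IP> user=<account> result=<FAIL|SUCCESS>
# 198.51.100.7 sprays five accounts then lands one (stuffing pattern),
# 203.0.113.9 hammers a single account (brute force, not stuffing),
# 192.0.2.44 tries two accounts 15 minutes apart (low-and-slow).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T10:00:02Z src=198.51.100.7 user=bob result=FAIL
2024-03-01T10:00:02Z src=198.51.100.7 user=carol result=FAIL
2024-03-01T10:00:03Z src=198.51.100.7 user=dave result=FAIL
2024-03-01T10:00:03Z src=198.51.100.7 user=erin result=FAIL
2024-03-01T10:00:04Z src=198.51.100.7 user=frank result=SUCCESS
2024-03-01T10:00:05Z src=203.0.113.9 user=alice result=FAIL
2024-03-01T10:00:40Z src=203.0.113.9 user=alice result=FAIL
2024-03-01T10:01:10Z src=203.0.113.9 user=alice result=SUCCESS
2024-03-01T10:30:00Z src=192.0.2.44 user=bob result=FAIL
2024-03-01T10:45:00Z src=192.0.2.44 user=carol result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log text into (timestamp, src, user, result) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Return {src: {"distinct_users": n, "compromised": [users]}} for flagged sources.

    A source is flagged when it fails logins for at least min_distinct_users
    distinct accounts inside a single sliding window. Accounts that then
    succeed from the same source within that window are listed as likely
    compromised and should be treated as first-priority containment targets.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        for i, (t0, _, _, _) in enumerate(evs):
            window_evs = [e for e in evs[i:] if e[0] - t0 <= window]
            failed_users = {e[2] for e in window_evs if e[3] == "FAIL"}
            if len(failed_users) >= min_distinct_users:
                compromised = sorted({e[2] for e in window_evs if e[3] == "SUCCESS"})
                findings[src] = {
                    "distinct_users": len(failed_users),
                    "compromised": compromised,
                }
                break  # one finding per source is enough for an alert
    return findings


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['distinct_users']} accounts sprayed, "
              f"successful logins: {info['compromised'] or 'none'}")
```

Note what the rule does and does not catch: the single-account brute force from 203.0.113.9 is not flagged (one username, so it belongs to a lockout or rate-limit rule instead), and the low-and-slow attempts from 192.0.2.44 fall outside the five-minute window, which is exactly why stuffing campaigns spread requests across time and source addresses. In practice the window, threshold and grouping key (source IP, ASN, user agent, or a device fingerprint) are tuned per environment, and the "compromised" list feeds a forced password reset and session revocation for the affected accounts.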

Cybercriminals typically exploit human vulnerability through phishing and social engineering attacks, but some threats come from inside: employees who compromise corporate data themselves. In the latter case, the problem is one of authorization—one that stronger authentication and authorization controls can often mitigate.

In the big picture, it’s important to note that while identity security is an important component within security architecture, it’s just one element within a broader security platform. To ensure maximum protection, organizations must also embrace endpoint security, IT security, and cloud workload protection. The overall security solution should also integrate existing Identity and Access Management (IAM) tools—a technological framework enabling organizations to manage digital identities and control user access to critical corporate information—and, if it exists, zero trust architecture.

Here are some other tips to help mitigate identity theft:

+ Stop fraud before it even happens. Employ good internal controls and security practices to safeguard your organization from identity theft and other cyberattacks.

+ Train employees to follow cybersecurity basics, such as avoiding weak passwords. Organizations should schedule ongoing security training and phishing simulation exercises. The goal is to develop healthy skepticism.

+ Use an identity-centric approach to security. Instead of building a perimeter around corporate resources, build one around identities by implementing technologies such as privileged access management.

+ Think twice about relying solely on cybersecurity alerts regarding a possible attack. Encourage employees to self-assess a potential attack and proactively raise any suspicions.

Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital



Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
