Online Identity Theft and Fraudulent Reuse Is the Single Biggest Problem in Cybersecurity


Posted by Robert Ackerman

There is more than one Achilles heel in the world of cybersecurity. But if pressed to cite the biggest one of all, the answer is easy: identity. Year after year, cyber pros increasingly say it’s the weakest link in Internet security. That’s because the methods that form the foundation of organizational cybersecurity are under pressure to change with the times and, while they are changing, they largely remain a work in progress.

Numbers underscore much of this situation. The Identity Theft Resource Center (ITRC), a non-profit organization that works to minimize identity risk, recently reported that 1,291 organization breaches—which typically steal identity data—occurred in the first three quarters of 2021, a 17 percent increase over the same period in 2020. ITRC has said full-year 2021 breach numbers are likely to set a new record.

Predictably, this is costing victims a lot of money. According to a 2021 Identity Fraud Study by Javelin Strategy & Research, Americans lost $56 billion to online fraud in 2020, the latest data available. A good piece of that came from the theft of personally identifiable information. Curiously, even more of it was attributed to scams in which criminals interacted directly with consumers to steal their information through the likes of phishing emails.

Remote workers, who open the door to online identity theft largely because of casual security habits, aren’t the only reason behind soaring identity theft numbers.

Internet of Things (IoT) sensors are increasingly common, and their Internet connectivity is problematic because they have weak security. In addition, things have changed in the manufacturing workforce. In the past, select employees mostly accessed the company’s systems from their computers at work. Today, these employees log on from their smartphones, tablets, and laptops when working from home. The more devices tapping into the Internet, the greater the odds that some will be compromised.

The greatest threat to data security is really not hackers but rather employees. It is employees who are close to organizational data and have access by nature of their assignments.

Surveys by companies, such as information security service Shred-it, Kaspersky Lab, and B2B International, have reported that up to half of business leaders say that human error caused a data breach at their organization. Today, more than ever, remote employees and their data are basically everywhere and, more often than not, available for the taking.

As businesses increasingly move mission-critical operations to the cloud, it has become clear that more and better cybersecurity is critical. Old-school thinking that identity is just one more layer in a security model in which hackers attack the perimeter to get to their targets is rapidly becoming obsolete. That thinking assumes security perimeters are still effective in a cloud-native world, and they are not.

For true security in the cloud, identity needs to move to the very core of a company’s cybersecurity infrastructure because only identity can serve as the primary control for security. What counts is confirming that the users in your system actually are who they say they are, based on authentication standards—a measure that substantially reduces the risk of a breach.

So just what is needed to make this evolving scenario a widespread reality? More companies and other organizations need to aggressively embrace identity and access management (IAM) and single sign-on (SSO) solutions.

IAM is about defining and managing the roles and access privileges of individual users and their devices to cloud and on-premise applications. The objective is one digital identity per individual or item. Once established, it must be maintained, modified, and monitored.

Things have been changing in the IAM world. As more and more companies come to the conclusion that a strong username and password is insufficient if not outright obsolete, multi-factor authentication is being added to IAM products. Some of the most forward-thinking companies are going further and experimenting with passwordless authentication, which replaces the password with a fingerprint or other biometric, or with a secret token delivered via email. IAM products are also embracing machine learning and artificial intelligence.

SSO, which is all about simplicity, is a centralized session and user authentication service in which one set of login credentials can be used to access multiple applications. Once it authenticates users, they are able to access myriad websites and services without having to log in and out each time.

SSO, like IAM, is not new, but its importance is often overlooked. Fact is, with many enterprises increasingly moving to the cloud and relying more and more on third-party services, seamless access to multiple applications from anywhere and on any device is becoming essential for maintaining efficiency. SSO still has its challenges, sometimes including security issues, but they are being regularly addressed.

There are other methods to enhance identity security. One is Zero Trust, whereby nobody is trusted in the network, even if they have cleared the perimeter. Users must verify their identity every time they try to move around the network. Also worthwhile and much easier to implement is a heightened investment in off-boarding processes, which, unlike onboarding processes, don’t get the attention they should.

For now, the adoption of IAM appears to be most in vogue. Its importance should continue to grow as IT environments become more hybrid, distributed, and dynamic. This would be a good thing.

Contributors
Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

