It's only fall and 2017 is already shaping up to be yet another record-breaking year for data breach statistics. In fact, according to the stats collected by the Breach Level Index, the number of records stolen surpassed the total for all of last year by the time we reached the halfway mark of this year. The breach headlines over the past month only serve to punctuate these dismal numbers: High-impact compromises at Equifax, the Securities and Exchange Commission, and Deloitte prove that even those organizations with considerable investments in cybersecurity are not immune to successful attacks.
The obvious question is 'Why?' Why are attackers still managing to compromise data and systems with seeming ease? There are lots of answers to that question. But top among them is the fact that most organizations today still operate under the fiction that cybersecurity primarily equates to network security.
Here's the reality. All those walls we've built up around the network are largely irrelevant today. Today's enterprises must safeguard a growing body of data, accessed by an increasing number of users from a mushrooming number of applications and devices. Enterprises have less control than ever over the networks users work off of, the devices they use to conduct business, and sometimes even over the infrastructure used to store that data.
And yet the security industry continues to bang its head against the wall. It overinvests in perimeter technology and keeps doing things the way it always has, even though the safeguards it has invested in at the network layer are lost when users work off the network, when they rely heavily on insecure cloud storage, or when they're accessing secure data via insecure devices.
The fact is that edge-based solutions such as those at the identity layer have become one of the only consistent control points left in this perimeter-less world. And yet, according to recent figures, fewer than half of today's organizations invest in identity management of any kind.
Hackers know it, too. Credential harvesting and credential stuffing attacks are becoming some of the most standard and fruitful tactics for today's threat actors. One recent study shows that automated credential stuffing attempts make up more than 90% of all login activity on Internet-facing systems at Fortune 100 firms. And according to the Verizon Data Breach Investigations Report (DBIR) this year, 81% of today's breaches involve either stolen or weak passwords.
If organizations are going to meet these threats head on and start making a difference in 2018 breach numbers, they need to recognize that legacy approaches to defense don't make as much sense in today's threat landscape. This means stepping up their game with regard to identity and account-level controls. This means putting the people, process and technology in place to bolster authentication across the infrastructure, whether on-prem or in the cloud, so that weak passwords are no longer an Achilles heel. It means instituting controls to ensure user entitlements match their roles and that privileged accounts can't cause compromises across vast swaths of cloud accounts. And it means putting in the identity-based controls and visibility that give IT the ability to know who accesses what and when, and to be alerted when risky behavior is exhibited.
Ultimately, the real prevention mechanisms for modern breaches come down to the user level. Until organizations recognize that fact, we'll keep seeing the same breach stories with different names on them hitting the headlines.