Since 2018, the average number of incidents involving employee or contractor negligence has increased from 13.2 to 14.5 per organization. The average number of credential theft incidents has almost tripled over the past two years, from 1.0 to 2.7 per organization.
The cost of an insider breach in 2020 was reported to be approximately $307,000. Privileged account compromise can cost a whopping $2.79 million. These numbers demand a close eye on insider threats, along with potential solutions.
What is causing all these incidents? And why do these numbers need immediate attention?
It is not a lack of security measures at the gate. Most businesses are savvy enough to enforce stringent checks on all employees when they clock-in every morning. Nor is it a network firewall issue. It is not even the prowess of hackers brute forcing their way in but a severe lack of identity-level security.
What is identity-level security? Your organization’s employees have identities in the form of roles within your systems and applications which have certain access rights. Each person is given access to various apps and files, all based on what they need for their work. In addition, there are privileged accounts, which have access to sensitive information and the ability to modify apps and systems. These typically belong to no specific employee, but credentials are given for temporary access based on requirements.
Since identities are what access files, apps, and systems, the best line of defense from insider threats is to secure those identities. There are numerous tools available in Identity and Access Management to do this.
Single Sign-on (SSO)
Your employees have tens of passwords to remember. Each app, their windows login, etc., all require a unique password to sign in and admins can have hundreds of passwords to sign-on to all the different apps your organization uses. To cope, employees typically write down passwords on paper or store them in computer documents. This is a massive security issue. If the machine is compromised, or if the notepad is lost, all those passwords are available to malicious beneficiaries to utilize for their own gains.
Single Sign-on eliminates the need to remember multiple passwords. It allows users to access all their apps and systems with a single password. A good SSO solution also offers password synchronization with your Active Directory. This means that passwords changed in the AD are synced with the SSO solution, and passwords changed elsewhere, like in target apps, are also synced with the AD. This ensures that things are always up to date and that apps can be accessed quickly. Ilantus Compact Identity is a solution that offers such a feature, among other unique and powerful ones. For instance, you can SSO to thick-client apps, a feature unavailable in any other platform in the industry.
Multiple passwords aside, they need to be reset frequently for two reasons. First, your organization’s password policy demands it for security reasons. Second, passwords that are forgotten and lock users out of their accounts need to be reset. So, you need a Password Management product to handle all password update requests. Typically, this is done manually through a helpdesk. But this method is subject to availability and office hours, and typically takes longer than needed in large organizations. Here’s where Ilantus Xpress Password and Ilantus Compact Identity can help with the extremely efficient ‘self-service password reset’ feature.
Two key technologies within Identity Governance that are very relevant to strengthen your security infrastructure are Access Requests & Approvals and Access Recertification.
Access Requests & Approvals
Access Requests & Approvals – This is all about streamlining and securing the entire process of employees gaining access to target apps, as well as revocation of rights at the right time. When employees join an organization, change roles, or are transferred within the same role, they need to be given access to the apps and systems they need in their work. This is a lengthy manual process in typical cases, and the downtime before the employee can be fully productive can be months. Identity Governance, particularly with the technology for ‘self-service access requests’, enables users to request access through the solution. Managers can then approve or deny access.
What you really want in an Access Request & Approval solution is risk assessment. It should offer metrics and suggestions about which access is generally approved or denied for any specific role, which makes managers’ jobs easier. Ilantus Compact Identity sports such a feature.
Compliance with government and industry mandates is essential. There are different rules and regulations like SOX, GDPR, HIPAA that need to be considered when making decisions about security. These mandates are not without reason. Employees having access to systems and apps that they ideally should not have access to or no longer require is a leading cause of insider incidents. Access Recertification allows your organization to run scheduled campaigns to recertify access rights periodically.
It is important to choose a solution that allows you to set a threshold for the kind of access that needs to be recertified, for instance, high risk access only. This saves time for managers but still ensures a high degree of security. You also need a solution that can generate audit ready reports from these campaigns. Ilantus Compact Identity is one solution that offers all this.
Managing access through the lifecycle of employees is no easy task. A role in the organization should, by default, come with the right access required for the job. Here is where birthright provisioning comes into play. You need an Identity Administration solution which enables your employees to be productive from day one. It is essential for performance as well as employee morale. Birthright provisioning automates the creation of accounts and the provision of access to the employee when he/she joins your organization.
When an employee is promoted or transferred, there needs to be automated re-assignment of access rights. Old access rights that are defunct must be revoked, and new access must be provided. Look for an Identity Administration solution like Ilantus Compact Identity that provides such a feature.
And, when employees leave or are terminated, it is a severe security risk for their accounts to still have access to sensitive information. Sometimes accounts can have an identity disconnected but still remain intact for months or years together. These are called orphan accounts and can be used by cybercriminals to wreak havoc undetected, because they belong to no user and yet have privileges. A quality Identity Administration solution such as Ilantus Compact Identity solves all these issues through automation.
Privileged Access Management (PAM)
Privileged accounts pose another threat. The threat surface is smaller, but the potential impact of a breach through such an account is enormous. Privileged accounts have access to very sensitive apps and permissions, such as cashing cheques. They do not belong to any particular employee but are used to give elevated access to individuals in specific roles for a limited time. As such, breaches and misconduct while operating such an account are hard to pinpoint.
Insider threats are a leading cause of data breaches and other enterprise cybercrime. Attackers frequently try to gain access through existing accounts instead of hacking or brute forcing passwords. Because it is much easier to do so.
IAM is the solution which, in myriad ways, protects organizations against insider threats. Ilantus Compact Identity is one of the most comprehensive and economical IAM solutions in the market. In fact, it is the first and only solution to integrate all IAM elements in one solution from a common source code. This enhances stability and ability to integrate. Check out Ilantus products to radically transform your security landscape so that your organization is well equipped to fend off all sorts of security threats.