Security Experts:

People the New Perimeter as Hackers Target Users to Infiltrate Enterprises

Identity Governance is Key to Improving Security and Compliance

Getting breached is becoming part of doing business. More than half of respondents to a Market Pulse Survey reported that they had suffered two or more breaches during 2016; and 60% expect to be breached in 2017. The average material cost of each breach now stands at more than $4 million.

Identity firm SailPoint commissioned Vanson Bourne to interview 600 senior IT decision-makers at organizations with at least 1,000 employees across Australia, France, Germany, Italy, the United Kingdom and the United States. The key finding is that a lack of visibility into staff actions and access capabilities remains a major problem.

SailPoint was founded in 2005. In 2014, private equity firm Thoma Bravo took a sizeable stake in the company -- thought to be in excess of 'several hundred million'. In February 2017, the Wall Street Journal suggested that SailPoint is currently "laying the groundwork for a possible IPO filing later this year."

While the majority of respondents to the Market Pulse Survey claim to have at least partial visibility into users' access to corporate systems and applications, less than half have full visibility.

Complicating factors continue to be cloud (shadow IT) and mobility (BYOD). Ninety percent of respondents admitted that at least some of their employees procure and use applications without IT or Security oversight or approval. Coupled with the growing use of personal mobile devices, many organizations struggle to know where and by whom their data is being used.

Seventy percent of organizations have embraced BYOD; but less than half have a formal policy around its use for corporate data. The result is a lack of visibility into the whereabouts and indeed content of unstructured data. This exacerbates industry's two biggest problems: hackers' exploitation of identity to effect, maintain and expand their incursions; and compliance.

People are the new perimeter, suggests SailPoint. "But even as it's widespread knowledge that hackers are targeting users as their doorway into the enterprise, employees aren't helping matters with continued poor password hygiene. 37% of respondents," explains the report, "cited password hygiene as a big factor into their organization's overall risk profile -- with employees either sharing passwords across multiple accounts and systems, not regularly updating or changing their password or not adhering to overall password management policies."

Compliance issues are also growing. The European General Data Protection Regulation (GDPR) requires that companies don't simply protect European PII, but know precisely where it is located. The latter is necessary because GDPR gives EU citizens the right to have their PII removed from organizations' systems -- and that cannot be achieved if the organization doesn't know where it is located (for example, in unstructured data located on staff mobile devices or in shadow IT cloud storage systems).

The survey shows that this concern is particularly strong in Europe, even though the Regulation will apply to any business anywhere in the world that does business with the EU. "Specific to European respondents," notes the report, "compliance bubbled to the top for some regions as a key goal and driver behind identity governance programs." Nearly threequarters (73%) of UK respondents, and nearly half of German (42%) and French (49%) respondents cited compliance as a reason for improving identity governance.

"There is a silver lining to our report," commented Kevin Cunningham, SailPoint's president and co-founder. "It's clear that now more than ever before, organizations better understand what -- and where -- their risks are, and that identity management can help address those risks. Identity provides that ability to put the detective and preventive controls in place to address all of these exposure points, while automating many identity-related processes to ensure that only the right people have the right access to applications and data at the right time. 

He continued, "By putting identity at the center of security and IT operations, these organizations can move their IT teams out of full-time firefighting mode, freeing them up to focus on enabling the business to move forward, confidently and securely."

According to the survey, identity governance is recognized by 97% of respondents as a key solution to these problems; and 55% cite identity as a top security investment priority for 2017. Other benefits are considered to be enhanced security (72% of respondents), a more automated and efficient organization (71%), and business enablement (65%).

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.