SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Best practices and key factors for identity management
Fri, 14th May 2021
FYI, this story is more than a year old

There is much to reflect on when considering how companies and consumers can protect their digital identities and ensure that data remains secure. Security elements include password risks, regulatory compliance and identity and access management (IAM) best practices.

Every user and entity in today's connected world has a unique digital identity based upon their online presence. This may include social media activity, healthcare and financial records, demographics, login credentials, web history, and more.

In parallel with any physical form of identification, digital identities must be protected at all costs to prevent identity theft or fraud.

Unfortunately, the massive volumes of data on the web have made this increasingly complex. The acceleration of digital transformation efforts this past year also introduced new opportunities for sophisticated threat actors. As technology continues to advance, securing sensitive data must be a top priority for organisations.

Marriott suffered a data breach early last year after a threat actor hacked into two employee accounts and accessed the personally identifiable information (PII) of 5.2 million hotel guests.

This data breach stands amongst countless other security incidents that resulted from account compromise. In fact, more than 80% of hacking-related breaches are tied to misplaced or stolen credentials.

Enforcing regular password resets might seem like the ideal solution to the problem, but this would serve only as a temporary fix as users would likely use their new passwords across other accounts.

Password reuse has become common malpractice since memorising numerous, complex passwords is both difficult and inconvenient. Stronger authentication controls can help organisations to keep sensitive data secure and maintain compliance with increasing regulations.

For companies like Marriott that collect and store massive volumes of customer information, data security and brand reputation are interrelated. Every business carries a responsibility to its customers to protect their data, whether it is to gain their trust or remain compliant with regulations.

Some privacy laws like the European Union's General Data Protection Regulation (GDPR) and Australian data privacy legislation have been in place for some time now.

There has also been recent discourse about a national privacy law in the United States that would hold all states equally accountable for the misuse of consumer data. The implementation and discussion of new laws highlight the ongoing data privacy dilemma. Enterprises that fail to comply with these regulations can face steep fines and could even risk losing their businesses forever.

Best practices

To keep up with the evolving security landscape, consumers and businesses must work together to ensure that corporate and personal data remains secure. No matter what their size, complexity, or uniqueness might be, passwords will always pose a risk.

Companies must rethink their cybersecurity strategies to mitigate threats efficiently and stay in line with data privacy regulations while streamlining the entire login process. Here are some identity and access management (IAM) tips to ensure employee and customer identities are correctly verified.

1. Enable multi-factor authentication (MFA) and single sign-on (SSO)

Memorising dozens of long passwords is impractical. Fortunately, solutions exist today that can reduce the risk of account compromise while enabling a seamless login experience for users.

MFA enables an added layer of security. For example, through an SMS token sent via text message or through a third-party app like Google Authenticator. Without a second form of authentication, the user will not be verified and won't be granted access to the account. Through SSO, users can access a variety of independent cloud resources by logging into a single portal.

2. Know your users

To confirm that a user is genuinely who they claim to be online, it's critically important for organisations to continuously monitor their employees' network activity and behaviour to detect any abnormalities.

For instance, if an employee signs in at 9 am every Monday through Friday from their home IP address, but suddenly logs in at 10 pm on a Saturday from a different location, this behaviour would be deemed suspicious.

Through context-based, step-up authentication, organisations can confirm users' identities as needed depending on their locations, devices and day-to-day activities. This will also give companies greater security for data access no matter where it occurs.

3. Stay informed

Even with all the right solutions in place, a security strategy is incomplete without educational resources. Companies must enforce cybersecurity training programs for all employees to inform them about rising threats, and also teach them how to manage their data effectively and safeguard their digital identities (as well as those of their customers, by extension).

With all these considerations in mind, organisations can defend proactively against unauthorised access and protect all sensitive data stored across their modern IT ecosystems.

Beyond company policies, consumers must take it upon themselves to stay up-to-date on the latest identity management trends and cyber-risks. Now that our daily lives revolve around the internet, identity management awareness has never been more critical.