The COVID-19 pandemic accelerated digital transformation efforts across businesses by an estimated three years. As a result, people are spending more time online than ever before, and the volume of valuable data flowing through web applications has become increasingly difficult to manage and track. Many organizations are not equipped with adequate security to prevent data theft and fraud, and most consumers lack the awareness that would help them safeguard their own digital identity. Threat actors have taken advantage of this gap, using increasingly sophisticated methods to steal personal information for profit or other malicious ends. With technology advancing rapidly, protecting sensitive data must be top of mind for both businesses and consumers.
Passwords are an ongoing threat
Passwords have proven to be a continuous cyber risk time and time again: 61% of data breaches involve compromised usernames and passwords, and one industry estimate puts the cost of hacking incidents caused by stolen employee credentials at roughly $5 trillion by 2024. Despite these numbers, companies have yet to move away from passwords as a method of user verification. Instead, they demand that customers and employees use hard-to-guess passwords and enforce periodic password changes. Both measures backfire in practice: memorizing countless unique, complex passwords is cumbersome, so people reuse the same passwords out of convenience, and forced rotation pushes users toward predictable variations of an old password (which is why current NIST guidance, SP 800-63B, advises against mandatory periodic changes). Organizations must therefore implement stronger authentication controls to mitigate the risk of account compromise and to meet data privacy regulations.
Data privacy is a growing concern
Any organization responsible for collecting, transferring, and storing customer data must understand the gravity of misplacing or losing that information. While this is crucial for gaining and maintaining customer trust, it has also become a legal matter with data protection laws. Some regulations have already been enforced for a few years now, such as the General Data Protection Regulation (GDPR) in Europe, while many others were just recently enacted, like the Virginia Consumer Data Privacy Act (VCDPA). A nationwide privacy law in the U.S. is also currently in discussion, and if passed, would ensure every organization in the country pays the price for misusing consumer data.
Failure to comply with these laws can have severe consequences, from losing customer trust to costly fines, and large, well-known corporations have already faced hefty penalties. Last year, British Airways was fined about $26 million (£20 million) by the UK Information Commissioner's Office for poor security practices that resulted in the theft of over 400,000 customer records. Marriott's breach, which compromised the personally identifiable information (PII) of 339 million guests around the world, cost the company $23.8 million (£18.4 million) for failing to put appropriate security measures in place. Emerging data privacy regulations around the world highlight the pressing need to protect customers' digital identities and their sensitive data.
Identity management considerations for protecting data
As the threat landscape evolves, businesses and their customers must work together to ensure that corporate and personal data is protected. This begins with shifting away from passwords, which are a weak link for any organization and will continue to pose a threat. Companies must be more vigilant in their security approach and adopt technologies that streamline their users' login experience while mitigating the risk of unauthorized access. The following identity and access management (IAM) best practices help to protect sensitive data:
Monitor user behavior and activity
To confirm users' identities and detect potential intrusions, organizations must continuously monitor login and session activity. User and entity behavior analytics (UEBA) can help companies automatically detect potential intrusions, unusual activity, or other anomalies across a multi-cloud infrastructure. Once an abnormality is identified, the system can respond by sending an alert when a login from a previously unseen device is identified, or by locking an account after several failed login attempts within a short time span (bearing in mind that an attacker can abuse aggressive lockout rules to lock legitimate users out, so lockouts are usually paired with rate limiting rather than used alone). Additionally, context-based, step-up authentication asks users to prove they are who they claim to be when their location (typically approximated from the client IP address), device, or normal online activity changes unexpectedly.
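The three responses described above (alert on a new device, lock out after repeated failures, and require step-up when the location changes implausibly fast) can be expressed as simple rules over a login-event stream. The following is an added example, not code from the original article or from any product it mentions; the event records, the thresholds, and the user and device names are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login events (not real logs): timestamp, user, device id, country, outcome.
SAMPLE_EVENTS = [
    ("2021-06-01T08:00:00", "alice", "dev-A1", "US", "success"),
    ("2021-06-01T08:30:00", "alice", "dev-A1", "US", "success"),
    ("2021-06-01T09:00:00", "alice", "dev-Z9", "US", "success"),  # first login from a new device
    ("2021-06-01T09:02:00", "alice", "dev-Z9", "RO", "success"),  # country changed two minutes later
    ("2021-06-01T10:00:00", "bob",   "dev-B1", "US", "failure"),
    ("2021-06-01T10:00:10", "bob",   "dev-B1", "US", "failure"),
    ("2021-06-01T10:00:20", "bob",   "dev-B1", "US", "failure"),
    ("2021-06-01T10:00:30", "bob",   "dev-B1", "US", "failure"),
    ("2021-06-01T10:00:40", "bob",   "dev-B1", "US", "failure"),  # fifth failure in under a minute
    ("2021-06-01T10:00:50", "bob",   "dev-B1", "US", "success"),  # correct password, but account is locked
]

# Hypothetical policy values; a real deployment tunes these per application.
FAIL_THRESHOLD = 5                  # failures that trigger a lockout
FAIL_WINDOW = timedelta(minutes=5)  # sliding window for counting failures
TRAVEL_WINDOW = timedelta(hours=1)  # country change faster than this demands step-up


def analyze(events, fail_threshold=FAIL_THRESHOLD, fail_window=FAIL_WINDOW,
            travel_window=TRAVEL_WINDOW):
    """Replay login events in time order and return (timestamp, user, action, reason) findings."""
    known_devices = defaultdict(set)     # user -> devices seen on successful logins
    recent_failures = defaultdict(deque)  # user -> timestamps of failures inside the window
    last_location = {}                    # user -> (timestamp, country) of last success
    locked = set()
    findings = []

    for ts_str, user, device, country, outcome in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)

        # A locked account rejects every attempt, even one with the right password.
        if user in locked:
            findings.append((ts_str, user, "blocked", "account locked after repeated failures"))
            continue

        if outcome == "failure":
            window = recent_failures[user]
            window.append(ts)
            while window and ts - window[0] > fail_window:   # drop failures outside the window
                window.popleft()
            if len(window) >= fail_threshold:
                locked.add(user)
                findings.append((ts_str, user, "lockout",
                                 f"{len(window)} failures within {fail_window}"))
            continue

        # Successful login: reset the failure counter, then run the behavioural checks.
        recent_failures[user].clear()

        if known_devices[user] and device not in known_devices[user]:
            findings.append((ts_str, user, "alert", f"login from new device {device}"))
        known_devices[user].add(device)

        if user in last_location:
            prev_ts, prev_country = last_location[user]
            if prev_country != country and ts - prev_ts < travel_window:
                findings.append((ts_str, user, "step_up",
                                 f"country changed {prev_country}->{country} after {ts - prev_ts}"))
        last_location[user] = (ts, country)

    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Running the block against the constructed events yields four findings: a new-device alert and a step-up requirement for alice, and a lockout followed by a blocked attempt for bob. The first login of a user never raises a new-device alert, because there is no baseline yet to compare against.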
Verify user identity with authentication solutions
Keeping track of countless unique and complex passwords is inconvenient and inefficient. Instead, companies should enable tools such as multi-factor authentication (MFA) and single sign-on (SSO) that provide a secure login process. MFA confirms user identity and helps detect suspicious logins by requiring an additional factor beyond the password: a one-time code delivered by SMS or e-mail, or a time-based code generated by an authenticator app such as Google Authenticator. Not all factors are equal; SMS codes can be intercepted through SIM swapping and any one-time code can be phished, so where possible prefer app-generated codes and, better still, phishing-resistant hardware or platform authenticators (FIDO2/WebAuthn). Through SSO, users log in once at a single portal and are granted access to a variety of cloud applications; because this concentrates access in the identity provider, the identity provider's own login must itself be protected by MFA. With these solutions in place, organizations can ensure that all employees and customers are authenticated before accessing an account, and can enforce limits on who is authorized to access which information.
Identity management education and awareness
While adopting security technologies is critical to any organization's security program, accessible educational resources are also imperative. Companies must implement mandatory cybersecurity training for their employees that teaches them the importance of protecting PII, how to control what data they choose to share, and the security risks they face on a daily basis. Beyond company policies, consumers must always be wary of suspicious emails, texts, links, and similar lures that may result in exposure or theft of corporate or personal data.
With a strong IAM strategy that combines knowing your users, secure technologies to verify their identities, and cybersecurity education, companies can be confident they are taking the necessary steps to safeguard sensitive data within their modern IT infrastructure. Consumers must also take responsibility for protecting their own digital identities by keeping up with identity management trends and current cyber risks. Enabling MFA wherever it is offered, and choosing a passwordless login such as a device biometric (for example, Face ID) when one is available, goes a long way. Privacy protection is a collaborative process between businesses and their customers, so it is critical that both follow the above best practices to avoid the consequences that follow a data breach.