
In today’s connected world, every user and entity has a unique digital identity that is based upon their online presence. This may include social media activity, healthcare and financial records, demographics, login credentials, web history, and more. Like any physical form of identification, digital identities must be protected at all costs in order to prevent identity theft or fraud.
Unfortunately, the massive influx of data on the web has made this increasingly difficult, and the acceleration of digital transformation efforts this past year also introduced new opportunities for sophisticated threat actors. As technology continues to advance, securing sensitive data must be a top priority for organisations.
Passwords Are a Continuous Risk
Early last year, Marriott, the largest hotel chain in the world, suffered a data breach after a threat actor hacked into two employee accounts and accessed the personally identifiable information (PII) of 5.2 million hotel guests. This data breach stands amongst countless other security incidents that were a result of account compromise. In fact, more than 80% of hacking-related breaches are tied to misplaced or stolen credentials. Enforcing regular password resets may seem like the ideal solution to the problem, but this would only serve as a temporary fix as users would likely use their new passwords across other accounts.
Password reuse has become a common malpractice as memorising numerous, complex passwords is both difficult and inconvenient. Stronger authentication controls can help organisations keep sensitive data secure and therefore maintain compliance with increasing regulations.
Data Privacy Regulations Are Here to Stay
Every business carries a responsibility to its customers to protect their data, whether it’s to gain their trust or to remain compliant with regulations. Some privacy laws like the European Union’s General Data Protection Regulation (GDPR) and the Singapore Personal Data Protection Act (PDPA) have been in place for some time now.
Globally, there has also been recent discussion about tightening privacy laws on the misuse of consumer data in a growing number of countries. India and Indonesia are currently reviewing their privacy frameworks to consolidate several laws and regulations into single, comprehensive privacy laws. Thailand has recently passed new data protection and privacy legislation that is a significant improvement on the current law.
The implementation and discussion of new laws highlights the ongoing data privacy dilemma. Enterprises that fail to comply with these regulations can face steep fines and could even risk losing their businesses forever.
Best Practices
To keep up with the evolving security landscape, consumers and businesses must work together to ensure that corporate and personal data remains secure. Passwords, no matter the size, complexity, or uniqueness, will always pose a risk. Companies must rethink their cybersecurity strategies to efficiently mitigate threats and stay in line with data privacy regulations, while streamlining the entire login process. Here are some identity and access management (IAM) tips to ensure employee and customer identities are properly verified.
- Enable Multi-Factor Authentication (MFA) and Single Sign-On (SSO)
- Memorising dozens of long passwords is an impractical ask. Fortunately, solutions exist today that can reduce the risk of account compromise while enabling a seamless login experience for users. MFA adds a layer of security, for example a one-time code sent by SMS or generated by a third-party app like Google Authenticator. Without a second form of authentication, the user will not be verified and won’t be granted access to the account. Through SSO, users can access a variety of independent cloud resources by logging into a single portal.
- Know Your Users
- To confirm that a user is truly who they claim to be online, it’s critical that organisations continuously monitor their employees’ network activity and behaviour to detect any abnormalities. For instance, if an employee signs in at 9 a.m. every Monday through Friday from their home IP address, but suddenly logs in at 10 p.m. on a Saturday night from a different location, this behaviour would be deemed suspicious. Through context-based, step-up authentication, organisations can confirm users’ identities as needed depending on their locations, devices, and day-to-day activities. This also gives companies greater security for data access no matter where it occurs.
- Stay Informed
- Even with all of the right solutions in place, a security strategy is incomplete without educational resources. Companies must enforce cybersecurity training programs for all employees to inform them about rising threats, as well as teach them how to effectively manage their data and safeguard their digital identities (as well as those of their customers, by extension).
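The "Know Your Users" scenario above, as an added example that is not part of the original article or any Bitglass product: a small risk engine builds a per-user baseline of habitual weekdays, hours, source IPs and countries from a constructed history of trusted logins, then decides whether a new login is allowed outright or must pass step-up authentication (an MFA prompt). The one-hour slack, the country codes and the event format are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of trusted prior logins: (user, ISO timestamp, source IP, country).
# Alice signs in around 9 a.m. on weekdays from one home address, as in the article's scenario.
TRUSTED_HISTORY = [
    ("alice", "2021-03-01T09:02:00", "203.0.113.10", "SG"),
    ("alice", "2021-03-02T09:05:00", "203.0.113.10", "SG"),
    ("alice", "2021-03-03T08:58:00", "203.0.113.10", "SG"),
    ("alice", "2021-03-04T09:01:00", "203.0.113.10", "SG"),
    ("alice", "2021-03-05T09:00:00", "203.0.113.10", "SG"),
]

def build_baseline(history):
    """Summarise each user's habitual weekdays, hours, source IPs and countries."""
    baseline = defaultdict(lambda: {"weekdays": set(), "hours": set(), "ips": set(), "countries": set()})
    for user, ts, ip, country in history:
        dt = datetime.fromisoformat(ts)
        b = baseline[user]
        b["weekdays"].add(dt.weekday())
        b["hours"].add(dt.hour)
        b["ips"].add(ip)
        b["countries"].add(country)
    return baseline

def assess_login(baseline, user, ts, ip, country):
    """Return the list of deviations from the user's baseline (empty means normal)."""
    if user not in baseline:
        return ["no baseline for user"]
    b = baseline[user]
    dt = datetime.fromisoformat(ts)
    reasons = []
    if dt.weekday() not in b["weekdays"]:
        reasons.append("unusual weekday")
    # Assumed policy: allow one hour of slack around any hour previously seen.
    if not any(abs(dt.hour - h) <= 1 for h in b["hours"]):
        reasons.append("unusual hour")
    if ip not in b["ips"]:
        reasons.append("new source IP")
    if country not in b["countries"]:
        reasons.append("new country")
    return reasons

def decide(baseline, login):
    """Policy: any deviation triggers step-up authentication (e.g. an MFA prompt)."""
    reasons = assess_login(baseline, *login)
    return ("step-up" if reasons else "allow", reasons)

if __name__ == "__main__":
    base = build_baseline(TRUSTED_HISTORY)
    # Saturday 10 p.m. from an unfamiliar address and country "XX" (constructed): the suspicious case.
    print(decide(base, ("alice", "2021-03-06T22:14:00", "198.51.100.77", "XX")))
```

In practice the baseline should only be updated from logins that were allowed or that passed step-up, so that an attacker's first anomalous login does not become part of the user's "normal" profile.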
With the above considerations in mind, organisations can proactively defend against unauthorised access and protect all sensitive data stored across their modern IT ecosystems. Beyond company policies, consumers must take it upon themselves to stay up to date on the latest identity management trends and cyber risks. Now that our daily lives revolve around the internet, identity management awareness has never been more critical.
Jonathan Andresen is Senior Director, Marketing & Products, Asia-Pacific & Japan at Bitglass