In this year's ForgeRock Consumer Identity Report [1], Eve Maler, CTO of ForgeRock, discusses the rapidly growing number of identity breaches in healthcare and financial services and gives recommendations on how to prevent them. Here is my quick tl;dr summary:
Worldwide Increase in Breaches
Even during Covid-19, malicious actors remained as active as ever: Most notably, attacks involving usernames and passwords increased by a staggering 450% over 2019, translating into more than 1 billion compromised records in the U.S. alone.
A closer look at vertical segments reveals that healthcare providers were the biggest target by a large margin: The healthcare industry accounted for 34% of all breaches, followed by financial services with 12%. Seeing those two verticals at the top of the standings should not come as a surprise, as they handle the most sensitive and valuable personal data.
Attacks by Type and Region
When looking at the prevalent attack types, unauthorized access was the most reported type of breach (43%) for the third year in a row. Another distinct, yet not surprising trend during Covid-19 was a significant increase in attacks on remote workers, especially by phishing attacks to gain access to user credentials (25%, up from 14% in 2019).
Third on the list, ransomware attacks remain as dangerous as ever. ForgeRock reports an overall increase to 17% (up from 10% in 2019), which doesn't sound too drastic at first. But once you break down the regional and vertical numbers, you can see that, for example, financial services in the UK reported a dramatic increase of 471% over 2019.
Equally alarming numbers come from Germany's critical infrastructure providers: ForgeRock documented a grand total of 419 reported data breaches at critical infrastructures, a 67% increase over 2019. This is exacerbated by the fact that a significant portion of breaches is only discovered after several months, by which time attackers have had plenty of time to explore the network laterally and increase their damage potential.
Three Things You Must Do – Stop, Drop, Clean-up
Based on these numbers, ForgeRock gives valuable, actionable recommendations on how to reduce the breach threat: First of all, users need to stop using static passwords, as these are the ultimate attack vector. As a second task, organizations need to drop into their users' experience and determine the most convenient and secure passwordless authentication method. And finally, they should clean up user roles and reduce them to the minimum necessary.
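As an added illustration of the third recommendation (not code from the report or from this post), the script below audits a simplified role-based access model: it takes constructed role definitions, role assignments and last-used dates per permission, flags permissions a user holds but has not exercised within a review window, and proposes roles that can be revoked because every permission they grant that is still in use is already covered by another role the user holds. The data model, the 90-day window and all sample users are assumptions made for this example.

```python
from datetime import date, timedelta

# Constructed sample data for this example (not from the report).
# Which permissions each role grants:
ROLE_PERMISSIONS = {
    "helpdesk": {"user:read", "user:reset_password"},
    "dba":      {"db:read", "db:write", "db:admin"},
    "auditor":  {"db:read", "log:read"},
}

# Which roles each user currently holds:
ASSIGNMENTS = {
    "alice": {"helpdesk"},
    "bob":   {"dba", "auditor"},
    "carol": {"auditor"},
}

# Last time each (user, permission) pair appeared in the access logs.
# A pair that is absent was never exercised at all.
LAST_USED = {
    ("alice", "user:read"): date(2021, 6, 1),
    ("alice", "user:reset_password"): date(2021, 6, 2),
    ("bob", "db:read"): date(2021, 6, 3),
    ("bob", "log:read"): date(2021, 5, 30),
    ("carol", "log:read"): date(2021, 6, 1),
}


def effective_permissions(user):
    """Union of the permissions granted by all of the user's roles."""
    perms = set()
    for role in ASSIGNMENTS.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def unused_permissions(user, today, window_days=90):
    """Permissions the user holds but has not used within the window."""
    cutoff = today - timedelta(days=window_days)
    stale = set()
    for perm in effective_permissions(user):
        last = LAST_USED.get((user, perm))
        if last is None or last < cutoff:
            stale.add(perm)
    return stale


def roles_to_revoke(user, today, window_days=90):
    """Roles whose still-used permissions are all granted by another role.

    Each role is judged independently against the user's other roles, so two
    roles that cover each other can both be flagged; the output is a review
    list for an administrator, not something to apply blindly.
    """
    stale = unused_permissions(user, today, window_days)
    roles = ASSIGNMENTS.get(user, set())
    revoke = set()
    for role in roles:
        covered_elsewhere = set()
        for other in roles - {role}:
            covered_elsewhere |= ROLE_PERMISSIONS[other]
        still_needed = ROLE_PERMISSIONS[role] - stale
        if still_needed <= covered_elsewhere:
            revoke.add(role)
    return revoke


def least_privilege_report(today, window_days=90):
    """Per-user summary of stale permissions and revocable roles."""
    return {
        user: {
            "unused_permissions": sorted(unused_permissions(user, today, window_days)),
            "roles_to_revoke": sorted(roles_to_revoke(user, today, window_days)),
        }
        for user in ASSIGNMENTS
    }


if __name__ == "__main__":
    for user, findings in least_privilege_report(date(2021, 6, 10)).items():
        print(user, findings)
```

Run against the sample data, bob keeps "auditor" (he uses log:read, which nothing else grants) but "dba" is proposed for revocation because the only dba permission he actually uses, db:read, is already part of auditor. carol shows a stale db:read that her auditor role grants anyway, which is the usual hint that a role is coarser than the job requires and should be split rather than revoked.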
The Biggest Takeaway: Zero Trust is a Necessity
Seeing that attacks can come from anywhere, organizations must be able to verify the identity of each employee, customer, or system on the network at any time. They need to combine modern hybrid IAM (Identity and Access Management) solutions with a Zero Trust strategy to sustainably limit access and protect data and resources. Strong authentication and authorization prevent attackers from gaining higher privileges and stop them from moving laterally through a network.
Another important takeaway is that no company is too small to be a valuable target; therefore, even smaller organizations should do all they can to improve their security posture, including using passwordless techniques and other Zero Trust-friendly measures.
The tl;dr-series for IAM
With the tl;dr-series for IAM (too long; didn't read) I try to summarize important and interesting articles that have crossed my reading list. Feel free to reach out with feedback and recommendations of articles that matter.