The first step in fixing any IAM problem is to understand it.
IAM is the information technology security framework of policies that ensures the right users have the appropriate access to the resources they need to do their jobs well. It requires managing the lifecycle and roadmap of your users’ identities, governing their access, and properly monitoring the use of their identities and credentials through identity analytics.
Effective IAM also ensures that proper controls govern users’ ability to interact with critical systems for which they require “privileged” access; this is the basis of privileged access management (PAM).
Privileged access isn’t the only place where threat actors find security gaps, which is why businesses must avoid the most common identity and access management (IAM) mistakes.
The most common IAM mistakes:
- Poor or partial IAM implementations
- No clear IAM governance or measurable results
- No executive leadership team “buy-in” or clear guidance for employees
- A lack of skilled cybersecurity experts as IAM engineers, architects, and managers
- Multiple systems of record with duplicate identity credentials
- Political infighting over data and application ownership or responsibility
- A lack of organizational change management processes to resolve issues and stay ahead of hackers’ latest tactics
- A fear of automation, causing a reliance on risky, time-consuming manual processes
- Uncleaned data lifted and shifted into new IAM systems
- Unrealistic IAM roll-out approaches that aren’t effective
And above all, identity security should never rely solely on the CISO or CIO to manage and communicate it. All business leaders, including the CEO, CFO, and COO, must share the same strategic vision around IAM and drive it within the organization for it to succeed.
Don’t wait until it’s too late to fix the problems in your IAM strategy; get ahead of the curve by fixing the easy mistakes you’re making today.
Shall we talk?
Image: Kris in Pixabay
Automated Threats in the retail sector
According to the most recent studies, 62% of the threats that retail organizations faced were automated, which suggests an increasing threat level that corporations need to be aware of.
Online retailers have seen a tenfold increase in the proportion of attacks conducted through frameworks designed to preserve anonymity. Last year the proportion was just 3.5%; this year it jumped to just under 33%.
In the past 12 months, nearly 40% of traffic hitting the average ecommerce website was not generated by humans, but instead came from often-malicious bots running automated tasks. Nearly a quarter of traffic – 23.7% – was attributable to advanced bots using cutting-edge evasion techniques to mimic human behaviour and avoid detection.
Last year, bot-related attacks grew by 10% during October and another 34% in November, providing clear evidence that the actors behind such automated bot networks are keenly aware of the value of the holiday period to retailers. Indeed, one variety of automated bot has become known as a Grinch Bot: it scoops up inventory that is in high demand and hoards it, making it harder for legitimate consumers to purchase gifts online.
Other malicious bots are engaged in account takeover (ATO) activities, with over 64% of ATO attacks using some kind of bot in 2021. The attackers behind these bots generally replay leaked customer details in credential stuffing attacks, and as an indication of the volume of their activity, Imperva found that 22.6% of all login attempts on retail websites are malicious.
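As an added illustration of the credential stuffing pattern described above (example code, not from the original post), the following Python flags source IPs that try many distinct accounts with mostly failed logins inside a short window, then lists the accounts such a source nonetheless logged into; the log format, IP addresses and usernames are constructed for the example.

```python
"""Credential-stuffing detection over constructed login logs (added example, not from the post)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): timestamp, source IP, username, outcome.
# 203.0.113.7 behaves like a stuffing bot: many different accounts, mostly failing.
SAMPLE_LOG = """\
2022-11-25T10:00:01Z 203.0.113.7 alice@example.com FAIL
2022-11-25T10:00:02Z 203.0.113.7 bob@example.com FAIL
2022-11-25T10:00:02Z 203.0.113.7 carol@example.com FAIL
2022-11-25T10:00:03Z 203.0.113.7 dave@example.com OK
2022-11-25T10:00:03Z 203.0.113.7 erin@example.com FAIL
2022-11-25T10:00:04Z 203.0.113.7 frank@example.com FAIL
2022-11-25T10:01:10Z 198.51.100.4 alice@example.com FAIL
2022-11-25T10:01:40Z 198.51.100.4 alice@example.com OK
2022-11-25T10:05:00Z 192.0.2.9 grace@example.com OK
"""

def parse_log(text):
    """Turn each line into (timestamp, ip, user, success)."""
    records = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"))
    return records

def detect_stuffing(records, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that, inside one sliding time window, try at least min_users distinct
    accounts with a failure ratio >= min_fail_ratio; the last qualifying window's stats are kept.
    A single user retrying their own password (198.51.100.4) is not flagged."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec[1]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1
            span = recs[start:end + 1]
            users = {r[2] for r in span}
            fail_ratio = sum(not r[3] for r in span) / len(span)
            if len(users) >= min_users and fail_ratio >= min_fail_ratio:
                flagged[ip] = {"distinct_users": len(users), "fail_ratio": round(fail_ratio, 2)}
    return flagged

def suspected_takeovers(records, flagged):
    """Accounts that a flagged source logged into successfully: the ATO candidates to review."""
    return sorted({r[2] for r in records if r[1] in flagged and r[3]})
```

The thresholds are illustrative; in production they would be tuned against the site's normal login failure rate, and the flagged successes would feed a forced password reset or step-up authentication rather than an immediate lockout.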
With limited staffing and conflicting priorities, retailers are challenged in combating security threats. In principle, responsibility for IT security cannot be delegated, but many retailers still delegate key security activities to auditors, contractors and stores. Finally, many retailers lack a governance process and focus instead on regulatory compliance at the expense of a framework that governs information.
Shall we talk?
Cyber-Attacks Set To Become “Uninsurable”
This is the stark assessment from Mario Greco, chief executive at insurer Zurich, one of Europe’s biggest insurance companies, speaking to the Financial Times.
Amid growing concern among industry executives about large-scale cyber-attacks, Greco warned that cyber-attacks, rather than natural catastrophes, will become “uninsurable”. For the second year in a row, natural catastrophe-related claims are expected to top $100bn, the FT reported.
Cyber-attacks have continued to plague multiple industries in recent years, some of which do little to prevent future attacks when they opt to pay hackers and criminal gangs (against all security professional advice) to unlock their ransomware-crippled systems or call off DDoS attacks.
Zurich’s Mario Greco praised the US government’s steps to discourage ransom payments. “If you curb the payment of ransoms, there will be fewer attacks,” he told the Financial Times.
In September 2022, Lloyd’s of London defended a move to limit systemic risk from cyber attacks by requesting that insurance policies written in the market have an exemption for state-backed attacks. A senior Lloyd’s executive said the move was “responsible” and preferable to waiting until “after everything has gone wrong”.
Identifying those responsible for an attack is challenging, which makes such exemptions legally fraught, and cyber experts have warned that rising prices and bigger exceptions could put people off buying any protection.
There is a limit to how much the private sector can absorb in terms of underwriting all the losses coming from cyber attacks, Greco said. He called on governments to “set up private-public schemes to handle systemic cyber risks that can’t be quantified, similar to those that exist in some jurisdictions for earthquakes or terror attacks”.
The data:
- According to Security Magazine, there are over 2200 attacks each day, which breaks down to nearly 1 cyberattack every 39 seconds.
- With around 2,220 cyberattacks each day, that equates to over 800,000 attacks each year.
- According to Cybint, nearly 95% of all digital breaches come from human error.
Cyber security experts have shared their predictions for the most impactful threat vectors and cyber risks of 2023: when Cyber Security Hub asked them in mid-2022 which threat vectors posed the most dangerous threat to their organizations in 2023, 75% of cyber security professionals said social engineering and phishing.
Since the survey closed, multiple organizations such as Dropbox, Revolut, Twilio, Uber, LastPass and Marriott International have suffered such attacks, further highlighting the importance for cyber security practitioners of staying aware of phishing threats.
Privileged account management is the IT security process of using policy-based software and strategies to control who can access sensitive systems and information. Privileged accounts rely on credentials (passwords, keys, and secrets) to control access. By creating, storing, and managing these credentials in a secure vault, privileged account management controls authorized access of a user, process, or computer to protected resources across an IT environment.
Shall we talk?
Image: Arthur Bowers in Pixabay
Transforming risk into a strategic advantage
The need for a conscious, holistic approach to governance, risk, and compliance (GRC) has never been more critical to organizations. As the business environment changes, companies need to evolve their GRC strategies to maintain a comprehensive view of interconnected risks, understand the financial implications of those risks, and make more informed decisions at all levels.
How to take a proactive approach to transform risk into a strategic advantage:
- As your business prepares for inflation, economic uncertainty, and the global risk of stagflation, you must build resiliency to recover from obstacles with minimal business impact. Resiliency has gained importance in recent years: it integrates with enterprise-wide risk management and works across the organization, providing a comprehensive view of what’s at stake. Agility and resilience complement each other.
- Technology leaders such as CIOs, now at the center of corporate decisions, are becoming critical decision-makers in core business functions such as marketing, sales, product development, and finance.
- To build and maintain customer trust in third-party vendors, you need a proactive approach to third-party risk management. Amid escalating economic uncertainty, you need to look closely at third-party companies as businesses – which vendors are mission-critical and which ones you can eliminate with minimal negative impact. Most companies conduct some due diligence, but many don’t monitor third-party risks beyond an annual checklist. By then, information could be outdated, vendors noncompliant, and your business at risk. With the right tools and clear communication, your business can manage vendor risks to protect yourself and your customers.
- More than 80% of consumers believe companies should actively shape ESG guidelines, and almost all (91%) business leaders believe their organization is responsible for acting on ESG issues. Additionally, 86% of employees want to work for businesses that share their values.
- A resilient organization requires flexible and adaptable structures in all operational areas. While hybrid work offers employees flexibility, it also increases operational risk.
Risk management is everyone’s responsibility. Cultivating a culture of resiliency and taking control of third-party relationships will improve your risk attitude. Risk becomes a strategic advantage when you empower your CIO as a changemaker and commit to robust ESG monitoring and reporting practices.
Cybersecurity Law Code
There is a European Directive, Directive 2016/1148, regarding the measures aimed at guaranteeing a high common level of security in the networks and information systems of the Union. This Directive has a couple of articles related to the security of networks and information systems for essential service operators and digital service providers.
Thus, Article 14 establishes that “Member States shall ensure that operators of essential services take adequate and proportionate technical and organizational measures to manage the risks that arise for the security of networks and information systems” used in their operations. “Given the situation, these measures will guarantee a level of security of the networks and information systems that is adequate in relation to the risk posed.”
In other words, the Member States must ensure that measures proportionate or appropriate to the risk posed are in place, and that measures are adopted to prevent, reduce or minimize the impact of incidents that affect security.
Likewise, the competent authority or the CSIRT (Computer Security Incident Response Team) must be notified without undue delay of incidents that have significant effects on the continuity of the essential services provided, so that institutional or national measures can be taken in this regard, where appropriate.
In addition, the EU Cybersecurity Regulation entered into force in June 2019 and introduced:
- A certification system for the whole EU,
- A new and strengthened mandate for the EU Agency for Cybersecurity.
Thanks to it, the EU has put in place a single EU-wide certification framework that will build trust, increase the growth of the cybersecurity market, and facilitate trade across the EU.
In Spain we have a Cybersecurity Law Code, published in the Official State Gazette, which cites the main rules to be taken into account in relation to the protection of cyberspace and ensuring the aforementioned cybersecurity.
Regarding cybersecurity at a technical and organizational level, it is also necessary to take into account the new European Data Protection Regulation – Regulation (EU) 2016/679; as well as the existence of other types of international protocols or rules, especially those related to the international transfer of data, such as the Privacy Shield.
These are just some of the rules that aim to protect cyberspace, but there are many more detailed ones that regulate even more specific aspects.
More broadly, cybersecurity covers many subjects related to criminal and civil law, and the protection of honor or privacy, among others, that also apply in the real, physical world. What has to be taken into account is the online dimension in which these illicit or illegal actions take place, and the resulting impact that comes from their occurring in the digital world.
Also, on 15 September 2022 the European Commission published a proposal for a Cyber Resilience Act (the ‘Regulation’), which aims to:
- ensure that cyber security is considered during the development of hardware and software products and is continuously improved throughout that product’s life cycle; and
- improve transparency so that users can take cybersecurity into account when selecting and using a product with digital elements.
The Regulation will impact a broad range of parties in the technology supply chain, who should consider how the additional cyber-security requirements will affect their manufacturing and distribution processes. Whilst the majority of the obligations will come into effect 24 months after entry into force, manufacturers will have only twelve months to comply with the Act’s reporting obligations.