With the exponential growth in the number of human and machine actors on the network and more sophisticated technology in more places, identity in this new era is rapidly becoming a super-human problem, according to RSA. Paradoxically, even in this world where AI can dynamically assess risks and automate responses to threats, humans will have an even more important and strategic role in cybersecurity and identity security.
A recent report found significant gaps in respondents’ knowledge concerning critical identity vulnerabilities, best practices for securing identity, and how to develop stronger identity security. For instance, 63% of respondents could not accurately identify the identity components needed to move organizations toward zero trust. Likewise, 64% of respondents did not select the best practice technologies for reducing phishing. 55% did not understand the full scope of identity capabilities that can improve an organization’s security posture.
These findings align with third-party research indicating that identity is the most frequent cause of data breaches: the Verizon’s report found that the use of “stolen credentials became the most popular entry point for breaches” over the past five years.
“The RSA’s report reveals why identity is one of the most susceptible ways for cybercriminals to breach an organization—users simply don’t understand identity’s full cybersecurity role, the risks that identity poses, or the ways to use identity to build safer organizations,” said RSA CEO Rohit Ghai. “The gaps in users’ identity knowledge give cybercriminals openings to exploit.”
Among self-described IAM experts, 65% did not accurately select best practices to reduce phishing and 42% underestimated the frequency with which users recycle their passwords. “Growing numbers of users, devices, entitlements, and environments are overburdening IAM specialists—they just can’t keep up,” said RSA CPO Jim Taylor. “Identity plays critical roles across organizations, and for organizations to stay secure and compliant, identity needs to excel in each of those roles. The RSA’s report results reveal why organizations need to invest in unified identity solutions and integrate artificial intelligence to help their personnel keep up with the pace of change.”
64% of respondents put more trust in technical innovations like a computer or password manager with securing their information than their partner, closest friend, or financial advisor. Respondents felt even stronger about artificial intelligence’s potential to improve identity security: 91% of respondents believed that AI can detect suspicious authorizations and access attempts, identify irregularities in entitlements, and recognize vulnerabilities on mobile devices.
72% of respondents believed that people frequently use personal devices to access professional resources. 97% cybersecurity experts felt that users opened more emails on their phones than on desktops, had more difficulty scrutinizing those emails on mobile devices, used personal devices to access professional resources, and/or that unmanaged devices don’t have the same security capabilities as managed devices.
Each of those factors could catalyze identity compromise—together, they represent a perfect storm of risks. These responses align with Zimperium’s report, which found that the average user is 6-10 times more likely to fall for an SMS phishing attack than an email-based attachment.
Nearly three-quarters of all respondents either didn’t know or significantly under-valued the cost of a password reset, including nearly half of all self-described IAM experts. With each password reset costing upwards of $70, resets can account for nearly half of all IT help desk costs. The fact that 73% of respondents can’t accurately price this expense or understand its impact on their IT counterparts could lead to run-away costs, underscoring the value of using one identity solution for both authentication and access.
The report also revealed how inadequate identity governance and administration hurts organizational productivity. 30% of all respondents reported that they were prevented from accessing the systems needed to do their work at least once a week.
