IDSA Report: The State of Identity-Related Security in 2020

During the past few months, as the COVID-19 pandemic has spread around the globe, we’ve witnessed a global rise in identity and phishing attacks. But identity-related breaches don’t just happen during a time of crisis; they are prevalent, unfortunately, even in the best of times.

To better understand the identity-related security landscape, the Identity Defined Security Alliance (IDSA), an organization Okta is a board member of, worked with Dimensional Research to create a survey analyzing large companies’ approaches towards security and identities. The survey included 502 participants in the US who are directly responsible for IT security or identity access management at a company with more than 1,000 employees.

Here’s what the survey found:

Identity-related breaches are happening everywhere

Around the world, identity-related breaches have become ubiquitous. These types of attacks have a lot in common, but they can take on many different forms, including:

• Phishing — pretending to be a legitimate person or institution via email, phone or text to trick an individual into sharing sensitive information
• Stolen credentials — illegally gaining access to an organization or individual’s passwords and usernames
• Inadequately managed privileges — unintentionally giving access to sensitive information or resources to individuals who do not need access
• Brute force attacks — using trial and error to input many different login credentials until one works
• Social engineered passwords — tricking an individual into divulging their password
• Compromised privileged identities — illegitimately gaining access to an account that has access to sensitive information or resources
• Man in the Middle attacks — secretly relaying or altering communication between two different individuals

If you’ve experienced one of the above attacks, you’re not alone. 79% of survey respondents said they had experienced an identity-related breach within the past two years; 19% of respondents had one within the past six months. Only 6% of respondents had never experienced this kind of attack at all.

Amongst respondents who had suffered from identity-related breaches, phishing was the most common form: 66% of respondents had experienced this type of attack. Employees were the most frequent target of these attacks — 75% of respondents who had suffered from an identity-related breach said their employees were targeted (as opposed to attacks aimed at applications or partners, for example).

One of the most striking findings from this survey: 99% of respondents said they believed their identity-related breaches were preventable. 71% of respondents said better security awareness training could have helped them avoid an attack, and 61% reported that improved internal processes (such as better alignment between security and identity teams) could have kept their users safe. These numbers are pretty staggering, but not entirely surprising. Overall, they are an indication that more companies should be jumping on the opportunity to lay a security foundation that emphasizes prevention rather than remediation after an attack.

Most companies are still figuring out their approach to identity-related security

When asked about the steps they’ve taken to improve identity-related security, the organization found the majority of respondents were still working on implementing identity-related security outcomes, including:

• Granting privileged access according to the Principle of Least Privilege (meaning each individual only has access to information and resources that are necessary for their job)
• Revoking access upon detection of a high-risk event associated with that identity
• Continuously discovering all privileged access rights and user access rights
• Requiring MFA for all privileged access
• Transparently auditing and enforcing application access
• Using device characteristics and expected user behavior for authentication

Fewer than 50% of respondents said they had fully implemented any one of the above security outcomes. Between 47%-58% of respondents said they were either planning to or in the progress of implementing one. Overall, these results show there is a lot of room for improvement and indicates that many companies are approaching their identity-related security differently.

A forward-thinking approach to identity-related security is the way to go

To learn more about how different companies are managing identity-related security, participants were asked their specific approaches. A little over half (53%) of respondents said they take a practical approach to identity-related security, focusing on preventing the most likely attacks. 23% of respondents have a forward-thinking approach, hoping to avoid any unknown future risks, and 24% of respondents take a reactive approach, responding to existing, known threats.

The research also found that the forward-thinking respondents were far more likely to have implemented the security outcomes listed in the previous section than their practical and reactive counterparts. For example, 61% of forward-thinking companies require MFA for all privileged access, while only 33% of practical-thinking companies and 24% of reactive-thinking companies do the same.

The data shows that the forward-thinking approach works. Only 34% of companies with a forward-thinking security culture have had an identity-related breach in the past year – far fewer than the 59% of companies with a reactive security culture and the 48% of companies with a practical security culture. And 11% of forward-thinking companies have never had an identity-related breach at all, compared to 4% and 6% of reactive- and practical-thinking companies, respectively.

Identity-related security needs some work, but we’re on the right track

Although many companies have suffered from identity-related breaches in the past two years, the coming years don’t have to look the same. 99% of the security and IAM leaders believed the attacks they had suffered from could have been prevented. And as the research found, the best way to prevent this kind of data breach is by adopting a forward-thinking approach to identity. Doing so will make a big difference in defending against unknown risks and keeping identities safe.

Join me and Asad Ali, Sr. Technologist at Thales for a webinar on Thursday, June 4 at 9 a.m. PT to hear about best practices and identity-centric security controls, and how to apply them to broader use cases, such as Zero Trust. Sign up here.