5 Reasons You Should Start with Identity to Protect Against Account Takeover

Introduction

For employees, contractors, and consumers, a new era of digital business has begun. The lasting shift into remote work means more and more business is being done on personal devices—from the comfort of home, coworking spaces, or the local coffee shop. Eighty percent of company leaders plan to allow remote work at least part of the time for the long term, and 47% are enabling permanent work-from-home environments.

Alongside the rise in remote work, there’s been a staggering rise in security threats, in particular account takeover (ATO) attacks, which increased by an alarming 282% between Q2 2019 and Q2 2020. This is a trend we’ve continued to observe in 2021. An ATO can impact anyone who has online accounts, login credentials, and access to infrastructure or applications—and today, that’s nearly everyone.

But what is an ATO attack, and how does it work?

ATO occurs when a bad actor illegally accesses a user’s account and steals the “stored values” in this account—including personal information, financial information, and any credit the user has with a business. When these cybercriminals have infiltrated the account, they can do major damage, such as posting spam or moving laterally through the organization to target other systems and data.

Typically, fraudsters stake their success on users’ tendency to choose weak passwords, which leaves accounts open to brute force attacks such as credential stuffing and password spray. Weak passwords also allow fraudsters to attempt ATO attacks at scale using automated bots. However, these attacks can also be human-driven and begin with a data breach or phishing attack that steals a legitimate user’s login credentials.

In a global survey by IDG, commissioned by Okta, 80% of IT, security, and developer leaders say that weak passwords, phishing attempts, and credential sharing have impacted their security posture, with four in ten saying that these issues have greatly affected it. That comes as no surprise, considering even minor incidents can threaten monetary loss, increased chargebacks, regulatory fines, and reputation loss.

Many organizations see the looming threat that ATO attacks pose t