One of the consequences of the business and social disruption of 2020 has been the significant lift in cybersecurity risks, as malicious actors have sought to capitalise on individuals working from home and networks increasingly cloud-orientated. As noted by the Australian government in March: “Since early March 2020, there has been a significant increase in COVID-19 themed malicious cyber activity across Australia,” and these threats, along with the ongoing push towards cyber-readiness for Australian businesses, led the government to announce a $1.35 billion Cyber Enhanced Situational Awareness and Response package.

This is an issue that is of great interest at the board level of organisations, and CIOs need to have answers. As noted in a report on the escalating cybersecurity threat, the Institute of Company Directors of Australia wrote “The fourth edition of the ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations highlights the requirement for directors to regularly assess the skills, knowledge and experience required to deal with new and emerging business and governance issues. Cybersecurity should be one of these key issues.

“Boards do not necessarily need to include IT professionals among their ranks, but as a consequence of the accelerating frequency of cyber-attacks and cybercrime, directors need greater depth of understanding of these risks.”

What CIOs need to be able to answer

One of the most common vectors for an attack on the enterprise is via the individual, with phishing and social engineering techniques being used to obtain passwords and “legitimate” access to a network.

At the same time, a key priority for CIOs and IT in 2020 has been one of flexibility and enablement – how can they open the network to allow remote access, and what can be shifted to cloud-based environments?
This has resulted in a massive expansion of the “surface area” of most enterprises, and that too has added to the IT risk that organisations need answers to.

Standard solutions around security are not adequate – a firewall doesn’t provide protection if the malicious actor already has access, and the explosion of threats has made reactive solutions, like antivirus software, inefficient. On the other hand, if security is too tight and cumbersome, then the CIO and IT team run the risk of employees looking for less restrictive solutions to do their work, and in circumventing the security, open that data to a great deal of risk over insecure public cloud services.

The solution isn’t necessarily obvious. According to an Oracle and KPMG Cloud Threat report, 78 per cent of organisations use more than 50 cybersecurity products to protect the environment, so it can be difficult to narrow down exactly where the solution to this pressing challenge might be. However, many security teams will find their answers from taking a new look at the Identity and Access Management (IAM) systems that the enterprise is using.

The benefits of efficient IAM to the modern enterprise

A zero-trust approach to each device is a necessary answer to the proliferation of BYOD devices and the decline of the physical perimeter. At the same time, the user experience needs to be efficient. Employees can’t waste time resetting one of the dozens of passwords that they need for the various applications in the environment. The customer certainly shouldn’t need to wait for an employee to work out how to log in to a CRM system or similar to access their data. And, critically, as far as the CEO and board are concerned, accountability needs to be high – the CIO needs to be able to demonstrate clearly defined processes around access and how changes to access (when new people are brought on or existing employees leave) are handled.
Furthermore, there need to be clear audit trails to support governance requirements.

A well-designed and implemented IAM solution will address all these challenges, and offer the CIO a number of other cybersecurity benefits, including:

Automation and systematic implementation to reduce the risk of human error.
Security across all operating system environments, regardless of set-up – an IAM solution should apply to Android, iPhone, as well as Windows, Mac, and Linux environments.
Multi-factor authentication, giving control of login validation to the employee based on their needs and preferences, such as phone calls, text messages, or mobile app notifications.
The potential for physical tokens, including biometric measures like facial, fingerprint and voice recognition. This mitigates the risk of “unauthorised mobile porting,” whereby a hacker tricks a phone company into transferring a target’s mobile account to a new SIM so they can access the SMS-based two-factor authentication.

Security is a governance concern, and company directors have noticed that COVID-19 has escalated the risk profile of IT security to extreme levels. CIOs will be called on to provide highly accountable solutions that put the users, rather than the network, devices or “perimeter”, at the centre of the security strategy. For many CIOs, improving the use of IAM will address the concerns that their board has while enabling the organisation to work in the way that modern conditions demand.