The end of the enterprise password protection paradigm


The leading cause of data breaches is stolen passwords, according to Verizon’s 2016 Data Breach Investigations Report. Passwords are the proverbial weakest link, and if a password is compromised, it can be difficult — if not impossible — to fully contain the damage. Imagine if you built a fortress to protect your valuables but you unknowingly, left the back door wide open. Just because you have a sophisticated security infrastructure doesn’t mean that your company’s data is protected.

Large enterprises such as Anthem, Chick-Fil-A and Sony have all been recently hacked, exposing their customers’ confidential information, opening them up to significant liability and hurting their brands for the long term. Consumers tend to distrust companies more and spend less with them once they’ve been hacked, meaning that one successful phishing scam could be all that stands between your company and a significant loss of market share, now and in the future.

Why is the password wreaking havoc in hybrid enterprises?

The reason why passwords are fundamentally flawed as the primary barrier between hackers and your company’s data is simple: human nature. We have a natural tendency to develop habits based on the simplest and easiest ways to attain our goals. In terms of IT security, this means that people usually create passwords that are easy for them to remember, and then use the same password for virtually every device or application that requires login credentials.

Because of this tendency, hackers need only to learn a single password used by one person in your enterprise to breach your IT infrastructure. In fact, 95 percent of security incidents involve hackers harvesting credentials from devices, according to an Acunetix analysis of Verizon’s 2015 Data Breach Investigations Report.

Furthermore, businesses tend to be lax in restricting former employees’ access to systems when they no longer need it. According to a report by Osterman Research, 89 percent of ex-employees keep the login credentials they had used to access their former employers’ applications, and 45 percent of them said they still had access to sensitive information after leaving a company.

This implies that there could potentially be a huge number of active login credentials granting access your company’s confidential data floating around waiting to be snatched by a hacker and used against you.

Protecting your organization today requires a paradigm shift

Despite a dramatic increase in spending on IT security, hackers continue to create significant problems for businesses. Worldwide cybersecurity spending is expected to increase from $75 billion in 2015 to $101 billion in 2018, yet in 2016 nearly 3,000 hacks resulted in the disclosure of 2.2 billion sensitive documents from companies such as Yahoo, Dropbox and Cisco. According to Symantec’s 2016 Internet Security Threat Report, no business is too small to be hacked, either: 43 percent of cyberattacks target small enterprises.

The threat that hackers present becomes even greater with the expansion of the internet of things (IoT), which gives hackers exponentially more points of entry to your IT infrastructure. A recent shutdown of major websites such as Amazon, Twitter, Spotify, Tumblr, Reddit and PayPal resulted directly from hacked IoT home devices.

All this information suggests that there needs to be a paradigm shift in the way that IT and security professionals think about protecting their organizations from breaches. The bad guys are already there: you must assume that your network is already compromised and work to secure individual systems and applications. For example, imagine what you would do to keep your home safe if you knew intruders were already inside — you’d lock the doors to the most important rooms.

The funny thing about enterprise password management is that in most cases you shouldn’t trust using only a password! Some of the ways to transcend the vulnerabilities presented by a password-oriented security infrastructure include the following:

Multifactor authentication: This means using two or more factors to verify a user’s identity and grant access to sensitive information. These factors can include something that employees know, such as their passwords, combined with something they have, such as keycards, and something inherent to who they are, such as thumbprints or other biometric identifiers.

Just-in-time access control: This means access to sensitive information is requested and granted on an as-needed basis, and that access is only available within a limited time frame before being removed. Just-in-time access control eliminates permanent access to confidential data and removes the possibility for hackers to take advantage of old credentials.

Least-privilege access: This means restricting access privileges to the bare minimum individuals need to accomplish specific role-based tasks, so that they can’t creep into other areas where they’re not supposed to be.

Protecting your admin credentials is critical, and while many security applications are available to protect against malware and phishing, none of them can prevent a security breach once credentials have been compromised. Multifactor authentication and other tactics that go beyond the traditional password protection paradigm can help you shore up your company’s IT infrastructure security.