According to Verizon’s 2021 Data Breach Investigations Report, 85 per cent of security breaches involve the human element. These breaches, said Shiven Ramji, CPO, Auth0, come in two scenarios.
“In the first you’re working at a company and you want access to an application – a SaaS application or one of your own internally built applications,” said Ramji at a recent ITWC briefing. “In the second you’re a consumer – visiting websites and using applications.”
Regardless of the scenario or context, you’re potentially talking about a big and inviting open door for cyber-attackers. “Usernames and passwords, in whatever context or scenario, draw attacks,” he said. “These attacks may be different by context, but in both cases they can do a lot of damage and can heavily impact your organization.”
As to specific impacts, Ramji said they can be company-wide and are potentially game-changing.
“Not having a secure and seamless way to provide access to your customers will impact transactions – subscriptions, signups et cetera. Regardless of who your internal stakeholders are, not doing identity right can severely impact revenue. But it can also lead to fraud and abuse, and from there privacy violations and data breaches.” When it goes this far, said Ramji, it can do severe damage to a company’s reputation.
On the workforce side it’s different, he said, because often the compromise or takeover involves your internal systems. “And so lots of crazy things can happen, whether a ransomware attack or another situation where your system is directly compromised. You might lose access to your data or end up making changes you did not intend to make.”
Good security depends in no small part on the people inside an organization – on how committed they are to “the cause” and to not being the weak link. A strong security culture not only shapes how those people work day to day but also influences what the company delivers to its customers.
Ramji talked about the importance of gauging your people’s interest in taking on security as a core competency (it’s not a given that the interest will be there).
“Whether you have a team of eight or a team of 24 dedicated to identity and security, it’s important to ask your people if identity is or will be a core competency,” he said. “If the answer is ‘no,’ then this is where an identity service provider like ours can help you get to scale and free up your team so they can focus on problems that really matter.”
It really just boils down to doing things yourself versus working with experts.
The Right Tools
Many CISOs would agree that, had they had the right tool, they would have been able to avoid falling victim to a cyber-attack. But tools come in many forms, said Ramji.
“First you look at the basic people, processes, and awareness,” he said. “Security awareness programs are important, and companies should continue to invest in those. But companies should also try to make these programs fun and engaging. A little effort in this department can bring excellent returns.”
Ramji also recommends tabletop exercises.
“Run mock scenarios,” he said. “Run a mock phishing campaign internally, and see how many of your employees fail. The point is not to embarrass anybody but to learn. These exercises are also a great way to see how prepared teams actually are.”
Now on demand: Protect Your Customers’ Identities Online