Why identity is everything when it comes to fighting cybercrime


The modern working landscape has become increasingly digitised, and cyber threats are now commonplace for many businesses.

When you consider how many companies now keep information in cloud-based applications, increased security measures are incredibly important.

According to McAfee, 83% store sensitive data in the public cloud, and one in four have had such data stolen. Almost 60% of those surveyed attributed the theft to a malware infection traced back to the application. On top of this, bring your own device (BYOD) policies are frequently adopted by employers. Personal devices may not have the company-approved security tools in place, nor the configuration needed to ensure that anything accessing corporate resources is compliant, which unnecessarily increases a company’s risk.

The importance of identity is nothing new when it comes to cybersecurity. Each of your employees will already need to verify who they are through username and password combinations to gain access to particular company resources. However, a username and password don’t equate to identity; a successful login just means that someone has access to those login credentials, which is why password-based authentication isn’t enough to protect modern companies.

Identity and access management (IAM)

Identity and access management (IAM) processes are crucial if you want to protect your business’s sensitive data. IAM refers to a framework of policies, processes, and technologies which allow enterprises to manage the digital identities of everyone accessing the company network. There are various components to IAM including granular access permissions, multi-factor authentication (MFA) and identity federation—which links an individual’s electronic identity and assets, and stores this information across a number of identity management systems.

Role-Based Access Control (RBAC)

IAM invariably comes with some form of granular access management like role-based access control (RBAC), which helps determine the resources an individual can access, based on certain criteria.

To implement this, you would need to examine every employee’s role and what they need to do their job productively. With this system, simply being part of the team won’t grant you unfettered access within sanctioned systems. For example, the more junior you are, the less likely you are to have access to sensitive information. Control can be implemented at both broad and granular levels, and automation can be used to reduce the administrative burden on the IT team and to help with providing and revoking access.

Single Sign-On (SSO) and Zero Trust

Rather than using a rudimentary username and password approach, you’re much better positioned to protect your resources if you implement single sign-on (SSO). This means that employees only need to input their login credentials once for a session to access permissible resources.

SSO is very important for security as it helps overcome the problem of having to manage multiple username and password combinations. If a user is required to switch between different apps and websites, and enter their details multiple times—bearing in mind that 59% of people use the same passwords for every account—this gives a cybercriminal numerous opportunities to attempt to steal their details and potentially access a great deal of sensitive data on the corporate network. However, if employees only sign in once, the chances of this happening are greatly reduced.

Given the frailty of passwords—roughly 74% of data breaches involve using privileged access credentials—SSO can be a crucial part of IAM and, in turn, Zero Trust. This phrase refers to a model emphasising the importance of identity in the cybersecurity process, and many business owners are leaning towards this to help accurately verify who a user is. As explained in their guide to Zero Trust security, cybersecurity specialists Wandera note that this approach “replaces the tenet of ‘trust but verify’ with ‘never trust, always verify’”. Even if somebody has access to the corporate network—which theoretically shouldn’t harbour any unauthorised personnel or devices—this doesn’t mean your data is safe from insider threats, or cybercriminals breaching your security solutions.

The importance of multi-factor authentication

While RBAC is a form of granular access management which is part of IAM, and can therefore be used in a Zero Trust model, your employees would need to do more than simply enter a username and password to access company resources. Multi-factor authentication (MFA) is crucial in protecting your data, as this requires more than two means of authentication before a user’s identity can be verified and they can access the required information.

If a hacker attempted entry using an employee’s user credentials, MFA would require additional credentials to verify the individual attempting access. This additional authentication could be in the form of a unique code sent directly to an employee’s personal phone, or even their biometric data such as fingerprints. MFA can also be combined with SSO for heightened security through software like OneLogin’s Secure Single Sign-on Solution, which uses “policy-driven password security and multi-factor authentication [to] ensure that only authorised users get access to sensitive data”.
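The access decision described in the RBAC and MFA sections above can be sketched in a few lines. This is an added example, not code from the article or from any vendor it mentions; the role names, resource names and the `Session` fields are hypothetical, and the policy data is constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample policy: role and resource names are hypothetical.
ROLE_PERMISSIONS = {
    "junior_analyst": {("reports", "read")},
    "finance_manager": {("reports", "read"), ("payroll", "read"), ("payroll", "write")},
}
# Sensitive resources need a factor beyond the password, even for a permitted role.
SENSITIVE_RESOURCES = {"payroll"}


@dataclass
class Session:
    user: str
    roles: set
    factors: set = field(default_factory=lambda: {"password"})
    on_corporate_network: bool = False  # recorded, but never used to grant access


def decide(session, resource, action):
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    granted = set()
    for role in session.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())  # unknown roles grant nothing
    if (resource, action) not in granted:
        return False, "no role grants this permission"
    if resource in SENSITIVE_RESOURCES and not (session.factors - {"password"}):
        return False, "additional authentication factor required"
    return True, "granted"


def revoke_role(session, role):
    """Revocation takes effect on the next decision; nothing is cached."""
    session.roles.discard(role)


if __name__ == "__main__":
    manager = Session("dana", {"finance_manager"}, on_corporate_network=True)
    print(decide(manager, "payroll", "read"))   # password only, on the network
    manager.factors.add("otp")
    print(decide(manager, "payroll", "read"))   # second factor presented
    revoke_role(manager, "finance_manager")
    print(decide(manager, "reports", "read"))   # role removed
```

Being on the corporate network changes nothing in `decide`, which is the “never trust, always verify” behaviour the Zero Trust section describes.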

Ensuring that identity is verified accurately, as well as tightening controls and user permissions, will inevitably protect corporate resources better than they have been protected in the past.