Identity and access management immaturity causes security incidents

Ponemon Institute finds only 16% of enterprises have fully mature programmes; 56% average three identity-related data breaches in the last two years.


Saviynt and Ponemon Institute have released the inaugural State of Enterprise Identity research report. The findings emphasise the modern identity security challenges that enterprises face in the digital era, and underscore the importance of comprehensive Identity and Access Management (IAM) strategies to dramatically reduce security risks that often lead to costly data breaches, cyber attacks, and regulatory compliance missteps.

According to the research findings, only 16% of respondents (and just 15% of EMEA-based respondents) have a fully mature IAM strategy in place, which is characterised by fully operating programmes, skilled workers, and C-level and board executive awareness. The remainder are currently dealing with inadequate budgets, programmes stuck in a planning phase, and a lack of senior-level awareness.

As IAM programmes fail to get off the ground, the number of digital identities continues to skyrocket, creating complex enterprise environments that require new strategies, investments, and technology to close security gaps. In fact, over the past two years, more than half (56%) of respondents claim their business had an average of three data breaches or other access-related security incidents. Further, 52% of these respondents claim the breach was due to lack of comprehensive identity controls or policies.

“We’ve found that most enterprise IAM programmes have not achieved maturity, leaving companies struggling to reduce identity and access related risks,” said Jeff Margolies, Chief Strategy Officer, Saviynt. “Our research findings should serve as a wake-up call to C-level executives and security leaders: the absence of a modern IAM programme fuels the risk of rising identity and access-related attacks, and their financial consequences.”

Limited visibility and inadequate controls have become the new normal

Enterprise-wide visibility is critical to reducing risks in privileged user access, yet today’s complex enterprise ecosystems only impede transparency. According to the findings, only 35% of respondents are confident that they can determine whether privileged users are compliant with policies. That same percentage (35%) have high confidence in the effectiveness of current security controls in preventing internal threats involving the use of privileged credentials. The number one reason for lack of confidence in achieving visibility of privileged user access, cited by 61% of respondents, is that they cannot keep up with the changes occurring to their IT resources.

Beyond the lack of confidence in user access controls, there are compliance and regulation issues to address. Data shows that 46% of respondents (and 43% of those in EMEA) say their business failed to comply with regulations because of access-related issues. Beyond lawsuits and fines, many victims have suffered from loss of revenue, customers, and reputation, but almost two-thirds of respondents (64%) say downtime was the biggest consequence of compliance failures.

“While these numbers certainly raise concerns, our research also shows that many organisations are recognising the benefits of a converged identity platform, which combines multiple identity management capabilities into a single cloud solution to unify controls, improve visibility, and reduce risk. In fact, 71% of respondents are actively considering, or plan to adopt, converged identity governance & administration (IGA) and privileged access management (PAM) solutions to reduce costs and provide frictionless access to enterprise resources,” continued Margolies.  

Additional key report findings:  

EMEA organisations behind the curve on IAM

EMEA organisations are slightly behind their US counterparts; only 15% describe their approach to IAM as mature

42% of EMEA respondents admitted inadequate ID controls and policies had caused compliance failures

Compared to US organisations, EMEA-based companies are less likely to face lawsuits (19% vs 36%) or regulatory fines (23% vs 32%) as a result of non-compliance, but they are more likely to lose customers (54% vs 45%)

Automation can ease the identity management burden

56% claimed that granting and enforcing privileged user access rights required too much staff to monitor and control

51% are unable to keep pace with the number of access change requests

The power of the cloud (and IAM)

52% say their organisations’ cloud transformation programme is already integrated with their IAM strategy

51% have seen an improvement in their IAM effectiveness

Remote & hybrid workers still present security risks

Only 28% of respondents say their organisations are determining if remote workers are securely accessing the network

37% report the number one step to secure the hybrid, remote workforce is screening new employees
