Last year my colleague Chris Webber predicted that “Breach Headlines will Change IT Security Spend.” Unfortunately the breach headlines this year were even more striking than most could predict. 2015 breaches involved high-profile criminal and state sponsored attacks. Millions of personnel records of government employees, tens of millions of records of insurance customers, and hundreds of millions of customer records from various other companies were among the information compromised. This year we even heard of a BILLION dollar bank heist!
Many of these companies had implemented advanced malware protection and next-generation firewalls, and delivered regular security training sessions for their employees. Yet the breaches are still happening. What we know from cybersecurity experts such as Verizon and Mandiant is that nearly half of breaches occurring today are due to a single vulnerability that is still not adequately addressed.
Compromised user credentials, AKA the humble username and password, can provide outsiders with access to an organization’s most critical data, applications, systems and network devices. Through phishing, trojans and APTs, hackers today are focused on these digital “keys to the kingdom,” which are used to access sensitive data and systems.
For 2016, companies will (and must) adopt measures to mitigate the risk of compromised credentials. Yes, complex and unique passwords are a start, but they will never be enough. Multi-factor authentication will be implemented more broadly and across more apps and devices, adaptive access will be used to detect and stop suspicious login attempts, and granular privilege management will be adopted to reduce the impact of compromised credentials. Companies will start to accept that compromised credentials are the new normal and will take steps to mitigate the risk they represent.
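To make the "adaptive access" idea concrete, here is an added example (not code from the original post or from any product it describes) of a minimal risk-based login policy: each attempt is scored against the user's known devices and countries, a burst of recent failures, and "impossible travel" from the last successful login, and the score decides between allowing the login, stepping up to a second factor, or denying it. The field names, thresholds, baseline data and sample login events are all constructed for illustration.

```python
"""Added example: a minimal adaptive-access policy that scores a login attempt
against the user's history and decides allow / step-up MFA / deny.
All thresholds, names and sample events below are constructed, not from the post."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: datetime
    ip: str
    country: str
    device_id: str
    success: bool


# Constructed per-user baseline: devices and countries seen in prior normal use.
KNOWN = {
    "alice": {"devices": {"laptop-01"}, "countries": {"US"}},
    "bob": {"devices": {"phone-07"}, "countries": {"DE"}},
}

STEP_UP_THRESHOLD = 2   # at or above: prompt for a second factor
DENY_THRESHOLD = 5      # at or above: block the attempt and alert


def assess_login(event, known, prior_events):
    """Return (decision, score, reasons) for one attempt, given earlier events."""
    score, reasons = 0, []
    baseline = known.get(event.user, {"devices": set(), "countries": set()})
    if event.device_id not in baseline["devices"]:
        score += 2
        reasons.append("unknown device")
    if event.country not in baseline["countries"]:
        score += 2
        reasons.append("unfamiliar country")

    user_prior = [e for e in prior_events if e.user == event.user and e.ts < event.ts]

    # A burst of failures in the last 10 minutes: password guessing, or a
    # phished/leaked credential being tried against the account.
    window_start = event.ts - timedelta(minutes=10)
    failures = sum(1 for e in user_prior if not e.success and e.ts >= window_start)
    if failures >= 3:
        score += 3
        reasons.append(f"{failures} failures in 10 min")

    # "Impossible travel": a successful login from a different country less
    # than an hour earlier means the same person cannot be at both places.
    successes = [e for e in user_prior if e.success]
    if successes:
        last = max(successes, key=lambda e: e.ts)
        if last.country != event.country and event.ts - last.ts < timedelta(hours=1):
            score += 4
            reasons.append(f"impossible travel from {last.country}")

    if score >= DENY_THRESHOLD:
        decision = "deny"
    elif score >= STEP_UP_THRESHOLD:
        decision = "step-up MFA"
    else:
        decision = "allow"
    return decision, score, reasons


def evaluate_stream(events, known=KNOWN):
    """Assess each attempt in time order, using only the events before it as history.
    Returns a list of (user, decision, score, reasons) tuples."""
    events = sorted(events, key=lambda e: e.ts)
    return [(e.user, *assess_login(e, known, events[:i])) for i, e in enumerate(events)]


# Constructed sample: alice logs in normally, then her password is tried from an
# unknown device in another country (three failures, then a success); bob signs
# in from his usual country but on a new phone.
T0 = datetime(2015, 12, 1, 9, 0)
SAMPLE_EVENTS = [
    LoginEvent("alice", T0, "192.0.2.10", "US", "laptop-01", True),
    LoginEvent("alice", T0 + timedelta(minutes=20), "203.0.113.10", "RO", "dev-x", False),
    LoginEvent("alice", T0 + timedelta(minutes=22), "203.0.113.10", "RO", "dev-x", False),
    LoginEvent("alice", T0 + timedelta(minutes=25), "203.0.113.10", "RO", "dev-x", False),
    LoginEvent("alice", T0 + timedelta(minutes=30), "203.0.113.10", "RO", "dev-x", True),
    LoginEvent("bob", T0 + timedelta(minutes=60), "198.51.100.5", "DE", "phone-08", True),
]

if __name__ == "__main__":
    for user, decision, score, reasons in evaluate_stream(SAMPLE_EVENTS):
        print(f"{user:6} {decision:12} score={score:2} {', '.join(reasons)}")
```

The point of the scoring is that a correct password alone no longer decides the outcome: a login that looks like the user's everyday pattern passes, an unfamiliar device triggers a second factor, and the combination of unknown device, new country, a failure burst and impossible travel is blocked outright even though the attacker holds the right credential. In a real deployment the baseline would be learned from the identity provider's logs and the thresholds tuned per application.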