July 6, 2016 By Patricia Diaz 2 min read

In the early 1900s, Henry Ford discovered and addressed the weakest link in auto manufacturing: the production process. By creating the assembly line, Ford not only made the Model T widely available and affordable, but he also precipitated a global revolution in manufacturing, reshaped commerce and mobilized the world.

If you think of the world’s greatest inventions, such as Ford’s assembly line, you will find they all successfully address the weakest link in their respective fields. But when it comes to avoiding a data breach and improving security, what is our weakest link? Unfortunately, the answer is people.

Neither our heavily reused “123456” passwords nor our susceptibility to clicking on phishing emails is the biggest problem. One of the most significant hurdles is our lag in adopting technologies that truly target identity and access management (IAM) threats.

The Proof Is in the Pudding

The Verizon “2016 Data Breach Investigations Report” found that 63 percent of confirmed data breaches involved leveraging weak, default or stolen passwords. You can interpret this finding in one of two ways: The first and most obvious way is that 63 percent of data breaches are due to careless users. In fact, the report stated that the common threats associated with attacks involving legitimate credentials were, among others, stolen credentials and social phishing.

Now, the other way to interpret the statistic is to consider that if something as simple as stealing a user’s credentials is enough to expose sensitive information, organizations are not sufficiently utilizing intelligent access management practices.

I agree with the latter reasoning. Henry Ford did not lay blame on his plant workers for being the weakest link in his manufacturing process. Instead, he developed the technology that enabled his employees to work eight times faster — and therefore cheaper — than they could before.

Similarly, we should not blame end users for being the weakest link in security. Instead, we should acknowledge that users are the victims of sophisticated, continuously evolving malware and tricky phishing scams. We should enforce appropriate policies that can control access beyond easily stolen usernames and passwords.

Authenticating Beyond the Username and Password to Prevent a Data Breach

Back in 2004, Bill Gates predicted the death of the password. But now, 12 years later, it seems like we are clicking on “forgot password” more than ever. Given the rise in major data breach reports in recent years, and the role that stolen credentials play in those incidents, it is clear that many access technologies still in use were appropriate 12 years ago but are not today.

It is more important than ever to authenticate beyond username and password. Enforcing risk-based access policies can dynamically step up authentication in high-risk situations.

Risk-based access operates under a set of policy rules that determine, based on a calculated risk score, whether an access request should be permitted, denied or challenged (that is, forced to step up to a stronger form of authentication before it proceeds). Attributes that feed the risk score of a specific request can include IP reputation, the user’s behavioral patterns, device characteristics and more. For instance, a banking application could weigh both the amount a user is attempting to transfer and the user’s physical location to decide whether stronger authentication is needed or whether the user should be denied authorization to perform the requested transaction altogether.

Risk-based access allows organizations to create policies that control access dynamically, adapting to the ever-changing ways users access and consume information. There are enterprise-grade IAM solutions that secure access points and corporate networks through risk-based access capabilities.
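To make the banking scenario above concrete, here is a small risk-based access policy engine written as an added example for this article; it is not code from the original post or from any IAM product. The attribute weights, the two thresholds, the `good`/`unknown`/`malicious` IP reputation labels and the sample user profile are all assumptions chosen for the demo. It scores a request from IP reputation, location, device and transfer size, maps the score onto permit, challenge or deny, and treats a completed step-up challenge as satisfying the policy. It also returns the reasons behind the score, which a practitioner needs for audit logs and for tuning the policy.

```python
# Added illustrative example: a minimal risk-based access policy engine.
# Weights, thresholds, reputation labels and sample data are assumptions for
# this demo, not taken from the article or from any vendor's product.
from dataclasses import dataclass
from typing import List, Tuple

# Policy thresholds (assumed): below CHALLENGE_AT the request is permitted,
# at or above DENY_AT it is refused, in between the user must step up.
CHALLENGE_AT = 30
DENY_AT = 70

# Attribute weights (assumed). The reputation label would normally come from
# an external IP intelligence feed; here it is a plain string on the request.
IP_REPUTATION_WEIGHT = {"good": 0, "unknown": 15, "malicious": 60}
NEW_COUNTRY_WEIGHT = 25
UNKNOWN_DEVICE_WEIGHT = 20
LARGE_TRANSFER_WEIGHT = 10   # amount more than 3x the user's typical transfer
HUGE_TRANSFER_WEIGHT = 20    # amount more than 10x the user's typical transfer


@dataclass
class UserProfile:
    """Behavioural baseline for one user (constructed for the demo)."""
    username: str
    usual_countries: List[str]
    known_devices: List[str]
    typical_transfer: float


@dataclass
class AccessRequest:
    """Attributes of a single request to the banking application."""
    username: str
    ip_reputation: str
    country: str
    device_id: str
    transfer_amount: float = 0.0
    mfa_verified: bool = False   # True once the user has passed a step-up challenge


def risk_score(req: AccessRequest, profile: UserProfile) -> Tuple[int, List[str]]:
    """Sum the contribution of each risky attribute and record why."""
    score = 0
    reasons: List[str] = []

    # Unrecognised reputation labels are treated as "unknown", never as "good".
    ip_weight = IP_REPUTATION_WEIGHT.get(req.ip_reputation, IP_REPUTATION_WEIGHT["unknown"])
    if ip_weight:
        score += ip_weight
        reasons.append(f"ip_reputation={req.ip_reputation}")

    if req.country not in profile.usual_countries:
        score += NEW_COUNTRY_WEIGHT
        reasons.append(f"unusual country {req.country}")

    if req.device_id not in profile.known_devices:
        score += UNKNOWN_DEVICE_WEIGHT
        reasons.append(f"unknown device {req.device_id}")

    if profile.typical_transfer > 0:
        ratio = req.transfer_amount / profile.typical_transfer
        if ratio > 10:
            score += HUGE_TRANSFER_WEIGHT
            reasons.append(f"transfer {ratio:.1f}x typical")
        elif ratio > 3:
            score += LARGE_TRANSFER_WEIGHT
            reasons.append(f"transfer {ratio:.1f}x typical")

    return score, reasons


def decide(req: AccessRequest, profile: UserProfile) -> Tuple[str, int, List[str]]:
    """Map the score onto PERMIT / CHALLENGE / DENY.

    A request in the challenge band that already carries a verified second
    factor is permitted; a request in the deny band is refused regardless.
    """
    score, reasons = risk_score(req, profile)
    if score >= DENY_AT:
        return "DENY", score, reasons
    if score >= CHALLENGE_AT:
        return ("PERMIT" if req.mfa_verified else "CHALLENGE"), score, reasons
    return "PERMIT", score, reasons


# Constructed sample data: one customer and four requests.
ALICE = UserProfile("alice", usual_countries=["US"], known_devices=["laptop-1"], typical_transfer=200.0)

ROUTINE = AccessRequest("alice", "good", "US", "laptop-1", transfer_amount=150.0)
TRAVELLING = AccessRequest("alice", "unknown", "FR", "laptop-1", transfer_amount=2500.0)
STEPPED_UP = AccessRequest("alice", "unknown", "FR", "laptop-1", transfer_amount=2500.0, mfa_verified=True)
HOSTILE = AccessRequest("alice", "malicious", "AR", "phone-9", transfer_amount=5000.0)

if __name__ == "__main__":
    for name, req in [("routine", ROUTINE), ("travelling", TRAVELLING),
                      ("stepped_up", STEPPED_UP), ("hostile", HOSTILE)]:
        decision, score, reasons = decide(req, ALICE)
        print(f"{name:11s} -> {decision:9s} score={score:3d} reasons={reasons}")
```

Two design points are worth noting. An unrecognised reputation label falls back to the "unknown" weight rather than to zero, so a broken or missing feed raises risk instead of silently lowering it. And a verified second factor only downgrades a challenge, never a deny: a transfer from a malicious IP on an unknown device is refused even if the attacker also holds the one-time code, which is exactly the case where a stolen username and password alone should not be enough.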
