Identity Protection Can’t be Taken for Granted Anymore

Would you be surprised to learn that only 10% of organizations manage to get their PAM solution fully onboarded? That less than 7% manage to get MFA protection for the majority of their critical resources? That only 20% of identity security teams are confident in their ability to use these solutions to prevent malicious access with compromised credentials?

A new report by Osterman Research, named ‘The State of the Identity Attack Surface: Insights into Critical Security Gaps’, reveals that the actual coverage of identity security solutions and practices is materially lower than most people think. A global survey among hands-on identity security practitioners shows that high exposure to account takeover, lateral movement, and ransomware spread is a norm rather than an outlier. In plane words: adversaries with compromised credentials encounter low to zero defenses when accessing targeted resources.

The Protection of Identity Security Control Such as PAM and MFA Can’t be Taken for Granted

The findings in report challenge the implicit trust that the purchase and deployment of an identity security solution equals protection. It is for you to take to your CISO and ask: ‘how do we stack up against what this report claims as the standard?’. Maybe your organization is one of the few that have all identity protection lined up. But maybe there’s a gap in you MFA, PAM, or service account protection. You’d want to discover and resolve it before adversaries do.

Critical Gap: Real-Time Protection Against the Malicious Use of Compromised Credentials

The report goes over all the parameters that build up an organization’s ability to have real-time protection against identity threats such as the scope of covered resources and protected users. From the executive perspective, the importance of the report is it’s ability to provide you with the right questions to surface any existing gaps in your organization’s identity security posture.

For example, the right question is not ‘do we have MFA?’ bur rather ‘does our MFA protection applies to all our critical resources and users?’. Not ‘do we have PAM?’ but ‘Is our PAM solution fully onboarded or did we give up and settle for partial protection only?’

Asking the Hard Questions is the Beginning of the Solution

As an executive, you operate under the assumption that the people that are directly accountable for the cybersecurity of your organization are prioritizing the purchase and deployment of the right solutions. This is their expertise, and you rightfully trust their judgement.  However, as a business leader, you also know that people who are in the trenches of day-to-day work can often miss critical changes as they happen. Your security stakeholders are not ideally placed to zoom out of their 24\7 hand fights with the surrounding cyber threats. But someone needs to ask the tough questions that can’t take anything for granted just because this is the way things were always done.

Click here to download the report and gain insight into the identity protection questions you need answers to.