According to Verizon’s 2023 Data Breach Investigations Report, “74% of breaches involved the human element, which includes social engineering attacks, errors or misuse.” The DBIR also finds “50% of all social engineering attacks are pretexting incidents—nearly double last year’s total.”
Today, effective identity and access management (IAM) is more pertinent than ever:
- 49% of breaches by external actors involved the use of stolen credentials
- Phishing made up 12% of external attacks
- Attackers used the exploit vulnerability technique in 5% of breaches
Let’s call it what it is—threat actors are infiltrating your systems by exploiting workforce employees. Thus, cybersecurity programs today must follow IAM best practices to strengthen security at the front line and better protect users from unintentionally letting in an adversary.
The four IAM best practices below will serve as a guide to help you improve your IAM security practices and bolster your overall security posture.
1. Implement a Strong Password Policy
Implementing a strong password policy is a key component of today’s IAM best practices. It’s critical that each user’s password is:
- Sufficiently long as longer passwords are more secure (minimum of 8 characters)
- Complex and should consist of a combination of characters including upper- and lowercase letters, numbers, and special characters (e.g., !, @, #, $)
- Unpredictable, unique, and unrelated to personal information (e.g., names, birthdates, etc.)
- Free of common words, phrases, or sequences (e.g., “qwerty”, “123456”)
- Regularly updated to avoid reusing them across multiple accounts
While strong passwords are important, it may be necessary (and equally crucial) to enable multi-factor authentication (MFA) for high-risk users. MFA requires users to provide additional forms of verification, such as a temporary code sent to their mobile device. More on this in the next section. ⬇️
2. Infuse MFA with an Individual’s Risk Context
MFA, on its own, adds an extra layer of security by requiring multiple verification forms upon login. However, there have been variously identified bypasses of MFA, allowing attackers to gain persistence and bypass this second level of authentication. For example, if an adversary installs malware or finds other ways to steal session tokens, they can bypass MFA prompts with IAM systems knowing.
However, when combined with an individual’s risk context, MFA can be effective. For example, Elevate Identity provides IAM teams with a user’s risk context. Users with rising malware risk factors can automatically be assigned conditional access policies which can drive additional authentication, limit access, apply additional security controls, and more.
➡️ Check out A Brief Demo of Elevate Identity to see this process in action.
3. Get Granular & Enforce Policies Based on Individual Risk
IAM best practices call on security teams to enforce conditional access policies and reviews based on verified user risk behaviors. Instilling blanket access policies like MFA for every employee can lead to poor business productivity and low company morale.
Instead, it’s best to create conditional access policies dynamically mapped and tailored to user risk levels. This way, security teams are enabled with granular control to impose enhanced MFA, device restrictions, or trusted location requirements on a case-by-case basis. To do this effectively, you need a solution like Elevate that ingests and aggregates data from your enterprise to identify and score individual risk based on behaviors and attack history.
For example, say an employee of yours, let’s say his name is Steven, is at a high risk of falling victim to ransomware, or has a history of accidentally downloading malware. Steven is then classified as a high-risk user and would require conditional access policies. However, say another employee, Janice, is historically low risk. There’s no reason for her to jump through validation hoops to access company systems.
Injecting user risk data into identity systems to automate conditional access policies, revoke access based on verified threat signals, and enhance access governance reviews is one of the most critical IAM best practices to date. This will help ensure your people and organization are secure, while keeping your business productivity high.
➡️ Get the eBook on Safeguarding User Identities: A Comprehensive Guide to IAM in 2023 to learn how to proactively authenticate and assess the potential risk posed by a user who is trying to access your systems.
4. Automate Feedback Loops & Nudges to Mitigate User Risk
Identity and access management is not only a program for IAM or security teams to implement and uphold. IAM requires individuals to do their part to mitigate their potential risk. That’s why we believe feedback loops and nudges are one of the IAM best practices for 2023.
A nudge is a subtle intervention or environmental change designed to influence people’s behavior or decision-making. By employing nudge techniques, in addition to enforcing access policies based on risk, security teams can motivate high-risk employees to cultivate better security habits. This ultimately reduces the risk of human-related cyber threats.
Automated ‘nudges’ with helpful tips for improvement can be delivered in Slack, MS Teams, or email to increase security awareness. These personalized touchpoints based on dynamic risk scoring help correct bad behaviors and reinforce good judgment.
“User risk management remains a key area of cyber risk for ransomware, phishing, and lateral attacker movement. By having additional visibility into high-risk users and employees, enterprises can implement another dimension of security controls and tailored security training.”
— Janey Hoe, Vice President, Corporate Development and Investments, Cisco
➡️ Discover how Strengthening Employee Security Habits with Behavioral Science and Nudges is key to smarter IAM.
Final Thoughts
Today’s IAM best practices warrant a proactive approach. The increasing prevalence of breaches involving the human element necessitates a focus on strengthening security at the front line—your people. Following these 4 trends and implementing supportive IAM technology that seamlessly integrates with your current tech stack, will help you administer these IAM best practices effectively.
Don’t wait to take action—book a demo with Elevate Security today and fortify your organization’s defense against cyber threats through smarter IAM. Your security and business productivity depends on it.
