Identity Governance Blog

October is Cybersecurity Awareness Month: Do You Support Effective Identity Governance?

During Cybersecurity Awareness Month, ensure you make your identities and those of your business, your friends, and your family harder targets for hackers.

Since 2004, the US government has recognized October as Cybersecurity Awareness Month and encouraged the public and private sectors to dedicate time to collaborate to evangelize the importance of cybersecurity. As a market-leading provider of solutions for identity management and access governance, Omada takes cybersecurity awareness very seriously. In this post, we’ll highlight the importance of effective identity governance in a comprehensive security strategy and give you tips on what you can do – both as a business leader and a user of information technology – to make your business, your customers, and yourself harder targets for hackers attempting to steal your identity.


Identity Governance and Administration awareness is foundational for cybersecurity

Identity Governance and Administration (IGA) plays a crucial role in an overall cybersecurity strategy by ensuring that the right individuals have access to the right resources at the right times for the right reasons. Very often, security breaches are the direct result of unauthorized individuals having inappropriate access to sensitive or proprietary resources for nefarious purposes. Some cybercriminals simply want to create headaches; for example, a “script kiddie” running someone else’s tools to cause chaos for fun. Others break into IT architectures to exfiltrate data about you, your colleagues, and your customers so they can sell it to identity thieves or use it to extort enterprises. Many of the techniques used to breach security systems are astonishingly simple, while others are deviously complex. Some hackers are lone wolves operating out of their homes, while others are well funded by nation-state sponsors and supported by IT experts. These malicious hackers have a targeted mission to find secrets about a foreign country or to sell identities to further fund their efforts. In all cases, there are two conventional truths about cybersecurity: hackers will never stop trying to break in to steal your data, and there is no silver bullet to stop them. Clearly, protecting identities is an ongoing challenge, but there are actions you can take to decrease the chances that you and your business will be compromised.


Get a handle on access control and drive better identity governance across the enterprise

Effective access control is fundamental to minimizing the risk of data breaches and unauthorized access in any enterprise. Your IGA system must manage user identities and access rights in a way that ensures only authorized personnel can access sensitive information and systems. For most enterprises, this means eliminating over-permissioned access to sensitive data and applications. Findings from Omada’s The State of Identity Governance 2024 show over 95 percent of senior IT and security leaders report grave concerns about identity-related threats, possibly due to over-permissioned access to systems and applications. In fact, 72 percent of respondents agreed that users have unnecessary access and overly permissive accounts. This data suggests there is work to be done on this front.


Zero-Trust “next levels” identity governance for the enterprise

Zero-Trust is a security model based on the principle of maintaining strict access controls and not trusting anyone by default, even those already inside the network perimeter. Consequently, it is an approach that is set to “deny” and that sees everything and everyone as a potential threat. Most enterprises want to create a mature Zero-Trust model but are far from making it happen. Statista reports that 97 percent of companies claimed to have Zero-Trust security initiatives in 2022. However, one leading analyst firm reports that just one percent of companies currently have cybersecurity programs that operate on the assumption that threats may already exist within their networks and that both external and internal actors could potentially be malicious. Their systems do not automatically default to deny for every account, device, or application. They do not enforce strict privileged access controls and continuous verification of identities and devices, regardless of their location within or outside the network. In other words, they are not mature enough to meet the definition of Zero-Trust.

As enterprises move more data and resources to cloud-hosted environments, preventing bad actors from accessing sensitive information is more critical than ever. A Zero-Trust authentication and access-policy enforcement framework is fundamentally different from what most enterprises feature in their architecture. Zero-Trust requires centralized policy management and auditing with decentralized enforcement. A recent Forrester report asserts that enterprises must acknowledge the Zero-Trust model cannot reach maturity without integrated governance, identity management, self-service, authentication, and authorization policy management and enforcement. Creating a mature Zero-Trust model is the best defense against security breaches in any enterprise.
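To make the two ideas above concrete, namely a policy that starts from “deny” and only grants access after identity, device and entitlement are all verified, and an access review that flags the over-permissioned accounts discussed in the access-control section, here is an added example written for this post. It is not Omada’s product code; the entitlements, role baselines, user names and the eight-hour MFA re-verification limit are all constructed sample values.

```python
"""Default-deny, identity-centric access policy evaluator (added illustration, not Omada code).
Policy data is managed centrally; evaluate() is what each enforcement point would call."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# --- centrally managed policy data (constructed sample values) ---
# Who may do what: (resource, action) pairs per identity.
ENTITLEMENTS = {
    "alice": {("payroll-db", "read")},
    "bob": {("payroll-db", "read"), ("payroll-db", "write")},
}
# Role baselines used for access reviews: what a role *should* hold.
ROLE_BASELINE = {"payroll-analyst": {("payroll-db", "read")}}
USER_ROLES = {"alice": "payroll-analyst", "bob": "payroll-analyst"}
# How recently the identity must have been re-verified with MFA (assumed limit).
MFA_MAX_AGE = timedelta(hours=8)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    action: str
    device_compliant: bool             # posture result from device management
    mfa_verified_at: Optional[datetime]
    network: str                       # "corp" or "internet"; recorded, never trusted


def evaluate(req: AccessRequest, now: datetime) -> tuple:
    """Return (allowed, reason). The default outcome is deny; every check must pass."""
    if req.user not in ENTITLEMENTS:
        return False, "deny: unknown identity"
    if req.mfa_verified_at is None or now - req.mfa_verified_at > MFA_MAX_AGE:
        return False, "deny: identity not recently verified (MFA required)"
    if not req.device_compliant:
        return False, "deny: device not compliant"
    if (req.resource, req.action) not in ENTITLEMENTS[req.user]:
        return False, "deny: no entitlement for this resource/action"
    # req.network was never consulted: being on the corporate network grants
    # nothing. That is the "no implicit trust" part of Zero-Trust.
    return True, "allow: identity, device and entitlement verified"


def over_permissioned(user: str) -> set:
    """Entitlements a user holds beyond their role baseline: access-review candidates."""
    baseline = ROLE_BASELINE.get(USER_ROLES.get(user, ""), set())
    return ENTITLEMENTS.get(user, set()) - baseline


def demo() -> dict:
    """Evaluate a few constructed requests and return name -> allowed decision."""
    now = datetime(2024, 10, 1, 12, 0, tzinfo=timezone.utc)
    fresh = now - timedelta(minutes=30)   # MFA done half an hour ago
    stale = now - timedelta(hours=9)      # MFA older than MFA_MAX_AGE
    cases = {
        "alice_read_ok": AccessRequest("alice", "payroll-db", "read", True, fresh, "internet"),
        "alice_write_no_entitlement": AccessRequest("alice", "payroll-db", "write", True, fresh, "corp"),
        "bob_stale_mfa": AccessRequest("bob", "payroll-db", "write", True, stale, "corp"),
        "bob_noncompliant_device": AccessRequest("bob", "payroll-db", "read", False, fresh, "corp"),
        "unknown_user": AccessRequest("mallory", "payroll-db", "read", True, fresh, "corp"),
    }
    return {name: evaluate(req, now)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:28s} -> {'ALLOW' if allowed else 'DENY'}")
    print("bob holds beyond role baseline:", over_permissioned("bob"))
```

Note that the request coming from the corporate network (`"corp"`) never helps it: alice is allowed from the internet with a fresh MFA and compliant device, while bob is denied from inside the network the moment his verification is stale or his device is out of compliance. The `over_permissioned()` check is the governance half: it reports bob’s write access as something a reviewer should confirm or revoke.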


What individual users can do to keep their identities secure

Virtually all of us use dozens of IT systems in our professional and personal lives. We hope that the organizations with which we do business are implementing best practices to protect our identities and sensitive information. That said, this must not stop us from using individual best practices to keep our data safe. Here are some actions you can take to protect yourself and others:

Use strong passwords

A survey conducted by NordPass in 2024 revealed a rapid growth in password usage for personal purposes, with an increase of nearly 70 percent in just over three years. Today, the average person uses 168 passwords. Most people believe that using simple passwords (e.g., abc123) or common identifying information like birthdays and pet names is sufficient. This is, in fact, like locking the door but leaving the key in the lock. It does little to protect your data and personally identifiable information.

It is critical to create unique strong passwords for all of your accounts. Using a “password manager” to create and store strong passwords is one of the easiest ways to protect yourself from hackers attempting to gain access to your accounts and stealing sensitive information, data, money or identities.

Don’t ask, don’t tell (your login credentials)

When you share login credentials, you run an unnecessary risk of identity theft. Once you pass that information to another person, you have no idea how and when it can be accessed. Most responsible organizations train new employees to never share this information because of the exposure it creates, and you must never share personal login credentials, either.

Enable multi-factor authentication

Multi-factor authentication (MFA) is a method of confirming a user’s claimed identity in which the user is granted access only after successfully presenting two or more pieces of evidence (for example, a one-time code delivered by SMS or email, or generated by an authenticator app) to an authentication mechanism.

Recent studies report that automated attacks fail when MFA is in place, and the cost for attackers rises exponentially as barriers intensify. Google reported: “Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation.”

If a service provider supports multi-factor authentication you should use it, even if the secondary authentication is as simple as SMS-based one-time passwords.
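The authenticator-app option mentioned above is usually TOTP (RFC 6238): the app and the service share a secret seed, and both derive a short code from it and the current time, so the code proves possession of the device without any message being sent. As an added example, not code from the post, here is a minimal server-side generator and verifier. The secret and expected codes are the published RFC 4226/6238 test vectors; the `TotpVerifier` class, its one-step drift window and its replay guard are this example’s own assumptions about how a server should track per-user state.

```python
"""Server-side TOTP (RFC 6238) generation and verification, an added example
of how an authenticator-app second factor is checked. Not code from the post."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

DIGITS = 6
STEP = 30  # seconds per time step

# Published RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(key, at // step, digits)


def new_secret() -> str:
    """Fresh 160-bit seed, base32-encoded as authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


class TotpVerifier:
    """Per-user verifier: tolerates clock drift of +/- window steps and refuses
    to accept any code for a time step at or before one already consumed."""

    def __init__(self, key: bytes, window: int = 1):
        self.key = key
        self.window = window
        self.last_counter = -1  # highest time step for which a code was accepted

    def verify(self, submitted: str, at: int) -> bool:
        if not (submitted.isdigit() and len(submitted) == DIGITS):
            return False
        base = at // STEP
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue  # replay, or older than a code already accepted
            # Constant-time comparison so timing does not leak matching digits.
            if hmac.compare_digest(hotp(self.key, counter), submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    seed = new_secret()
    key = base64.b32decode(seed)
    now = int(time.time())
    print("enrol this seed in the app:", seed)
    print("current code:", totp(key, now))
    v = TotpVerifier(key)
    print("first use accepted:", v.verify(totp(key, now), now))
    print("same code again:", v.verify(totp(key, now), now))  # replay -> False
```

The replay guard matters because a code remains valid for the whole 30-second step plus the drift window; without `last_counter`, anyone who saw a code being typed could reuse it in that interval. SMS and email codes are weaker than this scheme for a different reason: the secret leaves the device over a channel the attacker may be able to intercept, which is why the post still recommends them only as a fallback when nothing better is offered.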

Engage in identity security “wellness checks”

Fast-moving advances in digitization to drive essential business processes have left many people in our personal lives behind the awareness curve when it comes to protecting personal identities. Check in with friends and family that you suspect may be at risk of inadvertently providing login credentials to sensitive accounts. Explain how phishing works and what the hallmarks of a phishing attack are. Help them find and use a password manager, and explain how MFA works and why it is important. Most importantly, stress that effective cybersecurity depends on questioning abnormal activity, and that stopping to check before passing along information is always the best practice.


Where to go for more help

Visit cisa.gov to find out more about the enduring theme of Cybersecurity Awareness Month “Secure Our World” and learn simple ways to protect yourself, your family and your business from online threats.

Learn more about implementing a modern IGA for your enterprise from Omada.

