81% of passwords are hacked: Time to step up the authentication game
81% of data breaches are due to poor credential management and hacked passwords, in a case of what Centrify is dubbing 'deja vu'.
Citing statistics from Verizon's 2017 Data Breach Investigations report, hacked passwords have jumped from 50% to 81% in the last three years.
For Centrify's senior director of APAC sales Niall King, it's a case of deja vu - and security is still not working.
“For years, we've seen compromised credentials as a primary cause of data breaches,” he said.
“Cyber criminals find the path of least resistance to their target and today that path leads straight from users with self-managed ‘simple factor' passwords. Since most recent breaches leveraged privileged credentials to gain access to the organisation, securing privileged access in today's hybrid enterprise is mandatory in achieving a mature risk posture. Passwords alone are not enough," he explains.
He believes that a new approach is needed to password security that brings together identity brokering, multi-factor authentication enforcement and just-in-time privilege.
“While most privilege solutions traditionally vaulted the credentials for shared accounts on-premises, password vaults alone do not provide the level of privileged access security required to stop the breach. Organisations need is a truly integrated solution that combines password vaulting with brokering of identities, MFA enforcement and just-enough and just-in-time privilege, that secures remote access and monitors all privileged sessions.
The company has been pursuing this strategy, with a heavy concentration on risk-based multi-factor authentication for enterprise users.
The company has also embraced machine learning as part of its behaviour profiling technology.
"An office worker who follows a set routine by typically logging in from a known device is identified as low risk, allowing immediate access to resources without extra authentication. However, logins from another country, after hours or from an unfamiliar device is flagged as a high risk, so would be blocked or at least required to provide extra authentication factors," the company says in a statement.
King believes that better authentication is far more efficient that password-only security.
“Reducing the friction for users through more choices in authentication factors, fewer prompts and a more consistent user experience, will go a long way toward reducing reliance on passwords alone. The bottom line is that moving beyond password-only security pays off," he concludes.