Business leaders across every industry are bracing themselves for a tough year ahead.
The economic outlook is challenging and many organisations are having to make tough decisions to bolster corporate resilience for the short and long term future.
Unfortunately, this often means making layoffs and losing valued team members. This is never an easy thing for a business to do, but for many employers it has already proved necessary. More than 79,000 workers in the UK were made redundant in the three months to October 2022.
With more layoffs likely in 2023, alongside company restructuring, market consolidation and increased employee churn, it is vitally important that organisations are alert to the data security risks that these periods of rapid change can bring.
Identity siloes and entitlement creep are latent security threats
IT and security teams have a daunting task to keep employee and customer data safe in a fast changing environment and, as is often the case within the modern enterprise, digital identity is central to this challenge.
The average tenure of a UK employee is nine years according to the CIPD. During their employment, a worker will gradually accumulate permissions and access to many different systems, tools and resources, as their roles and responsibilities evolve. Security and IT teams, often stretched and overwhelmed, have to handle access requests, approvals and certification reviews manually, making it all too easy to forget to remove some or all access from a previous role.
The presence of identity siloes within organisations adds to the complexity. An identity silo occurs when a department or business unit deploys and grants access to their own applications or systems, outside the control of the IT team. This is typically done with good intentions, perhaps to facilitate a digital transformation project or to avoid delays to work. However, this kind of shadow IT is another latent threat for businesses as it means that the IT team has no single view of their workforce’s digital identities and the access that each individual might have to sensitive applications or information.
Combined, entitlement creep and identity siloes sharply increase the likelihood and impact of insider attacks. It is no surprise that nearly 50% of identity governance and administration (IGA) deployments, which enable companies to give the right people the right access to the right resources, are in ‘distress’ according to Gartner, due to the sheer complexity and volume of workforce upheaval.
Just as a cyberattacker uses compromised consumer credentials to stuff and hijack other accounts, a malicious actor can do the same with workforce credentials, and every unnecessary entitlement that credential carries increases the risk of a company-wide breach. This is always a risk, but when major changes are being made to the workforce it can quickly become a critical vulnerability.
This threat can take different forms too. For example, when an employee moves to a different organisation but still holds access that IT is unaware of, the user retains those overlooked or orphaned accounts and can use the confidential information behind them however they want.
Either way, if an employee’s workforce credentials are compromised, it’s all too easy for malware to make its way into an organisation’s network and spread, putting the whole organisation and its customers at risk.
With nearly 50% of data breaches being caused by unauthorised access according to ForgeRock’s Consumer Identity Breach Report, unchecked entitlement creep could lead to a catastrophic data breach and all the negative consequences that entails: legal, financial and reputational. In a fraught economic environment, it is a risk that businesses can ill afford to take.
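The two latent threats above, entitlement creep and orphaned accounts in siloed applications, can be surfaced with a simple reconciliation of the HR directory against each application's own account export. The following is an added example, not code from the article or from ForgeRock; the user names, role baselines and application data are constructed, and the role-to-entitlement baselines are a hypothetical policy.

```python
# Constructed sample data (not from the article). The HR directory is the
# authoritative source of who is employed and in which role.
HR_DIRECTORY = {
    "alice": {"status": "active", "role": "finance-analyst"},  # moved from engineering
    "bob":   {"status": "active", "role": "engineer"},
    "carol": {"status": "leaver", "role": "engineer"},         # left the company
}

# Hypothetical policy: the entitlements each current role justifies.
ROLE_BASELINE = {
    "finance-analyst": {"erp:read", "expenses:approve"},
    "engineer": {"git:write", "ci:run"},
}

# Per-application account exports. "payroll" was deployed by a business unit
# outside central IT (an identity silo), so IT had no view of it until exported.
APP_ACCOUNTS = {
    "erp": {"alice": {"erp:read", "erp:admin"}, "carol": {"erp:read"}},
    "git": {"alice": {"git:write"}, "bob": {"git:write"}, "carol": {"git:write"}},
    "payroll": {"bob": {"payroll:view"}},
}


def review_access(hr, baselines, apps):
    """Reconcile application accounts against HR.

    Returns (orphaned, excess):
      orphaned: (app, user) accounts with no active HR record, e.g. leavers.
      excess:   (app, user, entitlement) held by an active user but not
                justified by their current role, i.e. entitlement creep.
    """
    orphaned, excess = [], []
    for app, accounts in apps.items():
        for user, entitlements in accounts.items():
            record = hr.get(user)
            if record is None or record["status"] != "active":
                orphaned.append((app, user))
                continue
            allowed = baselines.get(record["role"], set())
            for ent in sorted(entitlements - allowed):
                excess.append((app, user, ent))
    return sorted(orphaned), sorted(excess)


if __name__ == "__main__":
    orphaned, excess = review_access(HR_DIRECTORY, ROLE_BASELINE, APP_ACCOUNTS)
    print("Orphaned accounts to disable:", orphaned)
    print("Entitlements to recertify or revoke:", excess)
```

In this sample, carol's accounts survive her departure in two applications, alice still carries `git:write` from her previous engineering role plus an `erp:admin` grant her current role does not justify, and bob's `payroll:view` only becomes visible once the siloed application is brought into the review.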
Using AI to improve identity governance and empower IT
Taking the above into account, businesses face a conundrum: how can they balance requests for immediate application access while reducing the risk of entitlement creep and insider threats associated with this process?
Too often, existing identity governance solutions fail on both counts because they rely on static data. This means that, as role profiles and entitlements change over time, these solutions do not keep access permissions up to date.
The key to walking back entitlement creep is to remove the burden placed on IT teams and make use of AI-driven and cloud-based solutions that can automatically and continuously govern access quickly, reliably and at scale.
By automating tasks such as access requests and certifications, companies can reduce the burden these processes put on their security and IT teams, increasing security while also delivering a better service for employees and unlocking meaningful time and cost savings.
By collecting and analysing identity data, AI-driven identity governance solutions can also give IT teams an enterprise-wide view of who has access to what and why, thereby eliminating the blind spots that allow identity siloes to develop and persist.
The time is now to take identity governance seriously
As businesses plan for the choppy economic waters that lie ahead, it seems certain that layoffs, restructuring and employee churn will continue to be high on the agenda in most boardrooms.
At times like this, it is easy to overlook the impact these changes can have on data security, but entitlement creep and identity siloes are major threats that will only be exacerbated by a reliance on inefficient, manual processes for managing employee access. The solutions to these challenges do exist, but businesses have to act now to eliminate these vulnerabilities.
About the Author
Peter Baker is Chief Product Officer at ForgeRock. ForgeRock®, the leader in digital identity, delivers modern and comprehensive Identity and Access Management solutions for consumers, employees and things to simply and safely access the connected world. Using ForgeRock, more than a thousand global customer organizations orchestrate, manage, and secure the complete lifecycle of identities, from dynamic access controls, governance, APIs, and storing authoritative data, consumable in any cloud or hybrid environment. The company is public, and headquartered in San Francisco, California, with offices around the world.
Featured image: Andrii Yalanskyi