
Immature Identity and Access Management programmes leave companies vulnerable to identity-related security incidents

Ponemon Institute finds only 16% of enterprises have fully mature programmes; 56% average three identity-related data breaches in last two years

Saviynt, a leading provider of intelligent identity governance solutions, and Ponemon Institute today released the inaugural State of Enterprise Identity research report. The findings emphasise the modern identity security challenges that enterprises face in the digital era, and underscore the importance of comprehensive Identity and Access Management (IAM) strategies to dramatically reduce security risks that often lead to costly data breaches, cyber attacks, and regulatory compliance missteps.

According to research findings, only 16% of respondents (and just 15% of EMEA-based respondents) have a fully mature IAM strategy in place, which is characterised by fully operating programmes, skilled workers, and C-level and board executive awareness. The remainder are currently dealing with inadequate budgets, programmes stuck in a planning phase, and a lack of senior-level awareness.

As IAM programmes fail to get off the ground, the number of digital identities continues to skyrocket, creating complex enterprise environments that require new strategies, investments, and technology to close security gaps. In fact, over the past two years, more than half (56%) of respondents claim their business had an average of three data breaches or other access-related security incidents. Further, 52% of these respondents claim the breach was due to lack of comprehensive identity controls or policies.

“We’ve found that most enterprise IAM programmes have not achieved maturity, leaving companies struggling to reduce identity and access related risks,” said Jeff Margolies, Chief Strategy Officer, Saviynt. “Our research findings should serve as a wake-up call to C-level executives and security leaders: the absence of a modern IAM programme fuels the risk of rising identity and access-related attacks, and their financial consequences.”

Limited visibility and inadequate controls have become the new normal

Enterprise-wide visibility is critical to reducing risks in privileged user access, yet today’s complex enterprise ecosystems only impede transparency. According to findings, only 35% of respondents are confident that they can determine whether privileged users are compliant with policies. That same percentage (35%) have high confidence in the effectiveness of current security controls preventing internal threats involving the use of privileged credentials. The number one reason for the lack of confidence in achieving visibility of privileged user access, cited by 61% of respondents, is that they cannot keep up with the changes occurring to their IT resources.

Beyond the lack of confidence in user access controls, there are compliance and regulation issues to address. Data shows that 46% of respondents (and 43% of those in EMEA) say their business failed to comply with regulations because of access-related issues. Beyond lawsuits and fines, many victims have suffered from loss of revenue, customers, and reputation, but almost two-thirds of respondents (64%) say downtime was the biggest consequence of compliance failures.

“While these numbers certainly raise concerns, our research also shows that many organisations are recognising the benefits of a converged identity platform, which combines multiple identity management capabilities into a single cloud solution to unify controls, improve visibility, and reduce risk. In fact, 71% of respondents are actively considering, or plan to adopt, converged identity governance & administration (IGA) and privileged access management (PAM) solutions to reduce costs and provide frictionless access to enterprise resources,” continued Margolies.

**Additional key report findings:**

**EMEA organisations behind the curve on IAM**

- EMEA organisations are slightly behind their US counterparts; only 15% describe their approach to IAM as mature
- 42% of EMEA respondents admitted inadequate ID controls and policies had caused compliance failures
- Compared to US organisations, EMEA-based companies are less likely to face lawsuits (19% vs 36%) or regulatory fines (23% vs 32%) as a result of non-compliance, but they are more likely to lose customers (54% vs 45%)

**Automation can ease the identity management burden**

- 56% claimed that granting and enforcing privileged user access rights required too much staff to monitor and control
- 51% are unable to keep pace with the number of access change requests

**The power of the cloud (and IAM)**

- 52% say their organisations’ cloud transformation programme is already integrated with their IAM strategy
- 51% have seen an improvement in their IAM effectiveness

**Remote & hybrid workers still present security risks**

- Only 28% of respondents say their organisations are determining if remote workers are securely accessing the network
- 37% report the number one step to secure the hybrid, remote workforce is screening new employees

The study was conducted by Ponemon Institute on behalf of Saviynt and includes responses from more than 1,000 IT and IT security practitioners in the United States (627) and EMEA (416). These participants are knowledgeable about their organisations’ programmes and solutions used to mitigate cybersecurity, identity & access and compliance risks.

This was posted in Bdaily's Members' News section by P Adams.