Your employees’ corporate accounts are the doorways into your organization’s data vault, and your employees’ credentials are the keys. Unfortunately, we as a global workforce aren’t very good at keeping those keys safe, and that leaves those doors wide open to attackers trying to access our data.
But just how common are these attacks, and what does that mean for your organization?
We’ve collated the most recent statistics from around the world to help illustrate the threat of credential theft attacks, which target user identities and access methods. These stats come from third-party surveys and reports, and we’ll be updating them as new research emerges to help you stay on top of the latest figures.
The Frequency Of Identity And Access Breaches
45% of data breaches in 2020 involved hacking, and over 80% of those hacking breaches involved brute force or the use of lost or stolen credentials.
According to the Identity Defined Security Alliance (IDSA)’s study Identity Security: A Work in Progress, 94% of organizations have experienced a data breach, and 79% were breached in the last two years.
The high incident rates in recent years could be attributed to a number of factors, including the increasing adoption of cloud technologies and the increase in numbers of remote workers. Digital transformation and the adoption of cloud technologies have enabled organizations to structure themselves more flexibly and productively, but they also make it more difficult for IT teams to keep track of who is accessing what data from where, and on which device.
The increase in remote work, catalyzed greatly by the COVID-19 pandemic, has caused many organizations’ endpoint fleets to become much more diverse, as employees work from laptops, tablets and smartphones. However, remote work is also generally less secure, for three main reasons:
- Organizations that haven’t invested in strong cloud-cybersecurity tools for remote employees (including on personal devices when needed), such as MFA and email security technologies, will be at risk from phishing attacks and password cracking attempts.
- Personal or free public Wi-Fi networks can be hacked and used to install malware on devices that are connected to them without a VPN.
- It’s more difficult to maintain a “security first” mindset at home than in the office. It’s much easier to remember good password practices, for example, when surrounded by colleagues in an established workplace environment than when you’re sat at your kitchen table.
Because of this, personal devices are twice as likely to become infected with malware than their corporate counterparts. But what does that look like in reality?
Well, since COVID-19, credential theft and social engineering or phishing are the most frequent attacks that organizations have found themselves faced with. 60% of mid-sized businesses (250-5,000 employees) that had asked their employees to work remotely experienced a cyberattack in the last year; 56% of those experienced credential theft, and 48% experienced social engineering, such as phishing.
Another study, which included reports from companies with less than 100 employees through to more than 10,000, found that 90% of organizations have experienced a phishing attack since the pandemic struck in 2020, and 29% have experienced credential stuffing and brute force attacks.
However, contrary to what these alarming figures might suggest, identity breaches are not inevitable. 99% of IDSA’s respondents who’d suffered an identity-related breach believe that these types of attack are preventable. Further research shows that 44% of security professionals believe that an identity and access management (IAM) solution will address their current security gaps.
Despite this knowledge, people are clearly still falling victim to identity and access-related attacks. But who are the bad actors’ most common targets, and how are they being breached?
Identity Security Breach Methods
The key detail involved in all identity and access security attacks is the user’s login credentials. According to a recent survey, 8 out of 10 of us find password management difficult. There are a number of reasons for this, including:
- Having to manage too many accounts
- Remembering which password belongs to which account
- Being unable to remember unique passwords to each account
- Finding it difficult to create complex passwords
Because of this, a lot of us are notoriously bad at creating and using strong passwords; in fact, “123456”, “qwerty” and “password1” still consistently top lists of the most commonly used passwords. And unfortunately, the weaker the password, the easier it is to crack.
However, creating a strong password alone isn’t enough: just as important is the secure storage and sharing of your passwords. The culture of sharing passwords freely via messaging apps or email, and without encryption, makes organizations highly susceptible to social engineering attacks.
22% of hacking breaches involve social attacks, and 37% of all breaches involve the use of stolen credentials… But how do attackers steal those credentials?
Well, the two main ways are brute force attacks and social engineering, or phishing, attacks.
Brute Force Attacks
There are a number of variations on brute force attacks, which you can read more about in our guide to preventing password crack attacks but, fundamentally, brute force attacks are when a hacker programs a computer to guess their target’s password. The computer starts with the most common combinations of letters, numbers and symbols and works through all possible combinations systematically, character by character, until it gains access to the account.
As well as being used to target individual accounts, brute force is being increasingly used against Windows systems, as cybercriminals try to crack the username and password for a Remote Desktop Protocol (RDP) connection. RDP is a protocol that enables remote access to Windows machines. Once cracked, the hacker gains access to their target computer on that network. Between March and December 2020, the number of brute force RDP attacks reported was a staggering 3.3 billion. For context, that number within the same period the year before was 969 million.
24% of US security professionals say that their organization has experienced a brute force attack, including password spraying or credential stuffing, in the last two years. According to the same study, 66% have experienced a phishing attack – which brings us onto our next identity breach method, which is generally considered to be the most common.
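The RDP brute force and password spraying patterns described above look different in a Windows Security log: a brute force run hammers one account from one source, while a spray touches many accounts from one source with only one or two guesses each. The following detection logic is an added example, not code from the original article; it assumes a constructed, simplified export of failed-logon events (event ID 4625) in the form "timestamp,event id,account,source ip", and the thresholds are illustrative choices rather than vendor defaults.

```python
"""Flag RDP brute-force and password-spraying patterns in failed-logon records."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = "4625"          # Windows Security event: an account failed to log on
WINDOW = timedelta(minutes=10)
BRUTE_FORCE_MIN = 20           # failures against one account from one source in WINDOW
SPRAY_MIN_ACCOUNTS = 8         # distinct accounts hit from one source ...
SPRAY_MAX_PER_ACCOUNT = 2      # ... with at most this many guesses per account

# Constructed sample data (not real logs): a brute-force run against
# 'administrator' from 203.0.113.5, a one-guess-per-user spray from
# 198.51.100.7, and a normal user typo from 192.0.2.10 followed by success.
SAMPLE_LOG = "\n".join(
    [f"2020-09-01T08:00:{i:02d},4625,administrator,203.0.113.5" for i in range(25)]
    + [f"2020-09-01T08:05:{i:02d},4625,user{i:02d},198.51.100.7" for i in range(10)]
    + ["2020-09-01T08:07:00,4625,alice,192.0.2.10",
       "2020-09-01T08:07:30,4624,alice,192.0.2.10"]
)


def parse_records(text):
    """Return (timestamp, event_id, account, source_ip) tuples, one per line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src = line.split(",")
        records.append((datetime.fromisoformat(ts), event_id, account.lower(), src))
    return records


def _max_in_window(times):
    """Largest number of timestamps that fall inside any WINDOW-long span."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(records):
    """Return alerts as (kind, source_ip, account_or_None, count) tuples."""
    failures = defaultdict(list)       # (source, account) -> failure timestamps
    for ts, event_id, account, src in records:
        if event_id == FAILED_LOGON:
            failures[(src, account)].append(ts)

    alerts = []
    per_source = defaultdict(dict)     # source -> {account: failure count}
    for (src, account), times in failures.items():
        per_source[src][account] = len(times)
        if _max_in_window(times) >= BRUTE_FORCE_MIN:
            alerts.append(("brute_force", src, account, len(times)))

    # Spray check counts accounts with few failures each; it deliberately
    # ignores the time window, since sprays are often slow to evade lockouts.
    for src, accounts in per_source.items():
        low_and_wide = [a for a, n in accounts.items() if n <= SPRAY_MAX_PER_ACCOUNT]
        if len(low_and_wide) >= SPRAY_MIN_ACCOUNTS:
            alerts.append(("password_spray", src, None, len(low_and_wide)))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_records(SAMPLE_LOG)):
        print(alert)
```

Pairing the 4625 failures with a later 4624 success for the same account and source, as in the last two sample lines, is the next check worth adding: a success that follows a flagged run is the signal that the guess landed.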
Social Engineering Attacks
22% of data breaches involve phishing, a type of social engineering attack. Social engineering involves the bad actor contacting their target personally (usually via email, phone or SMS), while posing as a trusted sender. In their message, they ask their victim for sensitive information, such as login credentials, or they encourage them to click on a malicious URL or attachment. Phishing URLs usually take the target to a credential harvesting site, where they’re encouraged to enter their login information under a pretext set up by the hacker. Clicking a phishing attachment usually installs a form of malware on the user’s machine. This is often a botnet or a trojan.
2020 saw a number of breaches that involved botnets and trojans, which are largely distributed via phishing and spam campaigns. While some of these trojans are used to distribute ransomware or malware, others are used to harvest users’ sensitive data, such as their financial information and login credentials.
Trickbot is a particularly infamous banking trojan that, once successfully installed, moves laterally through a network, stealing sensitive information. Trickbot reports were at a high during the first half of the year, with 47% of reported incidents globally taking place in Q1 as hackers capitalized on the uncertainty brought about by the pandemic. However, these numbers dropped hugely during Q3 and Q4 when its operations were disrupted by Microsoft. But the disruption of Trickbot encouraged cybercriminals to turn to other attack methods. Incidents of attack involving Agent Tesla, a trojan known for its credential-stealing capabilities and generally distributed via spam campaigns, increased hugely during the second half of 2020. Q4 saw the highest number of Agent Tesla reports globally, at 46%. Similarly, Q4 accounted for 68% of the global reports of Dridex, a financial trojan that can steal credentials, take screenshots of compromised devices, and perform distributed denial of service (DDoS) attacks.
Who The Victims Are
Remote workers have always been more susceptible to identity and access-based attacks. Unfortunately, the nature of the modern workplace means that more of us than ever before are now potential targets, with two thirds of workers using a personal computer to work from home.
Remote working has increased access to critical business systems by 59% in the last year. On average, organizations today have 51 business-critical applications; over half of these (56%) are accessed via mobile devices.
Despite the risks presented by remote work, a concerning 50% of organizations don’t have a policy on the security requirements for their remote workers. 73% of workers haven’t received any cybersecurity awareness training from their employer since they began working from home. On top of that, only half of companies with BYOD policies also have a policy in place to regulate the use of personal devices, and only a third provide antivirus software for personal devices. A third again do not require their remote workers to use a method of authentication. Of those that do require that their employees use authentication, only 35% require multi-factor authentication (MFA).
But why is this such a problem? Well, remote workers are often less likely to have a “security first” mindset than those working in an office, largely due to their comfortable surroundings. This pain point is particularly concerning when it comes to the lack of good password practice amongst remote employees: two thirds of workers are more likely to write down work-related passwords when working from home than they are while working in the office, and many of those storing their passwords digitally are doing so in an insecure way: 49% save work passwords in the cloud, 51% save them in a document on their computer, and 55% save them on their phone. To gain access to these passwords, an attacker need only breach the cloud storage, computer or cell phone which, without the proper employee training and technical security solutions in place, makes it much easier for them to hack into employee accounts and access sensitive company data.
The second common target area for identity and access-related breaches is privileged accounts. Most organizations order their business systems in tiers according to the severity of the consequences should that system be breached. Privileged accounts provide administrative levels of access to high-tier systems, based on higher levels of permissions. This makes privileged accounts a lucrative target for hackers trying to gain access to critical business data.
Despite the high consequences of a privileged account breach, companies across the globe are not implementing stringent enough security measures to protect them. Only 38% of organizations use MFA to secure their privileged accounts, and 49% of organizations have at least some users with more access privileges than are required for them to do their job.
It comes as little surprise, then, that a quarter of all cybercrime victims in the US and UK have managerial positions or own a business and that 34% of identity-related breaches in the last two years have involved the compromise of privileged user accounts.
At the root of this, the main challenges when it comes to access management are:
- Lack of automation (43%)
- Lack of skilled staff (41%)
- Not utilizing available technologies (33%)
- Password management and authentication (31%)
- Detection and/or mitigation of insider threats (30%)
- Cloud migration (30%)
- Increasing use of mobile devices (30%)
The Impact Of An Identity And Access Breach
The average cost of a data breach is 3.86 million dollars. That average, however, also reflects a widening gap between the cost of a breach for organizations with more advanced security processes in place, such as incident response teams, and those with fewer processes in place. In other words, the cost of a data breach is much lower for those with a formal security architecture, but dangerously high for organizations without the proper protections.
However, financial loss isn’t the only consequence of an identity- or access-related breach. As we discussed above, these breaches often start with credential theft via a phishing attack, and that credential theft has a knock-on effect in terms of data loss. A study by Proofpoint found the following to be the main consequences of successful phishing attacks:
- Lost data (60%)
- Compromised accounts or credentials (52%)
- Ransomware infections (47%)
- Malware infections (29%)
- Financial loss (18%)
As for where that 60% comes from, according to Verizon, the top types of data that are compromised in a phishing attack are:
- Personal data.
- Internal data.
- Medical data.
- Banking data.
Let’s take a step back from social engineering and look at the most vulnerable data when it comes to breaches in general. Customers’ personally identifiable information (PII) is both the most costly type of compromised data, and the most commonly breached. In 2020, 80% of organizations that reported a data breach suffered a loss of PII. Breaches involving PII loss are much more expensive, costing on average four dollars more per stolen record than those which don’t involve PII loss.
Further research, focused on data breaches in the era of remote work, has also found that customer records are considered the most vulnerable type of data, with 55% of organizations showing concern for protecting customer records from cyberattacks. This was followed by financial information (48%), customer credit or debit card information (31%), intellectual property (28%), employee records (21%) and business correspondence (18%).
The same research found that 41% of organizations that require employees to work remotely suffered an attack compromising employee passwords in 2020. Each of these attacks has an average cost of $267,408.
Current Identity And Access Trends
For a number of reasons, the rapid shift to remote work catalyzed by COVID-19 led to a huge surge in cyberattacks, and credential theft attacks are no exception to this. In fact, since the start of the pandemic, credential theft attacks have risen by 55%.
This means that organizations are becoming more aware of the problem, and looking to invest in identity and access management (IAM) solutions. According to a survey by Cybersecurity Insiders, when looking to invest in an IAM solution, organizations prioritize ease of integration (72%), followed by end user experience (62%), and product performance and effectiveness (61%). Further features that security teams look for include:
- Ease of administration (59%)
- Product features/functionality (57%)
- Cost (57%)
- Vendor support (55%)
Security awareness training has been another area for investment in the past year; by the end of March 2020, 73% of organizations had given their employees extra training on how to be “cyber-safe” when working remotely, with specific training targeting password and credential verification.
How Can You Protect Your Business Against Identity Threats?
There isn’t a single silver bullet solution to cybersecurity: in order to protect your corporate, employee and customer data, you need to implement a stack of both human-focussed solutions, such as awareness training, which address the problem at an employee level, and technical solutions.
Here are some of the best methods by which you can protect your data:
Create And Enforce A Strong Password Policy
A password policy is a set of rules that aim to improve your company’s security by encouraging the creation of strong passwords, and the secure use, storage and sharing of those passwords. Creating a password policy is relatively easy, and costs nothing. For more information on what rules to include, take a look at our guide to creating a secure password policy.
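One rule that belongs in any password policy is rejecting the commonly used passwords named earlier (“123456”, “qwerty”, “password1”), including the trivial variants attackers’ wordlist rules generate from them (capitalization, letter-for-symbol substitutions, appended digits). The checker below is an added example, not code from the original article; its deny-list holds only the three passwords the article names, and a real deployment would load a full breached-password list.

```python
"""Password policy check: minimum length plus a deny-list that catches variants."""
import re

MIN_LENGTH = 12
# Constructed deny-list: the three passwords the article names. A real policy
# would load a full list of breached or commonly used passwords here.
COMMON_PASSWORDS = {"123456", "qwerty", "password1"}

# Undo the substitutions cracking wordlist rules apply ("p@ssw0rd" -> "password").
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def normalize(password):
    """Reduce a candidate to the base word it was built from: lower-case it,
    drop trailing digits/symbols, then undo letter-for-symbol substitutions.
    Purely numeric passwords have no base word and are kept as-is."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(LEET) if base else password.lower()


COMMON_BASES = {normalize(p) for p in COMMON_PASSWORDS}


def check_password(password):
    """Return the list of policy rules the password breaks (empty means accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(password) in COMMON_BASES:
        problems.append("variant of a commonly used password")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!2020", "Qwerty!!", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate) or "accepted")
```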
Use A Password Manager
Password management solutions store each employee’s passwords in a personal, encrypted vault that they access via a single master password. From within the vault, employees can safely access the credentials to all of their corporate accounts, share passwords, and update weak or compromised passwords.
Password managers also feature password generation tools, which enable employees to create unique, random passwords without having to remember them.
They enable employees to access their accounts easily and securely, and they enable security teams to keep tabs on their organizations’ password health.
Enforce Multi-Factor Authentication (MFA)
Multi-factor authentication is a user verification method that requires each user to prove their identity in two or more ways before they’re granted access to an application, system or network. With MFA implemented, a hacker can’t access an employee’s account, even if they manage to steal or crack that employee’s password.
91% of organizations say that passwordless MFA is important in order to stop credential theft and phishing attacks, making attack prevention the primary reason that people use passwordless MFA. Interestingly, this is followed by user experience, which 64% of organizations named as being a reason that passwordless MFA is important. Usability is often said to take a back seat when it comes to security, but the majority of respondents in this survey prioritized a user-friendly interface. This could be due to the fact that a solution that’s easier to use will reduce help desk tickets and free up IT and security resources. Other reasons given for the importance of passwordless MFA include achieving digital transformation (21%) and saving costs (14%).
Enforcing MFA involves ensuring that employees using BYOD devices have enabled their devices’ basic security features, such as a PIN or a fingerprint scan.
Invest In Privileged Access Management (PAM)
Privileged access management solutions enable organizations to monitor and control the access and activity of their privileged users. This includes who has access to which accounts, as well as what users are allowed to do once logged in. PAM keeps privileged accounts secure by ensuring that only the correct, and verified, users can access accounts based on their roles and responsibilities.
As we discussed above, privileged accounts are one of the most lucrative targets for hackers, thus the most commonly targeted of employee accounts. It’s crucial that you keep these accounts secure.
Install Endpoint Security On Employee Devices
Endpoint security solutions use a combination of firewalls, anti-malware and device management tools to protect your network against malware and viruses that could be used to harvest your employees’ credentials.
These solutions cover all of the endpoints connected to your network, including servers, PCs, mobile devices and IoT devices, and admins can manage the solution centrally, making it easy for them to identify and monitor the health and risk level of all devices connected to the network at once.
Endpoint security solutions tend to be designed for larger organizations and those with a number of remote or BYOD endpoints; if you’re an SMB that doesn’t have a complex network architecture, and you’re looking for a product that will protect your endpoints against viruses and malware, you should look at investing in an antivirus software solution.
Train Your Employees
Only 34% of organizations with a “forward-thinking” security culture have had an identity-related breach in the past year. One of the best ways to cultivate a culture of security is by teaching your employees how to be vigilant and preparing them to identify and respond to threats.
Security awareness training solutions combine engaging training materials with active attack simulation campaigns in order to transform your employees from potential weak links into a robust line of defence against cyberattacks. The majority of these solutions focus specifically on phishing awareness training, but some also include modules on a wider range of security topics, such as how to work from home safely.
71% of organizations that have suffered a data breach in the past year say that better security awareness training for users could have prevented the breach. Take steps to become proactive in your security implementation, rather than reactive like that 71%.
Invest In A Secure Email Gateway (SEG)
Secure email gateways protect your employees against phishing attacks by monitoring their inbound and outbound emails and scanning them for threats. The SEG blocks or quarantines any suspicious communications, so that they’re never delivered to their intended victims.
Email gateway solutions also expose account compromise, helping you to identify and prevent business email compromise (BEC) attacks, which attackers can use to steal credentials by posing as a company insider.
Want to find out more about how you can protect your data against identity and access threats? Check out our buyers’ guide to the top identity and access management solutions that will help you defend against credential theft.