Organizations woefully underprepared for identity surface threats, survey finds

It’s not a secret identity if it’s exposed—and that’s just what’s happening to organizations across the globe.

A Sept. 6 report from Silverfort—titled “The State of Identity Security: Insights into Critical Protection Gaps”—found the identity attack surface has weaknesses, and organizations are failing to take proper action to address threats before it’s too late.

The identity attack surface is opening avenues of exploitation for threat actors, and they’re taking advantage of it: The study found that 83.2% of respondents reported that compromised credentials had been used to access their systems, and nearly one-half of the attacks happened in the last 12 months.

Security maturity levels play a role in assessing how prepared an organization is for attacks, and Silverfort’s analysis indicates that 41% are in the “opportunistic” second level, where security is more reactive; 26% were in the third tier, “identified and defined,” showing that their systems have medium confidence to stop attacks. Only 6% of respondents were on the fourth level, “disciplined and implemented;” conversely, 27% of respondents were on the first and lowest level, “chaotic,” showing there’s a lot of work yet to be done.

Silverfort found that organizations lack security in their service accounts—accounts used by systems to interact with other systems—with only 5.7% of those polled reporting they have full visibility. This lack of access to these important accounts means that 78% of organizations can’t stop malicious use of the accounts while it’s happening—a major security flaw.

But even the solutions at hand are running up against internal challenges. Multifactor authentication, as IT Brew previously reported, is fast becoming an essential part of the cybersecurity landscape across all levels of organizations. Yet Silverfort found that 65.4% of organizations have not sufficiently implemented the login process.

The researchers polled 637 IT professionals in identity roles at organizations with more than 1,000 employees in May and June 2023.

About a third of respondents represented each of three main roles: identity architect; identity infrastructure manager; and IAM manager, director, or head. A little over half were from the US, and most others were from Germany, France, the UK, and Australia. Singapore had the smallest number of respondents in the survey.