
The biggest loss of data control

by Mark Rowe

It’s September 1, 2022, and Jay is starting at his new job. On his first day, his employer asks him to get his own keys cut to access the company building and his offices, writes Julia O’Toole, pictured, CEO of MyCena Security Solutions, an encrypted access management product company.

Jay walks out wondering what is happening. How will his new employer know how many keys he is getting cut, which doors he is getting keys cut for, or if he is going to hand them out to all his family and friends? He won’t. But, Jay is free to do whatever he wants. Of course, this scenario sounds ridiculous and unlikely to ever happen.

Yet it does happen, every single day, within enterprises. That scenario actually sits at the heart of the biggest loss of data control in modern history.

Every time an employee creates a password in the digital world, the enterprise loses control over its network access and data. Hence letting employees make their own digital passkeys across the whole IT infrastructure results in a complete loss of enterprise access control, with no visibility when those credentials are shared, stolen, sold, written down or phished.

The bad news is cybercriminals are taking advantage of this loss of access control, with data from the 2022 Verizon Data Breach Investigations Report revealing that compromised credentials play a part in over 82 percent of breaches.

You can die trying to solve the wrong problem

A lot of those breaches would be completely avoidable if only organisations had better control over their network access. Unfortunately, for years, organisations were looking at the wrong problem. For them, employees were responsible for the company’s security. So, they spent money training employees on how to make strong passwords and avoid getting phished, rather than take back control of their own access by not letting employees make their own passwords.

Then to counter the risks of employees forgetting and reusing passwords, organisations turned to single access solutions to remove access security layers for anyone who passed the first door and offer a seamless user experience. What they didn’t realise is that while this removed cumbersome security checks, it also offered attackers a faster track to the crown jewels. Through the use of one set of valid credentials, attackers could now move laterally inside the network, collect confidential information, escalate privileges to find the keys to the kingdom and take control of the network.

From there, attackers can either steal the data and sell it on the dark web, extort money from the organisation in exchange for not publishing their data, encrypt their files and ask for a ransom to decrypt, or use a combination of the three. Following the current trajectory, the fundamental flaws of this “cybersecurity” construction threaten not only organisations’ own survival, but also their supply chains’.

So, just what is the solution?

How to regain access control: Encrypt and segment access at the same time

In reality, solving credential-related security breaches comes down to organisations regaining control over their networks, with the responsibility for access control removed from users and handed back to the enterprise.

One of the easiest ways to do this in the digital world is access encryption and segmentation: companies automatically generate and distribute encrypted access credentials to employees inside a digital fortress that only the right user can open. Because the credentials are encrypted, employees never know their passwords. Rather than all sitting at one level, the credentials are stored at different levels according to the sensitivity of each account, while still giving employees access to everything they need. This offers seamless employee access alongside major improvements in security.

Employees not knowing their passwords means they cannot give out their logins and passwords during phishing attacks. Because the passwords are generated by the enterprise rather than by people, they can also be as long as needed, and an organisation can issue as many passkeys as it has digital doors, effectively re-establishing access segmentation.

With every access point having different credentials, even if an attacker did manage to get access to a network, they could not travel as every doorway is independently locked and encrypted. This defence-in-layers approach prevents criminals from using lateral movement and privilege escalation to take over a network after an initial breach.
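To make the segmentation argument concrete, here is a small model, added as an illustration and not MyCena's or the author's code, of centrally issued per-door credentials compared with one credential reused across every door. It assumes a constructed network of four doors with sensitivity tiers and a sample employee; doors keep only a slow hash of each credential, and the encrypted-vault layer that hides the credential from the employee is left out.

```python
"""
Added illustration (not MyCena's code): a minimal model of centrally issued,
per-door credentials versus one reused credential, and the lateral-movement
reach of a single stolen credential under each policy.
All door names, employees and tiers are constructed sample data.
"""
import hashlib
import hmac
import secrets

# Constructed sample network: door name -> sensitivity tier, which decides
# the vault level the credential is stored in.
DOORS = {
    "email": "low",
    "hr-portal": "medium",
    "finance-db": "high",
    "domain-admin": "high",
}


def _verifier(credential: str, salt: bytes) -> bytes:
    # Doors store only a slow hash of the credential, never the credential itself.
    return hashlib.scrypt(credential.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


class AccessIssuer:
    """Central issuer: the enterprise, not the employee, generates every credential."""

    def __init__(self, doors: dict):
        self.doors = doors
        # door -> employee -> (salt, verifier): what each door keeps to check a login
        self.registry = {d: {} for d in doors}
        # employee -> tier -> door -> credential: the employee's tiered vault.
        # In the article's model this vault is encrypted and opened only by the
        # endpoint on the user's behalf, so the employee never reads the
        # credential; that encryption layer is omitted in this model.
        self.vaults = {}

    def issue(self, employee: str, per_door: bool = True) -> dict:
        """Issue credentials for every door. per_door=False reproduces the
        one-credential-opens-everything pattern the article criticises."""
        vault = {}
        shared = secrets.token_urlsafe(32)  # used only when per_door is False
        for door, tier in self.doors.items():
            credential = secrets.token_urlsafe(32) if per_door else shared
            salt = secrets.token_bytes(16)
            self.registry[door][employee] = (salt, _verifier(credential, salt))
            vault.setdefault(tier, {})[door] = credential
        self.vaults[employee] = vault
        return vault

    def login(self, door: str, employee: str, credential: str) -> bool:
        """Check a presented credential against the door's stored verifier."""
        entry = self.registry[door].get(employee)
        if entry is None:
            return False
        salt, expected = entry
        return hmac.compare_digest(_verifier(credential, salt), expected)

    def blast_radius(self, employee: str, stolen: str) -> set:
        """Doors a single stolen credential opens: the lateral-movement reach."""
        return {d for d in self.doors if self.login(d, employee, stolen)}


def compare_policies() -> dict:
    """Return {policy: number of doors one leaked low-tier credential opens}."""
    results = {}
    for name, per_door in (("per_door", True), ("single_credential", False)):
        issuer = AccessIssuer(DOORS)
        vault = issuer.issue("jay", per_door=per_door)
        # Suppose the lowest-tier credential (email) leaks to an attacker.
        stolen = vault["low"]["email"]
        results[name] = len(issuer.blast_radius("jay", stolen))
    return results


if __name__ == "__main__":
    print(compare_policies())  # {'per_door': 1, 'single_credential': 4}
```

With per-door issuance the leaked email credential opens exactly one door; with a single reused credential it opens all four, including the high-tier finance and admin doors, which is the lateral-movement path the article describes.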

Organisations: Take back control of your digital kingdom

For most organisations today, their digital world has become far more valuable than their physical locations, yet the doors to their digital networks are the easiest to attack.

As technology progressed, their security regressed to the point where they can now lose everything built so far. But with access encryption and segmentation, organisations are able to take back control over their access, data and business, effectively closing their doors on attackers, who can no longer steal user credentials and move laterally.

This in turn drastically improves their security and makes them much more difficult targets to attack, while giving them long overdue cyber-resilience.
