The Sarbanes-Oxley (SOX) Act of 2002 is just one of the many regulations you need to consider when addressing compliance. Also called the Corporate Responsibility Act, SOX may necessitate changes in identity and access management (IAM) policies to ensure your company is meeting the requirements related to financial records integrity and reporting.


What is Sarbanes-Oxley (SOX)?

SOX was passed in July of 2002 in response to a rash of incidents resulting from malpractice in accounting. The regulation added to existing guidelines and included “reforms to improve financial disclosures from corporations and prevent accounting fraud” with the aim of protecting investors from “fraudulent accounting activities.”

All publicly traded companies located or doing business in the U.S. are subject to SOX regulations. The act:

• Increases corporate responsibility for financial reporting
• Establishes new accounting guidelines
• Mandates protections against accounting fraud
• Imposes more serious punishments for noncompliance

Records collected and stored by companies affected by SOX are subject to a number of protocols intended to increase accuracy in reporting and discourage unlawful falsification and destruction of records. With strict rules governing financial reporting and how long records are stored, SOX changes the way many businesses approach accounting.

SOX Compliance Requirements

The first step in SOX compliance is to establish an “accounting framework” to create verifiable paper and data trails for all financial activities. Every action with the potential to affect financial reporting must be traced and documented as proof of compliance, including changes made to financial and accounting software.

In addition, companies must establish internal controls designed to prevent fraudulent activities and reporting. CEOs and CFOs are required to personally certify all records as “complete and accurate” in accordance with section 302 of SOX, affirming they’ve reviewed the controls at least once in the past 90 days.

Section 404 outlines the requirements for monitoring and maintaining controls. Using a framework like COBIT, companies must conduct an annual audit to determine how well the controls are working and report the results directly to the Securities and Exchange Commission (SEC). All audit records, whether physical or digital, must be kept on file for no less than five years.

Should a security breach compromise finances or records, SOX regulations require affected companies to report the incident as soon as possible.

Risk of Noncompliance

Failure to comply with SOX can incur serious penalties. Company executives who certify false reports can be fined up to $1 million for each instance, sentenced to up to 10 years in jail or both. Willful certification of false reports carries a fine of up to $5 million, a jail term of up to 20 years or both. The severe nature of these penalties drives home the importance of having strong security measures, especially since a single accounting error can compound and create several inaccurate reports if it isn’t caught in time.

How Does IAM Relate to SOX?

Because both physical and digital records are affected by SOX, access management is an integral part of compliance. When the act was first passed, many businesses weren’t yet dealing with the complexities of connectivity seen in modern enterprises. However, the requirement to put “adequate internal controls” in place for “financial reporting and governance” extends to IT, especially in environments where multiple device types connect to the corporate network from a variety of locations and a great deal of information is handled in the cloud.

Strategic IAM practices control several factors with the potential to affect financial reports:

• Insider threats
• Data breaches
• Human error

By automating activities such as user provisioning and deprovisioning and implementing granular conditional access controls, companies minimize the risk of unauthorized access and reduce instances of privilege creep. Assigning identities to devices makes it easier to control how and where employees access corporate networks, helping prevent some of the problems associated with establishing and enforcing BYOD policies.

Business IAM solutions also include automatic logging and reporting tools so that clear reports can be generated for every audit. Since corporations tend to have large numbers of employees with various levels of network access, automated logging and report generation are essential for SOX compliance. Without these tools, it would be nearly impossible to track the actions of every user and every device, and suspicious behavior could escape notice long enough to cause serious problems.

All digital security policies, including IAM, should be evaluated for efficacy as part of the annual SOX compliance audit.

Access Management Controls

For SOX compliance, organizations should keep the following access management areas in mind:

  • Manage access rights during on-boarding, role changes, off-boarding
  • Ensure Segregation of Duties (SoD)
  • Maintain access control matrix
  • Perform periodic access audits
  • Automate reporting
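The SoD, access-matrix, periodic-review and reporting bullets above worked as one script. This is an added example, not code from the original article: it joins a constructed access control matrix against a constructed SoD rule set and a constructed HR-status/last-login feed, and produces the findings an auditor would ask for. Every user, entitlement name and date is made up.

```python
"""Segregation-of-duties (SoD) and periodic access-review checks run over an
access control matrix. Added example, not code from the original article;
all users, entitlements, conflict pairs and dates are constructed sample data."""
from datetime import date
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed access control matrix: user -> entitlements currently granted.
ACCESS_MATRIX: Dict[str, Set[str]] = {
    "alice": {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"},
    "bob":   {"AP_CREATE_VENDOR"},
    "carol": {"GL_POST_JOURNAL", "GL_APPROVE_JOURNAL", "ERP_ADMIN"},
    "dave":  {"REPORT_VIEW"},
}

# Constructed SoD rules: pairs of entitlements that must never sit with one person
# (creating a vendor and approving payments to it is the classic fictitious-vendor case).
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}),
    frozenset({"GL_POST_JOURNAL", "GL_APPROVE_JOURNAL"}),
}

# Constructed HR-status and last-login feeds that the periodic review joins against.
HR_STATUS: Dict[str, str] = {"alice": "active", "bob": "terminated",
                             "carol": "active", "dave": "active"}
LAST_LOGIN: Dict[str, date] = {"alice": date(2018, 10, 1), "bob": date(2018, 6, 1),
                               "carol": date(2018, 10, 3), "dave": date(2018, 1, 5)}
AS_OF = date(2018, 10, 5)  # constructed review date
DORMANT_DAYS = 90          # review threshold assumed for this example


def find_sod_violations(matrix, conflicts) -> List[Tuple[str, Tuple[str, str]]]:
    """Return (user, (entitlement_a, entitlement_b)) for every conflict pair a user holds."""
    violations = []
    for user in sorted(matrix):
        held = matrix[user]
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= held]
        violations.extend((user, pair) for pair in sorted(hits))
    return violations


def review_access(matrix, hr_status, last_login, as_of, dormant_days=DORMANT_DAYS):
    """Periodic access review: accounts whose owner is not an active employee
    (terminated or unknown to HR), dormant accounts, and privileged entitlements
    that need a documented owner sign-off."""
    findings = {"terminated_with_access": [], "dormant": [], "privileged": []}
    for user in sorted(matrix):
        if not matrix[user]:
            continue
        if hr_status.get(user) != "active":  # also catches orphans with no HR record
            findings["terminated_with_access"].append(user)
            continue  # removal is the action; no need to also call it dormant
        seen = last_login.get(user)
        if seen is None or (as_of - seen).days > dormant_days:
            findings["dormant"].append(user)
        for ent in sorted(matrix[user]):
            if ent.endswith("_ADMIN"):
                findings["privileged"].append((user, ent))
    return findings


def audit_report(as_of=AS_OF) -> List[str]:
    """Flat lines for the evidence file an auditor asks for; one line per finding."""
    lines = [f"SOD   {user}: holds both {a} and {b}"
             for user, (a, b) in find_sod_violations(ACCESS_MATRIX, SOD_CONFLICTS)]
    r = review_access(ACCESS_MATRIX, HR_STATUS, LAST_LOGIN, as_of)
    lines += [f"TERM  {u}: not active in HR but still entitled" for u in r["terminated_with_access"]]
    lines += [f"DORM  {u}: no login in {DORMANT_DAYS}+ days" for u in r["dormant"]]
    lines += [f"PRIV  {u}: {e} requires documented approval" for u, e in r["privileged"]]
    return lines


if __name__ == "__main__":
    print("\n".join(audit_report()))
```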

Staying in compliance with regulations like SOX is important for the safety of your company and the data you handle. If you haven’t yet put measures in place to ensure compliance in regards to financial records and reporting, work with your IT department to develop an IAM strategy designed to minimize errors, prevent unauthorized access and secure all records during transmission and storage.


The increasing number of connected technologies used by businesses and consumers is creating more points of data vulnerability. Each new endpoint provides a potential “in” for hackers and increases the risk of identity theft from data exposure.

Business owners must recognize the growing identity theft threat to their companies, employees and customers and take steps to mitigate the risks and ensure personal data stays out of the hands of malicious third parties.

More Technology, Greater Risk

The vision of a completely connected world, once realized only in science fiction, is quickly becoming a reality. Internet of Things (IoT) technology forms an expanding web of devices in constant communication with each other and with a variety of networks. This connectivity permeates every aspect of business and personal lives and has greatly increased the risk of identity theft.

According to a survey by The Harris Poll, almost 15 million people had their identities stolen in 2017 and experienced nearly $17 billion in total losses. The Consumer Sentinel Network lists identity theft as the second most common reason for fraud reports, surpassed only by debt collection fraud.

Why are connected technologies of particular concern when considering identity theft risk? IoT devices constantly collect and send data about users, including intimate details most consumers never realize they’re sharing. Modern hackers have access not only to identifying information but also may obtain data about individuals’ personal lives, right down to their fitness habits, the groceries they buy most often and even rough maps of their homes.

Today’s Biggest Threats to Identity

Although the Federal Trade Commission lists employment and tax fraud and credit card fraud as the two most common forms of identity theft, account takeovers are becoming more attractive to modern hackers. More connectivity means hackers can gain access to a larger database of information and launch more widespread attacks using a single set of stolen credentials.

In the 1,597 data breaches recorded by the Identity Theft Resource Center in 2017, hackers gained access to users’ names, social security numbers, birthdates and driver’s license numbers, all of which can be used to impersonate an individual or mine for more data. However, to steal an account, all a hacker needs is a user’s login information and a strategy for flying under the radar when committing fraudulent acts.

The risks associated with this type of identity theft are seen in the increasing popularity of online fraud, especially in the realm of online payments. Over 80 percent of credit card fraud is now committed in “card not present” situations, such as the use of digital payment gateways. Electronic Health Records (EHRs) are also popular targets, although hackers seem to be developing a greater interest in social security numbers when obtaining user data.

Business Identity Theft?

Individuals aren’t the only ones at risk. Businesses can also fall victim to identity theft. Both the high volume of activity and large transactions occurring at the corporate level attract hackers looking for big payouts. Unlike in data breaches, however, hackers committing business identity theft don’t infiltrate a network to steal information. Instead, they impersonate the identity of a business to commit fraud.

Businesses of all sizes are susceptible to this form of identity theft, but small businesses may be at a greater risk due to a tendency to ignore potential threats. Over half of small businesses have no concept of their level of risk from cyber attacks, and 58 percent fall victim to malware as a result. Business identity theft can affect credit score, cash flow, tax filings and brand reputation.

Strategies to Safeguard Identity

Business owners and corporate IT specialists must be aware of the risks associated with the unique nature of their onsite networks and the ways in which employees and customers connect to and interact with these networks.

Identity theft “red flag” risk assessments and routine security audits reveal points of weakness and the need for stronger safeguards and better access management polices. Using information gathered from these assessments, businesses should:

• Invest in updated security software designed to handle connected technologies
• Consider incorporating machine learning into security protocols
• Review and update access permissions
• Implement data encryption tools
• Establish protocols for user provisioning and deprovisioning
• Create policies limiting which company details can be shared publicly
• Continually educate employees on how to minimize risk

Securing internal networks with these tactics closes many common loopholes hackers use to access personal information and helps to protect businesses, employees and customers from the devastating consequences of identity theft.

Although the rapid spread of new technologies is putting personal information at greater risk for theft, business owners can take steps to increase security and protect proprietary and consumer data. Technology will continue to shift and expand, and diligent awareness of threats is essential to preserve data privacy and prevent identity theft.

Incidents of call center fraud are on the rise according to various call center fraud reports. This is partly due to the migration of scammers from online channels, where breaches are becoming more difficult to commit, to the largely unprotected and vulnerable environment of call centers.

The evolution of authentication has been somewhat slow across organizations when compared to the fast changing technology and cybersecurity threat landscape.

The increasing complexity of systems is leading to a need for more secure authentication methods. Although passwords are a ubiquitous form of verification, allowing users to access applications and perform actions within a system, there have always been problems with this method. Creating secure passwords and managing them properly is difficult when users have dozens of different accounts and log in from multiple locations throughout the day.

The evolution of authentication by Identity Management Institute

An answer to the problem may be found in password-less authentication methods. According to a survey by Wakefield Research, 69 percent of organizations are considering phasing passwords out in the next five years, opting instead to take advantage of passwordless models to increase security and make logins easier for both employees and customers.

Basics of Passwordless Authentication

The idea of a passwordless authentication model is straightforward. Instead of entering credentials consisting of a username or email address and a password, users verify their identities with an alternative method. The change is meant to address the problem of passwords standing in the way of reliable security, workflow efficiency and even customer retention.

Options for password-less authentication include:

  • Biometrics – Already in use in smartphones and other devices, biometric logins consist of a unique biological identifier, such as a fingerprint. However, until biometric technology improves, this may not be the most secure choice unless combined with other options.
  • Email – Upon entering his or her email address, an existing user is sent an email with a verification link. Clicking the link completes authentication and allows access.
  • Token or one-time code – Instead of a link, users receive a token or code they then enter into the website or application. This code is attached to every action taken during a session and decrypted as users interact in real time before being destroyed when the session is terminated.
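The email-link and one-time-code options above depend on how the server treats the token. The following is an added example, not code from the original article or any vendor: the token is random, stored only as a hash, expires, is voided when a newer one is issued for the same address, and is consumed on first use. The in-memory store and the integer clock are stand-ins for a database and real time.

```python
"""Server side of the email-link / one-time-code flow: a random token that is
stored only as a hash, expires, is invalidated when a newer one is issued and is
consumed on first use. Added example, not code from the original article or any
vendor; the in-memory store and integer clock stand in for a database and time."""
import hashlib
import secrets
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 600  # a link or code should die quickly; ten minutes is typical

# Constructed token store: sha256(token) -> record. Only the digest is kept, so a
# leaked copy of this table cannot be turned back into a working login link.
_STORE: Dict[str, dict] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(email: str, now: int) -> str:
    """Mint a token for `email`; the plaintext is returned once, to go into the mail.

    Any earlier unused token for the same address is voided, so only the most
    recent link or code works and a first request cannot be replayed after a
    second one was made."""
    email = email.lower()
    for rec in _STORE.values():
        if rec["email"] == email and not rec["used"]:
            rec["used"] = True
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unrelated to the email
    _STORE[_digest(token)] = {"email": email,
                              "expires": now + TOKEN_TTL_SECONDS,
                              "used": False}
    return token


def redeem_token(token: str, now: int) -> Optional[str]:
    """Return the authenticated email address, or None if the token is unknown,
    expired or already used. Lookup is by digest, so the plaintext is never stored;
    the record is marked used before the identity is handed back."""
    rec = _STORE.get(_digest(token))
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    rec["used"] = True
    return rec["email"]


def purge_expired(now: int) -> int:
    """Housekeeping for a periodic job: drop used or expired records, return the count."""
    dead = [d for d, rec in _STORE.items() if rec["used"] or now > rec["expires"]]
    for d in dead:
        del _STORE[d]
    return len(dead)


if __name__ == "__main__":
    link_token = issue_token("user@example.com", now=0)      # would be mailed as a link
    print("first use:", redeem_token(link_token, now=10))   # user@example.com
    print("replay:", redeem_token(link_token, now=11))      # None
```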

These new authentication options eliminate the need for passwords and the potential security risks associated with poor password management.

Passwordless Authentication Benefits

Getting rid of a familiar form of identification to increase security may seem counterintuitive, but passwordless authentication has the potential to increase security for both your customers and the users within your organization. Making the switch addresses common problems with password security:

  • Weak passwords
  • Poor password management
  • Accidental use of default settings
  • Using the same password for multiple accounts
  • Not changing passwords regularly

Many of these issues result from “password fatigue,” which is experienced by users asked to create passwords for every website and application they use and enter these passwords numerous times throughout the day. This often leads to apathy in password creation and can threaten system security.

Passwordless authentication is also more convenient. Customers don’t like juggling logins for dozens of sites and tend to abandon those requesting the creation of yet another account. Employees required to log into multiple applications during the course of standard workflows are less efficient, and tasks slow down even more if a password is forgotten and needs to be reset. When no passwords are required, all users enjoy a more seamless experience.

Passwords Elimination in the Evolution of Authentication

Password fatigue explains the phenomenon of passwords becoming weaker as a user is asked to create more accounts. After a while, users no longer care if the password is secure and will use anything just to be able to gain access. This can create a serious security problem in your system. Weak passwords, use of default login options and stolen credentials account for 63 percent of breaches (Verizon). If even one customer’s account is hacked, all the data stored by your company is at risk. The same is true for employee accounts across critical business applications.

Customer retention rates are also affected by password fatigue. Seventy-five percent of customers stop using a service or website if they need to perform a password reset, and 30 percent abandon their shopping carts if checking out requires account creation. This is of particular concern when it comes to first-time or one-time customers. You could lose out on lucrative sales during popular shopping seasons or drive away customers who may otherwise have become loyal shoppers if you don’t have an alternative way for them to log in.

In addition to these considerations, your organization could benefit from passwordless authentication if:

  • Employee password management is poor
  • Workflows continue to hit bottlenecks due to excessive login requirements
  • Your system network is expanding to include more applications
  • A significant number of customers are abandoning carts at checkout
  • Password security problems have led to breaches in the past

There may be some situations in which it makes sense to retain the use of passwords or use a method like multi-factor authentication instead. Base your decision on your company’s needs and the unique security requirements of your network.

Passwordless Model in the Evolution of Authentication

If you decide to make passwordless authentication part of your security protocol and authentication evolution, the first step is to research the options to find a reliable provider. Request demos from vendors to see how the authentication process works, and get all the details you can about the security of the process.

Implementation details are specific to providers, but your chosen vendor should work with you to help you set up your passwordless login system. Let all users, both employees and customers, know you’ll be making the switch, and provide clear instructions for use of the new system.

Once passwordless authentication is in place, monitor performance to determine if it delivers the desired results. You should see a drop in shopping cart abandonment on the customer end and an increase in workflow efficiency for your employees.

The rise of passwordless authentication may usher in a time when no system or application requires a password for access in the evolution of authentication. Companies looking to streamline workflows, update security and offer an alternative to customers experiencing password fatigue can benefit from switching to passwordless options. Since changes in technology inevitably bring new security concerns, it’s time for organizations to start adopting alternatives to outdated authentication methods and bring identity management strategies up to date.


The identity and access management (IAM) landscape is always changing, and staying on top of the latest news can help you protect yourself and your business from vulnerabilities. From major market expansion to the latest attack on Facebook, here’s what you should know about IAM this month.

$14.82 Billion IAM Market Share Predicted

By 2021, the global market share for IAM is expected to exceed $14.5 billion in U.S. dollars, representing a compound annual growth rate of 12 percent. This significant jump reflects growing security concerns as companies adopt more cloud-based applications and continue to invest in SaaS solutions. An increasing awareness of compliance requirements is also driving the market as regulations are updated.

Facebook Breach Blamed on Access Token Error

Facebook’s latest breach affected an estimated 30 million users, but it was neither complex nor sophisticated. Personal information, including check-ins, searches, contact information and profile details, was stolen from 14 million accounts, and contact information from an additional 15 million accounts was also compromised.

Hackers gained access to data through a simple flaw involving video previews. When users chose to view a birthday video using Facebook’s “View As” option before posting it to their profiles, right-clicking to obtain the source code for the page revealed an access token for the user from whose perspective they were previewing. Hackers were able to scrape access tokens for millions of users by exploiting this vulnerability.

Facebook says the problem was fixed as of September 27, but as with any breach, users should continue to exercise caution.

Malware Remains Most Popular Attack Method

According to research by Positive Technologies, the frequency of malware attacks dropped from 63 percent to 49 percent between Q1 and Q2 this year. However, attacks involving compromised credentials increased from seven to 19 percent.

Malware is still the most popular form of cyberattack and can be used to steal credentials for use in more sophisticated or extensive breaches. Targeted attacks executed for the purpose of extorting money from companies or stealing valuable data are still common, meaning you need to be diligent across departments in your company. A single phishing email, compromised file or infected employee device can provide an open door for hackers to undermine your IAM framework.

Federated Identities May Give Way to Consolidated Identities

The current trend in using federated identities may need a makeover to keep up with the complex security concerns and requirements of modern businesses. A federated identity allows a user to log into multiple services with one set of credentials, such as when you access a third-party website using your Facebook or Google account. A federated identity supplies a single key for cross-domain interactions and interactions between software platforms from different companies, allowing users to access a variety of services without the need for all providers of these services to use the same kind of authentication technology.

Consolidated identity is being proposed as the next wave of IAM within enterprises. Currently, employees using multiple tools to do their jobs likely have to log into each platform with a separate identity. Doing so creates a distraction, slows down workflows and makes it difficult to work efficiently. A consolidated identity combines access rules and authentication protocols to allow access across siloed services based on a user’s needs and security level. This aggregation of access rights can greatly improve time management and increase productivity.

Google Introduces New IAM Tools

Identity management and security is an increasing concern as the adoption of cloud platforms becomes more widespread and companies begin to rely on a greater number of cloud-based applications for daily business tasks. Google recognizes the complex issues involved in enterprise IAM and has been working on new tools to improve cloud security.

“How do we rethink identity in a cloud-based world?” was the question posed by Karthik Lakshminarayanan, Google’s director of product management. The company is answering the question with:

  • Cloud Identity for Customers and Partners (CICP), a tool to add IAM to apps for better security
  • Secure LDAP to allow seamless access to both new and legacy applications
  • Cloud Identity-Aware Proxy (IAP) for context-aware access, making it possible to control data and application access based not only on credentials but also the context of a request
  • Location restrictions for the Google Cloud Platform to prevent the unauthorized creation of resources in specific offsite locations

Some tools are still in development, and others are being finalized to help make IAM easier for businesses working with sensitive data in the cloud.

Continue to monitor the latest IAM news and read new articles to stay on top of industry changes and get alerts regarding security concerns. New product and service releases and innovations from big players in the industry can transform your approach to IAM and ensure better security for the future. And, don’t forget to get certified.

Companies failing to follow proper employee offboarding measures are at risk for data loss, cyberattacks and other malicious activities. Regardless of the reason for an employee’s exit, offboarding is an essential part of the transition process. Protect your system and all sensitive data with these six critical identity management procedures.

Collect All Company-Owned Devices

Company-issued smartphones, tablets, laptops and other devices should be turned in before an employee leaves for good. These devices not only contain sensitive information but also represent a significant monetary investment. Be sure to collect all other items used for data transfer and storage, such as memory cards and flash drives, to prevent confidential information from leaving the premises.

Retrieve keys and security cards to ensure employees can’t gain physical access to the building once their tenure is over. Being able to get in and out of the office without checking in or making an appointment literally leaves the door open for serious breaches if the conditions of departure are less than cordial.

Terminate Personal Device Access

If your business has a BYOD policy, employee-owned devices may retain information, applications and other company assets. Removing data and programs pertaining to company activities is a key part of offboarding. Even if no ill will is intended, employees can easily walk away with proprietary data on their personal smartphones, tablets, laptops and external storage devices. If passwords were stored using tools on any of these devices, hackers could gain access to your system with stolen credentials long after an employee has left the company.

Revoke Network Access

The identity and access management (IAM) solution your company uses should have tools for managing the entire employee lifecycle, including offboarding. When the time comes to remove a user from the system, take advantage of these tools to completely eliminate the employee’s unique identity. Don’t be tempted to reuse the account with different login credentials for the next person taking over the position. A new employee may not need the same level of access even if he or she performs similar duties, and rolling accounts over may cause problems with “privilege creep,” in which an employee accumulates more access rights than necessary to perform his or her job.

Access to company applications and third-party cloud-based programs used by your business for communication and collaboration must also be revoked. Change any common passwords for these applications or other system tools, and make sure related apps are wiped from personal devices. If an employee-owned device has its own identity within your system, remove this privilege when the person leaves.

IAM software makes network access management much easier by centralizing all information about each employee’s credentials, level of access and privileges so that you can be sure all points of vulnerability have been addressed and don’t have to search through every application to terminate access.

Remove Employee Data from Systems

Once access has been revoked, make sure the names of employees who no longer work for your company don’t show up on contact lists, in meeting rosters or as the primary contacts for projects. Forward all communications from terminated employee accounts to a manager or supervisor, and communicate clearly with other employees to ensure everyone is aware who has been offboarded and who is responsible for picking up their tasks until a new hire is made.

Follow a Set Procedure Every Time

Go through the same steps with each employee you offboard. Adhering to a plan ensures you don’t miss any critical actions and greatly reduces the risk of disgruntled employees wreaking havoc once they’ve left. Employees in good standing are saved the potential embarrassment of and backlash from accidental data leaks. Create a checklist of best practices, and follow it to the letter to keep your company and your employees safe.

Keep Records

Compliance is an important issue for any business handling sensitive information, interacting with clients and customers or conducting transactions. You may be subject to additional compliance rules depending on the industry in which you operate. Proper offboarding is necessary for compliance, especially in cases where the information you store could be stolen, sold or publicly distributed by employees with malicious intentions.

If your IAM solution doesn’t already keep detailed logs, enable the option or upgrade to a system with this capability. Logs can be used in the event of a compliance audit to prove you followed your offboarding procedure correctly and no loose ends were left to create vulnerabilities. Furthermore, logs are necessary for any critical investigation as a result of security policy violations and data breach cases.

Following the same offboarding procedure with every candidate reduces the risk of accidental or deliberate data theft and eliminates as many points of vulnerability within the system as possible. Make offboarding part of the process of managing the employee lifecycle to avoid the potential for serious security problems down the road.

In the ever-changing IoT landscape, things now have identities. With the number of connected IoT devices set to reach 75 billion by 2025, having a strong identity and access management (IAM) policy is more important than ever. IoT technology is now an integral part of the business world and may represent as much as 6 percent of the global economy in the near future. Such rapid expansion in the network of devices connected to the systems within your business requires a new approach to access and security.

Identity and Access Management in an IoT World

What once involved keeping track of one identity per user within a network has evolved into a complex web of monitoring and managing the interactions occurring between users and devices both onsite and in remote locations. Further complications can arise from transient access, in which devices connect to the network only part of the time and may or may not be running in privacy mode when they do. Each device is associated with its user’s unique identity, but the device itself is able to communicate with other devices and to perform actions such as accessing and transferring data.

This pivotal shift comes at a time when companies are still trying to get a handle on IoT technology and implement identity management protocols capable of handling the unique combination of corporate, employee-owned and remote devices connecting to their networks every day. Each new device creates additional points of vulnerability, and the more complex the web of connectivity, the more robust the related security measures need to be.

Whereas IAM used to require only associating a user with a device, it now must also bridge the gap between devices and networks or systems. This necessitates a fresh approach to identity management to prevent a situation in which device use gets out of control and creates security gaps your current protocols can’t handle.

Say Hello to the Identity of Things

A new concept known as the identity of things (IDoT) has arisen to describe the relationship between IAM and IoT. As the nature of connectivity changes, IDoT offers solutions for handling new types of digital interactions by proposing unique identities for the devices themselves. This essential evolution of IAM makes it possible for your company to handle not only the employee lifecycle but also the lifecycle of every device requiring access to your network.

To properly control access for both users and devices, a modern IAM protocol must take into account the kinds of data each device will access, handle or store as it interacts with other devices and programs in a network. Each device needs to be integrated into the network to facilitate seamless communication regardless of device type, manufacturer or operating system. Requiring device registration and creating specific protocols for transient devices helps to prevent unauthorized data access and makes it possible to monitor for unusual behaviors across the network. When sensitive or proprietary data is involved, you also need to consider what data manufacturers collect when monitoring device performance and put safeguards in place to protect against accidental access to confidential information.

The Future of the Internet of Identities

The expanding network of connected “things” with their own identities is creating a new landscape for IAM in which users control devices with collections of attributes and the ability to carry out multiple functions within a network. Dubbed the internet of identities (IoI), this matrix of connectivity presents fresh security challenges requiring:

  • Employee training and background checks to ensure device security;
  • Detailed protocols dictating when and how data can be accessed by specific devices;
  • Privacy and security rules to govern inter-device communications and connections;
  • Updated security protocols and standards;
  • Use of behavioral analytics to detect unauthorized access attempts; and
  • Centralized IAM and security procedures to prevent bottlenecks and preserve open communications.

With these changes, identity management will increasingly focus on securing the relationships between connected devices to allow businesses the freedom to take advantage of IoT technology without falling victim to the vulnerabilities inherent in such a system.

As IoT connectivity continues to evolve, businesses without a robust approach to IAM and device security will become more vulnerable to cyber-attacks. Prevention is the best approach, which requires getting a handle on the current state of device use within your company and preparing for a steady increase in the use of IoT technology over time.

Getting ready for changes in IDoT and IoI today will make it easier to comply with new protocols and standards as they’re developed and released. IoT is set to have a $3.9 trillion impact globally by 2025, so implementing smart identity management strategies now has the potential for big payoffs in the future. An updated security policy and a solid training plan for employees prepares your company to step into the future of IAM with the lowest possible level of risk.


Every time organizations hire a new employee, he or she needs access to essential information, apps and processes to successfully perform daily tasks. With the cost of data breaches at $4 million per incident and businesses losing an average of $158 for every stolen record, it’s crucial that organizations grant and manage access with the utmost care.

Employee identities and the information to which associated credentials allow access must be carefully managed throughout each team member’s time at your organization. Defined by Techopedia as “the full life cycle of identity and access for a user on a given system,” identity lifecycle covers every aspect of identity and access management (IAM) from the moment a person is hired to the moment they leave the company.

With constant changes in technology and the dynamic nature of employees’ access needs in the modern workplace, it’s essential to follow these 6 IAM best practices throughout the employee lifecycle.

Cover the Basics

IAM should begin with the most straightforward steps for better security:

  • Enable multifactor authentication,
  • Create and enforce a Bring Your Own Device (BYOD) policy, or consider a Corporate-Owned, Personally Enabled (COPE) policy as an alternative,
  • Update all tools, platforms and apps regularly, and
  • Encrypt all data during sending and receiving.

Proper employee training also ensures all staff members understand policies and procedures, thereby minimizing the risk of error and reducing vulnerabilities resulting from ignorance.

Start with Smart Provisioning

Role- and attribute-based access control methods assign employee access based on the minimum levels necessary to complete tasks. This makes it easier to allocate privileges to new employees. Instead of guessing what access they’ll require and running the risk of being too liberal, your system can be set to automatically assign the right level of access at the time of hiring. Real-time provisioning ensures access is available to all employees from day one. Adding a single sign-on (SSO) process streamlines the procedure, allowing staff members to use multiple apps using just one set of credentials.

Use Automatic Updating

SSO also eases the burden on your IT department when paired with automatic updating. An increasing number of apps are required to manage modern businesses, and your IT team doesn’t have the time to update provisions across apps or create new rules every time you adopt another platform.

Look for a solution designed for adding apps centrally and creating the proper provisions across all of them at the same time. As the apps you use change, employees gain instant access based on existing permissions, preventing bottlenecks in essential workflows.

Prevent Privileges from Piling Up

Privileged accounts give specific employees access to the most sensitive data and processes within your system. However, employee responsibilities change over time, and it may not always be necessary for high-level permissions to remain in place. Privilege levels must be adjusted accordingly as part of regular automatic updates. By revoking access as soon as it’s no longer needed, you minimize vulnerabilities and shut the door on hackers who target these types of accounts.

Put Up a (Geo) Fence

If your company has a team of remote employees or otherwise allows remote access to data, geo-fencing can cut down on the risk of sensitive information being accessed from the wrong places. Many employees still use public Wi-Fi connections to perform business tasks, and logging into your system while sipping a latte at Starbucks can throw the door wide open for hackers.

Geo-fencing adds another layer of protection by preventing access outside of specific locations. If you choose to implement a “fence,” make sure your access rules don’t create situations so restrictive your remote staff members can’t do their jobs.

Have a Plan for Deprovisioning

Around 49 percent of former employees log into their accounts after leaving a job or being let go. Deprovisioning prevents this type of unauthorized access by completely revoking privileges as soon as a person no longer works for your company. Like provisioning and continuous certification, deprovisioning can be automated to offload your IT department from the tedious task of revoking permissions and removing roles. This is especially important in cases where an employee’s exit was less than cordial and your company could be at risk for a malicious attack if the account remains open.
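The provisioning, privilege clean-up and deprovisioning steps above, modelled end to end as an added example (this is not code from the original article or from any IAM product; the role catalogue, entitlement names, users and login events are constructed):

```python
"""Identity lifecycle model: joiner, mover and leaver handling with
role-derived entitlements, plus a check for logins by deprovisioned accounts.
Added example; role names, entitlements and users are constructed."""
from dataclasses import dataclass, field

# Constructed role catalogue: each role maps to the minimum entitlements
# needed for the job (the "smart provisioning" step).
ROLE_ENTITLEMENTS = {
    "finance_analyst": {"erp:read", "email", "sso_portal"},
    "finance_admin": {"erp:read", "erp:admin", "email", "sso_portal"},
    "engineer": {"git", "ci", "email", "sso_portal"},
}


@dataclass
class Identity:
    user: str
    roles: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)
    active: bool = True


def effective_entitlements(roles):
    """Union of the entitlements granted by a set of roles."""
    ents = set()
    for role in roles:
        if role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role: {role}")
        ents |= ROLE_ENTITLEMENTS[role]
    return ents

def provision(user, roles):
    """Joiner: access is derived from roles, never granted ad hoc."""
    ident = Identity(user=user, roles=set(roles))
    ident.entitlements = effective_entitlements(ident.roles)
    return ident

def change_roles(ident, new_roles):
    """Mover: recompute from the new roles so entitlements tied to the old
    role are revoked rather than piling up. Returns what was revoked."""
    old = set(ident.entitlements)
    ident.roles = set(new_roles)
    ident.entitlements = effective_entitlements(ident.roles)
    return old - ident.entitlements

def deprovision(ident):
    """Leaver: disable the account and strip every entitlement at once."""
    ident.active = False
    ident.roles = set()
    ident.entitlements = set()

def flag_terminated_logins(directory, login_events):
    """Return login events by accounts that are disabled or not in the
    directory at all (the post-departure logins the article warns about)."""
    return [e for e in login_events
            if e["user"] not in directory or not directory[e["user"]].active]
```

Feeding `flag_terminated_logins` the output of the deprovisioning step is the detection half of the plan: a disabled account that still produces login events is the signal to investigate.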

Adopting a framework for proper identity lifecycle management gives you more control over the information to which your employees have access and decreases the likelihood your company will suffer a data breach. Even in a world where BYOD and remote work have become everyday realities, following best practices for managing identity and access keeps your company safe and ensures no accounts are left open to enterprising hackers. Working with a professional can make it easier to identify weaknesses in your current systems and implement the best fixes for your business model.


With the increasing use of cloud computing and storage, the interconnected Internet of Things, and the growing number of systems, remote users and large volumes of data, today’s business environment and its security risks have changed enormously and require a shift in our security mindset and practices.

As the number of systems, users and data grows, the need for robust identity and access management solutions and experts to manage accounts and their access becomes even more important. In particular, privileged accounts, which offer the highest level of access to a system, are prime hacking targets.

Most data breach incidents show that privileged account passwords are compromised through social engineering techniques and other means to gain access to the most valuable functions and data of a system. Sometimes, user accounts with lower-level permissions are escalated after account takeover to gain privileged access. When legitimate accounts are used to access systems, the intrusion often goes unnoticed for weeks, allowing hackers to obtain as much information as necessary before taking action. To protect privileged accounts, their owners must be properly trained to protect their account passwords, use multi-factor authentication for access, and monitor the accounts to detect any suspicious activity.

What are Privileged Accounts?

Privileged accounts are accounts with elevated access permission that allow the account owners to access the most restricted areas of the system and execute highly privileged tasks. Just like typical user accounts, privileged accounts also require a password to access systems and perform tasks.

Typical Users of Privileged Accounts

A privileged account may be used by a human or a system. Privileged accounts such as administrative accounts are often used by IT professionals to manage software, hardware and databases. Examples of non-human privileged accounts are system accounts with special permissions to run automated tasks. Privileged account users can perform tasks such as installing software, accessing restricted areas, resetting passwords and making other system changes.

Why Privileged Accounts Pose a Risk

The problem with admin and service accounts is that they are often shared, used across many systems, and protected by weak or default passwords that are rarely changed. This makes them great hacking targets: their passwords are easy to steal with the many specialized tools hackers possess, they are in widespread use across the organization, and they carry highly elevated access permissions. Hijacking privileged accounts gives attackers the ability to access and download an organization’s most sensitive data, distribute malware, bypass existing security controls, and erase audit trails to hide their activity.

Industry analysts estimate that up to 80 percent of all security breaches involve the compromise of user and privileged account passwords, and most compromised systems go undetected for over 200 days. A major reason for the ease of password theft is that more than 20 percent of companies fail to change well-known default passwords such as “admin” and “12345.” To compound the problem, account owners use the same password for several different accounts.

Hackers exploit these weaknesses to elevate their existing permissions, access systems, data and key administrative functions, and conceal their activities.

Consequences of Compromised Privileged Accounts

Privileged accounts are powerful accounts that give full access to a system. Hackers can perform malicious activities, steal sensitive information, commit financial fraud, and often remain undetected for weeks or months at a time. After attackers compromise a system, they typically use the access to observe the system for a while and learn about the activities of users. Eventually the attacker can get an accurate picture of the target systems. Depending on the motive of the attackers, they can use privileged accounts to:

  • Change system functionality,
  • Disable access for some accounts,
  • Elevate access for some accounts,
  • Steal sensitive data for fraud, ransom, or revenge,
  • Poison data, and
  • Inject bad code or malware

How Privileged Account Passwords are Stolen

Up to 80 percent of breaches result from stolen passwords. Hackers’ preferred pathway to privilege exploitation is to steal account credentials. Hackers may use malware or social engineering to steal account information for gaining unauthorized access. Employees are typically fooled by phishing scams that ask them to click on a link, download an attachment with malware hidden inside, or enter their passwords into fake website forms. In many cases, these scams appear to be legitimate requests from an employee’s manager, a company executive, or another trusted source.

High Profile Security Incidents and Statistics

  • In 51% of cases the threat actor behind a data breach is a criminal group, versus 18% for a state-sponsored actor.
  • Just over 60% of breaches involve hacking.
  • 81% of hacking-related breaches leverage stolen and/or weak passwords.
  • 43% of breaches involve social attacks (including phishing, pretexting, and spearphishing).
  • 14% of breaches involve employee errors, while another 14% involve privilege misuse.
  • 51% of breaches include malware, and 66% of that malware is delivered by malicious email attachments.
  • 27% of breaches are discovered by third parties.

In a high profile incident, JP Morgan Chase discovered in 2014 that hackers were reportedly able to gain “root” privileges on more than 90 of the bank’s servers, which meant they could take actions including transferring funds and closing accounts. Hackers stole names, addresses, phone numbers and email addresses as well as internal information about 76 million persons and 7 million small businesses.

Privileged Account Management (PAM) Tips

  • Identify privileged accounts,
  • Decide who needs or has privileged access,
  • Define when privileged accounts can be used,
  • Have an incident response plan,
  • Monitor privileged account activities, and
  • Select strong passwords and change them frequently. Privileged account passwords should be set to very large, complex values and stored securely. They should never be shared or used to access multiple systems.
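The "identify", "define when" and "monitor" tips above, as an added detection example (not code from the original article or any PAM product): it keeps a constructed inventory of privileged accounts with their allowed usage windows and scans constructed login log lines for two of the warning signs this article describes, a privileged login outside its window and one privileged account used from many hosts in a short period, which is what a shared password looks like in the logs.

```python
"""Privileged-account monitoring over constructed login log lines.
Flags (1) a privileged login outside that account's allowed window and
(2) one privileged account logging in from more than max_sources hosts
within a short period, a sign its password is shared. Added example;
the inventory, windows and log format are assumptions, not a real tool."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory: privileged account -> (start_hour, end_hour) in
# which it may be used ("decide who has access", "define when it is used").
PRIVILEGED = {
    "root": (0, 24),        # always allowed, still monitored
    "dbadmin": (8, 18),     # business hours only
    "svc_backup": (1, 4),   # nightly backup window
}
LOG_RE = re.compile(r"^(\S+) login user=(\S+) src=(\S+) result=(\S+)$")

# Constructed sample log (assumed format: ISO timestamp, user, source, result).
SAMPLE_LOG = [
    "2024-03-04T02:10:00 login user=svc_backup src=10.0.0.5 result=success",
    "2024-03-04T09:00:00 login user=dbadmin src=10.0.1.20 result=success",
    "2024-03-04T09:05:00 login user=dbadmin src=10.0.1.21 result=success",
    "2024-03-04T09:07:00 login user=dbadmin src=10.0.1.22 result=success",
    "2024-03-04T22:30:00 login user=dbadmin src=203.0.113.9 result=success",
    "2024-03-04T22:31:00 login user=alice src=10.0.1.30 result=success",
    "2024-03-04T03:00:00 login user=svc_backup src=10.0.0.5 result=failure",
]

def parse(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, user, src, result = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src": src, "result": result}

def out_of_window(event):
    """True when a privileged login falls outside its allowed hours."""
    start, end = PRIVILEGED[event["user"]]
    return not (start <= event["ts"].hour < end)

def detect(lines, max_sources=2, window=timedelta(minutes=30)):
    """Return (kind, user, detail, timestamp) alerts for the given lines."""
    alerts, by_user = [], defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is None or ev["user"] not in PRIVILEGED or ev["result"] != "success":
            continue
        if out_of_window(ev):
            alerts.append(("out_of_window", ev["user"], ev["src"], ev["ts"].isoformat()))
        by_user[ev["user"]].append(ev)
    # Shared-credential indicator: successes from too many distinct hosts
    # inside one sliding window; report the first window that trips it.
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            srcs = {e["src"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(srcs) > max_sources:
                alerts.append(("many_sources", user, sorted(srcs), first["ts"].isoformat()))
                break
    return alerts
```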


Careful monitoring of credit reports can alert consumers to fraudulent activities or inaccuracies in records potentially indicating identity theft. The information included on a credit report, such as amounts owed, payment history and public records, affects the scores used by financial institutions and credit card issuers to assess the creditworthiness of applicants and decide whether to approve applications.

Credit reports also provide consumers with a total picture of their credit status at a particular point in time. Few consumers know exactly where they stand when it comes to total debt, thus seeing everything laid out in a report reveals not only where changes can be made to improve credit scores but also mistakes and incorrect information they must dispute and correct. Some of these inaccuracies may be red flags, warning of a breach of privacy or outright identity theft in need of investigation. In these cases, appropriate measures must be taken to correct all information and ensure the security of personal information.

Under the Fair Credit Reporting Act or FCRA, every consumer is entitled to one free copy of his or her credit report per year from the “big three” CRAs: Equifax, Experian and TransUnion. This law is enforced by the Federal Trade Commission and gives consumers the opportunity to keep a close eye on credit activities associated with their accounts.

It is reported that one in five consumers have at least one error on their credit reports. Because these errors can have negative effects on a person’s overall credit history and make it difficult to qualify for loans or obtain new credit cards, they should be addressed and fixed as soon as they’re discovered.

CRAs are required by law under the FCRA to correct inaccurate or incomplete credit report information and must investigate claims from consumers within 30 to 45 days of receipt. Although Equifax, Experian and TransUnion all offer online dispute options, it’s best to carry out communications by mail. Physical letters provide a paper trail consumers can file, track and refer back to as necessary.

The way a consumer handles his or her finances, including making purchases, payments and credit requests, will impact the total FICO score because of the influence such habits have on each of the five elements on which the score is based.

Any patterns indicating reckless spending could prevent consumers from qualifying for card promotions, special deals and higher credit limits. However, those with short credit histories may benefit from charging the majority of their purchases to their credit cards as long as balances are paid off on time. Rather than demonstrating poor spending habits, such a pattern helps to establish a stronger credit history, making other financial products more accessible.

Credit monitoring to detect unusual activity reported to any or all of the big three CRAs is an important part of the overall scope of identity theft protection. Consumers need to be alerted to fraudulent activity as soon as it appears so that appropriate measures can be taken before irrevocable damage is done to their credit histories. Helping consumers better understand the elements of their credit reports provides the knowledge they need to spot errors, empowers them to take corrective steps when necessary and gives potential identity thieves fewer opportunities to compromise credit records.

Identity Management Institute offers a video course teaching how to obtain, review, and correct credit reports. This video is available for purchase and is offered to Certified Identity Protection Advisor (CIPA) candidates, who are valuable resources for helping consumers.
