There are plenty of questions surrounding modern enterprise-level identity and access management. Is identity truly about to go through a Cambrian moment and subsume all other forms of cybersecurity? Are biometrics the future of authentication? Where will IDaaS fit into modern access management solutions in the coming years?
The answers to these questions remain the subjects of speculation and study. Most likely they’ll remain so for some time. However, what is not in dispute is the need for enterprises to boost their employees’ identity security awareness. Employees are frequently cited as enterprises’ largest and most vulnerable cyberattack vector, and for good reason. Without the proper training, these employees can create identity security flaws essentially laying out the welcome mat for hackers and insider threats alike.
So what can you do to foster better identity security awareness in your employees? It all starts with education—continual training is a key foundational step to any cybersecurity platform. Here are the top 3 identity security awareness tips you need to convey to your employees.
1) All Employee Passwords Need to Be Strong
Here is a tricky question: how many characters make a strong, healthy employee or privileged access password?
In part, the answer depends on subjective criteria, explaining the question’s trickiness. However, every identity security expert will agree: a truly secure password is more than the minimum 8 characters established by so many websites and databases. As part of your enterprises’ identity security awareness training, your employees need to internalize proper password creation processes.
To begin with, a truly strong password cannot be easily guessed or cracked by malicious threat actors. A distressing number of users continue to deploy “password1234” and other similarly weak passwords as their work credentials. Employing such credentials must be outright forbidden on your enterprise’s network if you are to have any confidence in your IAM platform. Even with the best solutions on hand, a weak password can render it ineffective.
Furthermore, your identity security awareness training needs to convey the importance of the distinct and individual password in the workplace. With employees having to juggle potentially hundreds of credentials and accounts, this can seem like a huge ask.
Yet a repeated password can represent a massive cyber attack vector into your enterprises’ most precious digital databases and assets. With the plethora of data breaches, many users’ repeated passwords may already be for sale on the Dark Web marketplace. Hackers can use these repeated passwords for credential stuffing attacks, among other tactics. With enough time, they will find the credentials that work…and how to exploit it for maximum gain.
Your enterprise should encourage strong password creation and individual password creation. It should have mechanisms in place (formed in partnership with your IAM solution) to stop bad passwords from being created and to reward good password health.
Identity security awareness needs to be rewarded. Otherwise, it is just a suggestion.
2) Never Share Passwords. Circumstance Doesn’t Matter
This one seems so straightforward you may not consider it for your employees’ identity security awareness training program.
However, you need to reconsider that position.
Employees and even privileged access users are notorious for sharing their passwords and other credentials with their colleagues. Often, they do this to avoid having to contact the helpdesk about a password issue or to resolve an issue outside of the regular workflow processes. Usually, employees’ are placing efficiency over security in their decisions, not realizing security is a vital business process owed just as much attention.
As part of your identity security awareness training, employees need to know security cannot be neglected…and sharing passwords is a blatant symptom of neglect. Make credentials sharing an action warranting a disciplinary response to hammer the message home: you’re serious about security and your employees should be as well.
Also, forbid employees from writing their passwords down and leaving them about the workplace. This will help cut down on insider threats.
3) Use Authorized Devices Only
We—employees and enterprises alike—tend to think of identity as only relating to the direct user accounts and credentials. But for your enterprise to move forward securely, digital identity security awareness needs to extend beyond these limitations of thoughts.
Plenty of identity and access management solutions have started to incorporate factors such as geolocation and device recognition as part of their authentication schemes. Your identity security awareness training should take the same step. Your employees need to understand their devices are just as important to their authentication as their credentials.
Further, only their authorized devices will have the necessary and approved security measures to keep their credentials safe in the first place. Keyword loggers or hidden malicious programs on other devices could steal passwords or other vital information.
Therefore, your identity security awareness training needs to emphasize the importance of getting devices approved by your security team, even in bring-your-own-devices culture. Additionally, employes should only work on devices approved for them so their passwords are logged into the same devices and are therefore localized.
Of course, these points only provide the surface of what your identity security awareness training should cover. But this will provide good scaffolding and values for future discussions. Without starting the conversation, you may end up recognizing the gaps in your digital security after it is far too late.
What is Access Creep? And How Can You Prevent It?
The 17 Best Identity Governance and Administration Platforms of 2018
The 10 Coolest IAM and Identity Security CEO Leaders
IAM vs CIAM: What’s the Difference?
The Role of Identity in Digital Transformation
The Current State of Biometric Authentication in IAM
Comparing the Top Identity and Access Management Solutions
The 32 Best Identity and Access Management Platforms for 2018
Key Findings: KuppingerCole’s Access Governance & Intelligence Leadership Compass
2018 Gartner Critical Capabilities for Identity Governance and Administration: Key Takeaways
Reflection on the 2018 Gartner Magic Quadrant for Identity Governance
- The Best Identity Governance Tools and Vendors in 2023 - December 31, 2022
- The Best Privileged Access Management Providers for 2023 - November 1, 2022
- The 10 Best Free and Open-Source Identity Management Tools - October 15, 2022