Survey reveals organizations know they can – and should – do more to bridge the gap
Irvine, Calif. – Aug 1, 2018 – SecureAuth Corp + Core Security, the leader in identity security automation, today announced results of the Cybersecurity and Identity Gap Survey, a wide-ranging survey that indicates a majority of businesses continue to struggle with strengthening their overall cybersecurity posture because they’re not aligning cybersecurity measures with identity practices. Nearly six out of every ten (59 percent) report that cybersecurity and identity decisions are separate in their organization, which leaves organizations more vulnerable to attack and results in slower remediation when breached.
The survey conducted by strategic research firm Decision Analyst and commissioned by SecureAuth + Core Security found that nearly a quarter (24 percent) of large companies with more than 5,000 employees admit to being completely siloed when it comes to seeing threats, malware, network issues and other cybersecurity practices. The data reveals that the larger an organization is, the wider the gap between identity and cybersecurity practices within that organization.
Adding to the width of the gap – and threat surface – technology managers are unsure of who has access to what assets within the organization. One in five (19 percent) indicate that “rubber stamping” access certifications occurs – approving a user’s access to systems without thoughtful review – leaving respondents with little visibility as to who has access to what information and tools within the organization. This issue is so prevalent that 94 percent say they would consider purchasing another certification solution if it made it easier for business owners to see and understand anomalies and policy exceptions or if it made it far more efficient for business owners.
Multi-factor authentication adoption
To prevent the misuse of credentials, organizations are increasingly implementing multi-factor authentication, yet end-user adoption is problematic due to employee resistance. The primary culprit is employee resistance to two-factor authentication (2FA) and multi-factor authentication (MFA) protocols. The survey found:
- Nearly two-thirds of respondents (65 percent) reported negative experiences with 2FA and MFA implementation
- A full 63 percent said they experience friction from employees who don’t want to download and use a mobile app to initiate the authentication process
- Six out of ten (59 percent) said 2FA/MFA implementations are being completed in “waves” because of employees’ hesitancy to change their behaviors
Password-only still prevalent
The survey also revealed that the computing systems, applications and networks of many organizations are still with little more than a password. In fact, only half of the respondents reported that their organization used multi-factor authentication:
- For logging on to Windows endpoints (55 percent)
- In front of SaaS applications (51 percent)
- For VPN access (50 percent)
- In front of privileged account management products (43 percent)
Only 28 percent reported using MFA for logging into Macintosh endpoints. Most surprisingly, 25 percent reported that they didn’t require anything more than a password for homegrown or on-premises applications.
IT leaders want more integrated solutions
Viewed collectively, these results indicate that significant numbers of enterprises can do much more to guard against cyberattacks and identity theft. They also indicate that most organizations understand they can do more – and want to. Tech leaders responding to the survey said they’d like to see their authentication solutions integrate not only with identity-governance products, but also with other cybersecurity solutions, including next-generation firewalls, vulnerability scanners, privileged access management solutions and web proxies. In fact, 62 percent of companies would prefer to purchase the best solutions to meet such requirements regardless of how many providers it would take.
“Despite increased spending on cybersecurity capabilities, breaches still continue to rise, showing the status quo is no longer good enough” said Jeff Kukowski, CEO SecureAuth + Core Security. “The industry must begin to approach cybersecurity and identity management together to better detect and mitigate risks, rather than treat them as disparate silos that don’t communicate with each other and actually increase the threat surface.”
Struggles with MFA and Microsoft
As one of the most widely-used vendors within enterprises, Microsoft’s applications present a particularly vast attack surface that must be protected. To that end, four out of five (79 percent) respondents reported that they have enterprise licensing agreements with Microsoft. Of those, one in five (19 percent) of those say Microsoft does not solve their problems on 2FA/MFA or adaptive projects well enough to utilize it. Further, nearly one-third of all enterprises (32%) use a pre-2013 version of Microsoft Outlook, leaving those companies particularly vulnerable to an attack surface that Microsoft cannot solve.
“Although Microsoft applications are so widely adopted in the enterprise, a significant number of IT leaders struggle to implement even basic two-factor authentication projects with those applications,” Kukowski said. “Because so many companies use older versions of Microsoft technology, it’s clear that more must be done to prevent organizations using the company’s software as an entry-point for attackers.”
SecureAuth + Core Security commissioned Decision Analysts to conduct an online survey between February 12 and February 19, 2018, among 202 IT decision-makers responsible for IAM at companies in the U.S. with 500 employees or more.
About SecureAuth + Core Security
SecureAuth + Core Security brings together network, endpoint, vulnerability, and identity security, to prevent the misuse of credentials by delivering true Identity Security Automation. The company is a leader in vulnerability discovery, identity governance, and threat management, and is a respected pioneer in adaptive authentication and Single Sign-On (SSO). Our mission is to accomplish what no other security technology vendor can claim: Secure the enterprise across all major threat vectors with an identity-based approach to the attack lifecycle. To learn more, visit www.secureauth.com or www.coresecurity.com, contact SecureAuth at firstname.lastname@example.org, or follow us on Twitter (@SecureAuth), and LinkedIn.
SecureAuth and Core Security are registered trademarks in the United States and/or other countries.
SecureAuth + Core Security