In Part 1 and Part 2 of my series on the value of identity, we looked at the consequences that revealing excessive personal information in public, and more specifically in the digital realm, can have on an individual and an organization. We saw that hackers can use the information you reveal on social media and the internet not only to impersonate you and steal your identity, but even to infiltrate and take control of your company’s network.
However, when proper measures are taken, these consequences can be avoided altogether. And, while yes, employees should avoid posting too much personal information on social media accounts, it’s also crucial that employers do their due diligence by properly educating employees and putting sufficient security measures in place.
So, here are five steps that companies can proactively take to not only minimize the risk of a network breach, but also to help employees avoid a personal identity takeover.
Encourage Employees to Take Computer Safety Courses – Internet courses are widely available that can help users understand the do's and don'ts of publishing personal information, sharing passwords, and other general internet safety recommendations. And from the individual’s perspective, these courses are valuable to anyone with computer access – inside or outside of the workplace – especially for children who need to be educated about the dangers of the internet.
Develop a Security Training Program – Implementing a security training program, with information not only on protecting company assets but also on internet safety at home (or while outside of work), is crucial in ensuring security processes and protocols are understood and correctly followed. Proactive training generally leads to a reduced need for reactive response and remediation. Such training should not only be delivered as part of the onboarding process, but also annually and on an ongoing basis to make employees aware of updates and newly implemented technologies and processes.
Avoid Challenge/Response Questions with Common Answers – Implementing challenge/response questions can add a layer of security, but if the questions are built on very common types of data, such as a pet’s name or favorite sports team, obtaining that information about a user might not be very difficult. Companies should spend time developing new questions that involve private data that employees are less likely to post on the internet.
Implement a Full-Lifecycle Identity and Access Management (IAM) Solution – In the event of an account compromise, an IAM solution with features like time-based access controls, account certification, and password vaulting limits the privileges of an authenticated user and prevents them (or an attacker using their account credentials) from inappropriately accessing sensitive data. The solution also provides an audit trail, so that access and rights may be closely monitored, logged, and reviewed as part of the company's overall security posture.
Add an Additional Layer of Protection with Multi-Factor Authentication – By requiring users to provide something they know (knowledge), something they have (possession), and something they are (inherence), multi-factor authentication adds an additional layer of protection against compromised user accounts that could end up saving the company’s data and, in a bigger sense, its reputation. Combining two or more of these authentication methods and using an overarching multi-factor authentication system can help organizations deter even the most ambitious cybercriminals.
In this series, we've looked at the value of an identity, whether from an individual's perspective or from a broader, corporate point of view. After all, what can start as a personal identity takeover can quickly spread to a corporate network breach if proper security measures aren’t in place.
Now that we’ve examined how certain measures and safeguards can be implemented in order to prevent such serious events from unfolding, I encourage you to examine your own personal AND corporate security postures, and to take those positive steps to ensure consistent and manageable identity safety.