Identity Automation Blog


Now that your C-suite understands your company’s information security program, it’s time to move further into the educational phase.

As you evaluate and prioritize the risks your organization faces, identity and access management (IAM) should emerge as an increasingly clear priority. To help you educate your CEO on the need for increased investment in modern IAM solutions, here is some key IAM terminology that you can use as you work to transition your company to a more modern strategy.

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained, you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”—Sun Tzu

When it comes to protecting your company’s sensitive systems and data, do you truly know your enemy? Showy hacktivists, out for nothing more than a flashy outage and media attention, are the foes who most easily spring to mind, but they’re only the tip of the iceberg. The greatest threats to corporate network and data security are 1) those who seek to intrude into your systems undetected and 2) the careless and complacent employees who let them in. These intruders are patient and meticulous; they know what you have and are planning to get it, 24/7.

Now that you’ve used the points outlined in the last installment of our series to discuss with your CEO how important security is to both your organization’s bottom line and your CEO’s job, it’s time to begin the process of education. There are several realities about security that your CEO must understand as you work toward a modernized security strategy that will optimally protect your organization from outside threats and inside vulnerabilities.

Intruders Thrive on Complacency

In a recent analysis of the top 1,000 global companies, 97 percent were found to have had leaked credentials that were made publicly available on the Web. While this statistic is disturbing enough by itself, what is more troublesome is how that information is captured and made public.

Many leaked credentials come as the result of an organization suffering from a data breach, but another method that attackers are using is to steal credentials from a third-party source, similar to what happened when Spotify and Pandora were attacked. In both of these incidents, corporate emails used to sign up for accounts were either published or sold. Dating and adult websites are also common places where corporate emails are inappropriately used to create accounts, resulting in more than 300,000 corporate or government worker email addresses being exposed.


In past posts, we’ve talked about how evolving business and threat landscapes have necessitated more robust, modern, and integrated Identity and Access Management (IAM) solutions. The reality for organizations today is that the weakest link in deterring security threats, such as system breaches and data theft, is employees themselves. Whether intentional or unintentional, employee data leaks are startlingly common and can have devastating effects on an organization.

To further complicate matters, intruders these days are well aware of this weak link and would much rather slip through an already open door by compromising user accounts than fight through perimeter controls. Having a perimeter security mentality, one that focuses on preventing attacks from the outside alone, simply isn’t enough and puts both company and career in serious jeopardy.

However, while it’s easy to talk about these threats, it’s much harder to make a case for needing a more modern solution to combat them without the facts to back up these claims. So, we’ve compiled a list of recent statistics that lend perspective to the situation:

From the massive Target data breach in 2013 to the Wendy's, UC Berkeley, IRS, and U.S. Department of Justice breaches of 2015 and 2016, today's enterprise exists in a security minefield in which a single misstep could lead to a massive breach and public fallout. As IT departments scramble to shore up their perimeter security, many overlook the fact that legitimate user credentials were the tool of choice in the breaches analyzed by the 2016 Verizon Data Breach Investigations Report (DBIR): 63% of confirmed data breaches involved weak, default, or stolen passwords. These results drive home the point that passwords are the weakest link in the security chain, and malicious intruders know it.


The goal of achieving compliance is to make sure that an organization is meeting minimum standards to protect sensitive data. In order to be compliant, a business needs only to meet the outlined requirements.

However, this does not mean that its systems and data are secure. Unfortunately, some companies treat compliance merely as a checkbox. Even when the minimum standards are met, sensitive data and accounts with elevated access can still be exposed. Instead, compliance should be viewed as the by-product of sound security practices. This starts with protecting the attacker’s most sought-after prize: privileged accounts with elevated access across the network.

In the first installment in this blog series, we looked at the many trends in the business landscape today (digital transformation, a changing workforce, and the shift to cloud IT infrastructures, among others) that are driving the need for a more comprehensive and integrated IAM solution. In our second blog in this series, we will take a look at why evolving regulatory and threat landscapes, combined with shrinking IT budgets, have necessitated more robust, modern IAM solutions.


In Part 1 and Part 2 of my series on the value of identity, we looked at the consequences that revealing excessive personal information in public, and more specifically in the digital realm, can have for both the individual and the organization. We saw that hackers can use the information you reveal on social media and elsewhere on the internet not only to impersonate you and steal your identity, but even to infiltrate and take control of your company’s network.