SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Exclusive: Three access management learnings from 2018
Tue, 18th Dec 2018

The state of cybersecurity and privileged access management in 2018 shows Australian organisations may still have some way to go before they can consider themselves protected.

There was a renewed global response to data security in 2018, placing pressure on organisations to assume more responsibility for the data they hold.

In Australia, the Notifiable Data Breach (NDB) scheme came into effect this year, placing new requirements on organisations to disclose data breaches and a greater emphasis on proper security practices.

Despite this scheme, the Office of the Australian Information Commissioner received 550 breach notifications between February 22 and September 30, 2018.

While details about the specific cause of the breaches are sometimes unclear, history exists so we can learn from the mistakes and triumphs of others.

2018 saw breaches at companies like Austal, where staff email addresses and mobile numbers were accessed, and at the National Disability Insurance Scheme, which failed to properly confirm the identity of users.

With the benefit of hindsight, here are three identity governance trends that businesses should be aware of for the upcoming year.

An organisation is only as strong as its weakest employee

Employee education remains as critical as ever in a world where business email compromise (BEC) is still a common form of attack by threat actors.

Enterprises must create internal training programs that educate employees on the risks of BEC and help employees identify the warning signs they may encounter when they are being targeted in a phishing scam.

Effective employee education will make the entire organisation stronger and help to prevent the risk of accidental compromise.

This includes developing best practice guides for email correspondence and general guidelines for communicating confidential information when handling privileged information, such as not sharing privileged account passwords or other personal account information through email.

If a threat actor gains access to one account and finds additional email addresses and passwords for confidential accounts, it can harm a business's reputation and have a negative financial impact.

Adopt multi-factor authentication and complex password requirements

Organisations do, however, need more than just educated employees to keep their data and accounts safe.

Multi-factor authentication and complex password requirements offer further layers of security for enterprises.

Multi-factor authentication requires at least two forms of identification to prove identity, such as a password, a physical identifier like a card, or a second PIN code sent to another device like a mobile phone.

Multi-factor authentication is a solution all organisations should have implemented in 2018 to improve identity management and overall organisational security.

Further, requiring employees to maintain strong password practices that include the standard mix of upper- and lower-case letters, numbers and symbols is essential.

Implementing processes that require passwords to be updated regularly will also go a long way to protecting individuals and organisations from being breached.

With the new NDB scheme in 2018, more emphasis has been placed on the protections that organisations have in place to prevent data being compromised.

By utilising tools like multi-factor authentication and complex password requirements, organisations can be better prepared to govern identity access and account security.

The multi-factor authentication market is expected to reach US$13.59 billion (AU$18.79 billion) by 2022, demonstrating the growing demand for multi-factor authentication within organisations.

Employees are sometimes resistant to adopting these practices because they add another step to the sign-in process, so it's crucial that organisations use technology solutions that effectively balance security with employee productivity.

Embrace automation

Artificial intelligence (AI) and automation can assist with simplifying processes for IT teams and employees.

However, research from One Identity's annual global survey shows one-quarter of Australian organisations still rely on antiquated processes like spreadsheets to manually manage privileged accounts.

Organisations should embrace AI as a solution that will automate identity and privileged access management, benefiting all areas of IT within an organisation.

Automated password reset systems will make password management simpler and more efficient for employees, ultimately reducing the need for IT teams to keep databases manually updated.

Automation will further help with setting up and deprovisioning accounts, ensuring access is granted to, or taken away from, employees almost instantly.

This allows IT teams to have a better understanding of the privileged account environment of the organisation.

Learning from the past is important for organisations so they can prepare a privileged access roadmap for the year ahead.

The NDB scheme has placed greater public scrutiny on data security than ever before, and organisations must have the tools to prepare themselves for effective protection.

By educating employees about best practice for email use and passwords and adopting multi-factor authentication, enterprises will be better positioned to defend against cyber threats seeking unauthorised access.

Embracing AI will make these processes much easier and improve employee productivity, moving enterprises into the 21st century.