The identity attack surface is the most significant gap in cybersecurity resilience today with existing solutions like multi-factor authentication (MFA) and privileged access management (PAM) leaving critical exposures and allowing for the malicious use of compromised credentials.

This is according to Silverfort’s identity protection annual research report – The State of Identity Security: Insights Into Critical Protection Gaps – conducted by Osterman Research.

The research finds that more than four out of five organisations have experienced a breach that involved the use of compromised credentials, half of which happened in the past 12 months. Furthering the challenges for CISOs is a continual misalignment between security and identity teams. Visibility into the identity attack surface continues to be insufficient, leaving organisations exposed to bad actors who can gain access to their environments, move laterally inside their networks, and wreak havoc in minutes.

The protection of the identity attack surface – which extends far beyond traditional identity access management tools – is the last line of defence in detecting and preventing such threats in realtime.

 Key takeaways of the report include:

  • Identity is the new top attack surface: More than 80% of organisations have experienced an identity-related breach that involved the use of compromised credentials, half of which happened in the past 12 months.
  • Sporadic and poorly deployed MFA and PAM solutions fail to deliver 360º protection: 65% of organisations have not implemented MFA comprehensively enough to provide sound protection. In addition, only 10% of organisations have fully deployed PAM and have high confidence in its ability to prevent malicious use of privileged credentials due to the notorious complexity of implementing such solutions at scale.
  • Limited visibility is creating “blind spots” and exposed access points for bad actors: 94% of organisations do not have full visibility into their service accounts (non-human identities), making these highly vulnerable and often privileged identities a prime target for attackers.
  • Realtime protection is missing: 78% of organisations admit that they cannot prevent the misuse of service accounts in realtime due to low visibility and inability to enforce MFA or PAM protection.
  • Organisations are more exposed than ever: Only one in five organisations are highly confident that they could prevent identity threats. Very few organisations are confident they can stop malicious access or lateral movement using compromised credentials.

“Today’s organisations are challenged with securing many different ‘silos’ of digital identity across complex hybrid and multi-cloud environments. Each of these environments has different identity security controls which don’t work together and result in partial security, inconsistent user experience, and redundant costs,” says Hed Kovetz, CEO and co-founder of Silverfort. “In addition, some of the most critical systems in every company don’t have identity security available at all – and bad actors know it.

“This new research emphasises that organisations need to rethink how they implement identity security and develop a strategy that covers the entire identity attack surface – including human and non-human identities, privileged and non-privileged users, on-prem and cloud environments, IT and OT infrastructure, and many other areas that they didn’t previously manage to protect,” Kovetz says.