Back to Basics: IDSA Trends in 2022 are all about Preventable Cyber Incidents

IDSA report reveals that 96% of respondents think they could have prevented a breach by focusing on identity security 

The Identity Defined Security Alliance (IDSA), a nonprofit that helps organizations reduce risk by providing education and best practices, just released a report on current trends in the state of identity management. 

The research provides insight into how more than 500 organizations, each with more than 1,000 employees, are faring on their journeys to better identity and access management (IAM). 

They begin by ripping off a proverbial band-aid, revealing that: 

  • 84% of respondents said they experienced an identity-related breach in the past year 
  • And 96% said they could have prevented or minimized the breach by implementing identity-focused security outcomes.

While these numbers aren’t surprising, they are regrettable. Fortunately, however, 94% said identity investments are part of strategic initiatives, indicating that there is a growing awareness of the need for improved postures. Here’s what’s happening, and how Enzoic can help. 

Bad Habits are Still Manifold 

While topics like password hygiene are considered basic security, it’s often basic security that we still need to improve. Human error is often at the root of these issues, too. According to the 2022 Verizon Data Breach Investigations Report (DBIR), 82% of breaches this year involved the human element, whether through the “use of stolen credentials, phishing, misuse, or simply an error.” 

The IDSA report revealed similar findings. Of the alarming 84% of respondents who experienced an identity-related breach in the past year, many of the incidents traced back to human error. Phishing attacks (where an employee may mistakenly fall for a well-disguised email scam), stolen credentials, password spraying, and many other identity-related attacks rely on users having weak and reused passwords. A single set of compromised credentials can be the entry point for account takeover and malware deployment. 

Bad password habits aren’t unique to employees, either. Even IT experts admitted to sharing credentials on third-party apps, and to using devices not authorized for work to access work material. 

In a similar vein, only 51% of respondents said they remove a former employee’s access in a timely fashion. That means more people have access to more information for longer, and the stale accounts are ongoing vulnerabilities. 

And things are getting worse…

With additional identities come additional vulnerabilities. The overall number of identities in use is increasing, due in part to:

  • the expansion of cloud applications  
  • an increase in the number of remote employees
  • an increase in third-party relationships 
  • and an increase in the number of machine identities, such as IoT devices and bots. 

Breaches are a cumulative threat, exacerbated both by the growing number of identities and by the poor habits that lead to preventable incidents. 

…Including the impact of a breach. 

Any kind of breach can be a damaging experience for an organization. Whether the result is the loss of personal data or of millions of dollars, the impact is larger than companies realize: breaches are difficult to ‘bounce back’ from. 

Long-lasting damage, in the form of a loss of trust from stakeholders or other reputational harm, can affect a company long after it recovers from the ‘actual’ costs of ransomware or of replacing equipment. This means additional loss of revenue. 

But Things Can Change! 

According to the IDSA, those surveyed almost universally agreed (96%) that implementing a security outcome could have prevented or minimized a breach. This acceptance is a first step towards positive change. 

There are efficient ways to improve your security posture, and with some tools you can do so practically overnight. 

Just a couple of months ago, the IDSA announced its “Identity Management Project of the Year” and awarded it to Enzoic’s customer West-Mark for the results of an initiative that eliminated compromised credentials from their environment. This was achieved by complying with NIST password guidelines, while also following additional guidance to eliminate forced periodic password resets, which had the added benefit of reducing user friction. 

Scanning for compromised credentials is one of the most efficient ways to prevent credential-related breaches. 

The IDSA also recommends implementing MFA, timely reviews of privileged access accounts, and adoption of the Principle of Least Privilege. 

Another finding from the research concerns the impact that leaders can have on security. They found that when executives speak publicly to employees about password security, risky behaviors decrease. 

Whether this is due to general awareness or to actual habit reformation is unknown, but the data indicates that directives around securing compromised credentials must be seen as a priority for change to occur. 

Overall, the report recognizes that most companies are not keeping up with the trends happening around them. IT professionals and executives need to invest both budget and time in finding solutions that protect their company, as soon as possible. 

