Do you remember 2013? It was labeled “The Year of the Mega Breach.” It won that name, and rightly so, because the largest data breaches occurred that year. Remember Edward Snowden? That was in 2013. It was also in 2013 that data breaches started to be mentioned, followed and analyzed by the media as well as the world at large, putting the attacks – and the companies who owned that data – into the limelight and the attention of the general public.
In 2014, the breaches were more frequent and larger, but no nickname was offered. Looking back at 2015, more breaches occurred than the two years prior: at least 1,400 data loss events were recorded and upwards of 169 million records were stolen. We could have dubbed 2015 “The Year of the Super Mega Breach,” but instead, it is the year when we all became blasé. Meanwhile, we started to feel uneasy towards breaches that became more and more personal.
Yes, retail outlets and banks were continually targeted, because they house lucrative data for thieves selling credit card numbers on the Dark Net. But 2015 saw an influx of healthcare breaches – Anthem’s breach alone represented nearly half of all stolen records that year. Personally identifiable information (PII) is, in and of itself, even more valuable: thanks to the insurance fraud it enables, it reaches north of $100 per record, versus the $5-6 range a credit card number can garner.
And then there was the government’s Office of Personnel Management breach, where the data stolen included background checks on former and current employees and contractors. Data about them, their family, their neighbors were taken… definitely a reason to feel uneasy. 2015’s data breaches also targeted places like Harvard University, Ashley Madison and Hello Kitty. In 2015, breaches definitively became personal.
The moral of that story? No company or agency is safe from attacks; corporations that we trust with our information, our family’s information and even our kids’ information were, are or will be targeted. We need to accept that the world has changed.
As the world evolves, so must IT security. It used to be that network security was all we needed since intruders had to either come into the physical location or hack from outside the network. Now, hackers have turned to the weakest link in the security infrastructure: us. People. Users. Identities.
Companies have multiple users entering their systems and accessing their data: employees, contractors, vendors & suppliers, partners, and even customers. Considering the sheer volume of users, applications and various levels of data access, it is easy to imagine an enterprise managing over a billion points of access. But these points of access can easily become points of exposure. A billion points of exposure. Behind all those points of access is a person – an identity.
Those people–securing their identities is everything. Identity. Is everything. Identities in an organization “hold the keys to the kingdom” and therefore will be targeted. In 2016 more than ever, securing those identities… those exposure points should be at the core of every enterprise’s security program.
It has become clear that the notion of network-centric security is a strategy of the past. A paradigm shift happened in 2015, when a user-centric approach to security emerged as the most robust strategy to secure an organization’s assets in our distributed IT world. By putting IAM at the core of security and IT infrastructures, we can continue to protect organizations from threats coming from both outside and, more importantly, inside the network, to which many of us are blind today. Only then can we have a common understanding of who should have access, who does have access and how they are using their access.
To help organizations understand how identity can be at the center of their IT and security strategy, SailPoint is rolling out a series of educational resources. You’ll find white papers, webinars, roadshows and more here.