Another IAM Warning You’ll (Probably) Ignore

If past is prologue, then most people who read this blog post are going to nod along, agree with my points and then do nothing. 

I’m being a little cheeky here, but I’m also (unfortunately) telling the truth. Often, business and IT leaders don’t see the true value of cybersecurity solutions until their organization has been hit with ransomware or another successful attack. And increasingly, cybersecurity starts and ends with identity and access management, or IAM.

We still put up barriers against the bad guys at the application and infrastructure levels, of course. Really, many IT departments tackle cybersecurity in much the same way they have for the past 25 years, and IAM is often lumped together with other security measures. But once identity is compromised, that’s pretty much the ballgame. When hackers can exploit user credentials, they can almost always find a way to blast through protective measures throughout the IT environment. It’s time for us to start thinking of identity and data security in the same way we think about enterprise resource planning systems: as something that touches every person, every application and every business process throughout an organization. 

We’ve all seen the headlines about massive breaches at large, well-known companies in recent years. Some of these were due to cybersecurity officials failing to enact or enforce policies that required employees to rotate their passwords. This gets down to the very basics of identity and access management. In a disjointed reaction to another major breach, a company purchased three multifactor authentication solutions after a compromise of its user credentials made headlines. The company could have avoided a bad situation if leaders had simply rolled out a single MFA tool before the breach and deployed it across the enterprise.

Nobody likes to spend time dwelling on worst-case scenarios, and everyone hates shelling out for insurance — something they hope they’ll never need to use. And truthfully, it can be expensive to implement good IAM tools and practices. Complicating matters for smaller organizations: The process of securing a modest environment is often nearly as involved as it is for a larger one. A regional bank serving 10,000 customers, for instance, has almost all the same IAM challenges to overcome as a much larger national institution. The identity problems are virtually identical; it’s only the volume that changes. 

Still, leaders must balance this cost against the risks facing their organizations. Some large retailers that were hit by breaches saw a decrease of 40 percent in credit card transactions in the wake of their troubles. Now, a giant company can weather that storm, but it might be enough to put a smaller company out of business. 

CDW works with organizations to establish solid IAM practices and implement effective tools, through workshops, assessments and business case designs all the way through to solution design, deployment and management. Many people in these workshops are themselves coming to us in the aftermath of a cyberattack. But believe me: The happiest participants are the ones who didn’t ignore warnings about the importance of IAM until it was too late.

Story by Ian Cumming, the presales director for identity and access management at Focal Point Data Risk, a CDW company.