Authentication failures, defined as weaknesses in an organization's authentication processes that leave it unable to verify a user's identity, do not only create a high risk of credential theft; they are also costly. According to the research, organizations spend an average of approximately $3 million annually on activities relating to authentication failures.
Participants in this research also estimate that the maximum loss from a single authentication failure ranges from $39 million to $42 million, and that the average maximum loss from a material business disruption caused by an authentication failure ranges from $34 million to $40 million. The reasons authentication failures are costly, as confirmed in this research, are the downtime needed to resolve the failure, the disruption of business processes, the loss of customers and the negative impact on third-party and business relationships.
Sponsored by Nok Nok, Ponemon Institute surveyed 1,007 respondents: IT security staff (360), IT security leaders (339) and non-IT security leaders or lines of business leaders (LoBs) (308). All respondents are familiar with the authentication processes in their organizations and have some level of responsibility for the security of those processes.
A key takeaway from this research is the gap between IT security and LoBs in the seriousness of authentication risks facing their organizations. In this report, we present these differences and discuss how they may be affecting the security posture of organizations represented in this research.
In the context of this research, credential theft means stealing a user's actual password rather than guessing it. The goal of this crime can be to make fraudulent purchases or financial transactions and to steal confidential information.
The authentication failures perception gap in organizations
Based on the findings, the following are the most significant gaps between IT security staff, IT security leaders and lines of business leaders in their understanding of the state of authentication processes in their organizations. These differences can be a barrier to a secure and holistic strategy for addressing the risks and cost of authentication failures. According to the research, most organizations do not have an enterprise-wide strategy for reducing the risk of authentication failures.
- Lines of business leaders are less likely to recognize how difficult it is to distinguish "real" employees, customers and users from criminal imposters using stolen credentials. Sixty-six percent of IT security staff respondents say it is very difficult or difficult, compared with less than half (48 percent) of lines of business respondents.
- Authentication processes are out of control, according to IT security respondents. Only 32 percent of IT security respondents and 44 percent of IT security leaders say their organizations have a high level of control over their authentication processes. However, 67 percent of lines of business respondents are confident in their organizations’ controls.
- IT security staff respondents detect more authentication failures. IT security staff estimate a per-user average of 28 authentication failures per month, whereas lines of business leaders estimate an average of 19 per user per month.
- IT security staff say there are significantly more undetected authentication failures than IT security leaders and lines of business leaders say there are. IT security staff respondents say that on average 45 percent of authentication failures go undetected, almost twice the share reported by lines of business leaders.
- IT security staff report a larger increase in the volume, frequency and severity of authentication failures. Seventy-one percent of IT security respondents, vs. 55 percent of lines of business leader respondents, say authentication failures have significantly increased or increased. Fifty-nine percent of IT security respondents say the severity of failures has increased, vs. 51 percent of business leader respondents.
- IT security staff respondents are less confident that the risk of authentication failures can be reduced. Today, 66 percent of lines of business respondents say their organizations are very prepared or highly prepared to reduce the risk of authentication failures, and 82 percent expect to be very or highly prepared in two years. Only 40 percent of IT security staff respondents say their organizations are very or highly prepared today, and 53 percent say their organization will be very or highly prepared in two years.
- Only 28 percent of IT security staff respondents believe an annual budget of $2.5 million allocated to staff and technologies to prevent, detect, contain and resolve authentication failures is sufficient, whereas 45 percent of lines of business leaders say the budget is sufficient. Only 45 percent of IT security staff say their organizations' leaders recognize the need to invest in automation, AI and orchestration as part of their efforts to prevent authentication failures.
The risk of credential theft is high, and only 30 percent of respondents say their companies have good visibility into credential theft attacks. Sixty-six percent of IT security staff respondents say it is very difficult (32 percent) or difficult (34 percent) to distinguish real employees, customers and users from imposters using stolen credentials. In contrast, less than half (48 percent) of LoB respondents say it is very difficult or difficult.
To read the rest of the report, register to download it at Nok Nok’s website: