
Creating a Cybersecurity Infrastructure to Reduce Third-Party and Privileged Internal Access Risks: A Global Study

Organizations’ sensitive and confidential data continue to be vulnerable to risks created by third parties and internal privileged users. A key takeaway from this new research is that too much privileged access and the difficulty in managing permissions are barriers to reducing these risks.

The purpose of this research, sponsored by Imprivata, is to learn important information about how well organizations are managing third-party remote access risks as well as risks posed by internal users with privileged access.

Ponemon Institute surveyed 1,942 IT and IT security practitioners in the US (733), UK (398), Germany (573) and Australia (238) who are familiar with their organizations’ approach to managing privileged access abuse, including processes and technologies used to secure third party and privileged end user access to their networks and corporate resources. Industries represented in this research are healthcare, public sector, industrial and manufacturing and financial services.

According to the findings, organizations spend an average of $88,000 annually to detect, respond to and recover from third-party data breaches and privileged access abuse. To prevent these abuses, the IT security team spends an average of 134 hours weekly analyzing and investigating the security of third-party and internal privileged access practices and allocates an average of $43 million, or 25 percent of its annual $171 million IT security budget, to reducing third-party and privileged internal access risks.

“Third-party access is necessary to conduct global business, but it is also one of the biggest security threats and organizations can no longer remain complacent,” said Joel Burleson-Davis, Senior Vice President of Worldwide Engineering, Cyber, at Imprivata. “While some progress has been made, organizations are still struggling to effectively implement the proper tools, resources, and elements of a strong third-party risk management strategy. Cybercriminals continue capitalizing on this weakness, using the lack of visibility and uncertainty across the third-party vendor ecosystem to their advantage.”

Both third-party/vendor and privileged internal user data breaches and cyberattacks are a security risk for organizations. According to the research, organizations need to give equal priority to reducing the privileged access risks posed by third parties/vendors and by internal users. Some 47 percent of respondents say their organizations experienced a data breach or cyberattack that involved one of their third parties/vendors accessing their networks. Forty-four percent of respondents say these incidents involved internal users with privileged access.

Following is a summary of the research findings. 

To avoid security incidents, organizations need to assign the appropriate amount of access and no more. According to the research, granting too much privileged access to insiders causes more data breaches and cyberattacks than when given to third parties. Thirty-four percent of respondents say these incidents were the result of a third party/vendor having too much privileged access. However, 45 percent of respondents say it was caused by providing internal users with too much privileged access.

Third party security incidents are more likely to result in regulatory fines (50 percent vs. 30 percent of internal users) and lawsuits (41 percent vs. 24 percent of internal users). The primary consequences of a privileged user access data breach and cyberattack were the loss of business partners (51 percent of respondents), loss of reputation (44 percent of respondents) and employee turnover (43 percent of respondents).

Assigning the right amount of privileged access is critical to not only preventing security incidents but to ensuring third parties and employees have enough access to be productive. An average of 20 third parties/vendors and an average of 20 employees have privileged access rights. The challenge for those managing permissions is to be able to determine the correct level of privileged access required without providing too much access. However, less than half (49 percent of respondents) say their organizations provide third parties/vendors with enough access and nothing more to perform their responsibilities. Forty-seven percent of respondents say their organizations provide employees with the appropriate amount of access to do their work.

Organizations without an inventory of third parties/vendors say it is primarily due to a lack of resources. Complexity of multiple internal tech platforms is a barrier to having an inventory of privileged internal users. Fifty percent of respondents say their organizations do not have a comprehensive inventory of all third parties with access to their networks due to the lack of resources to track third parties (45 percent of respondents), no centralized control over third-party relationships (37 percent of respondents) and complexity in third-party relationships (27 percent of respondents). Only 47 percent of respondents have a comprehensive inventory of all privileged internal users due to complexity of multiple internal tech platforms (53 percent of respondents), no centralized control over internal user privileges (44 percent of respondents) and lack of resources to track internal user privileges (41 percent of respondents).

Reducing third-party and privileged internal access risks can be overwhelming because of the many factors that complicate the process of managing permissions. Forty-four percent of respondents say managing third-party/vendor permissions can be overwhelming and a drain on internal resources. Almost half (48 percent of respondents) say managing internal privileged access is difficult. The difficulty in managing permissions stems from the complexity of insider user roles and third-party relationships and from the number of access change requests caused by personnel changes, mergers and acquisitions and organizational restructuring.

The lack of a consistent, enterprise-wide privileged user access management approach can lead to gaps in governance and oversight. Only 42 percent of respondents say their organizations have a strategy that ensures technologies, policies and practices are used consistently across the organization to reduce privileged access risks. Twenty-six percent of respondents say the strategy is not applied consistently and 19 percent of respondents say it is ad hoc or informal (Q5).

Artificial intelligence (AI) and machine learning (ML) can increase efficiency and decrease human error in the steps taken to reduce privileged access abuse. Forty percent of respondents say AI and ML are part of their strategy to reduce privileged access abuse.

The primary benefits are improved efficiency of efforts to manage third party and internal privilege access abuse (59 percent of respondents), reduced human error related to managing third-party and internal privileged access (51 percent of respondents) and increased support for the IT security team dedicated to managing third party and internal privileged access abuse (50 percent of respondents).

Preventing privileged access abuse can be overwhelming, requiring technologies and processes that enable organizations to effectively monitor and audit who has access to sensitive and confidential data. However, only 46 percent of respondents monitor and review provisioning systems and only 41 percent of respondents say their organizations conduct regular privileged user training programs. Instead, 57 percent of respondents say their organizations depend upon thorough background checks before issuing privileged credentials and 55 percent of respondents say their organizations conduct manual oversight by supervisors and managers.

The primary barrier to granting and enforcing privileged user access rights is the inability to apply access policy controls at the point of change request (67 percent of respondents). Other barriers, each cited by 61 percent of respondents, are the length of time it takes to grant access to privileged users (not meeting the organization’s SLA with the business), the expense of monitoring and controlling all privileged users, and the staggered granting of access to privileged users.

Monitoring third-party and vendor access can reduce third party and vendor access risk. However, only 41 percent of respondents are monitoring third-party and vendor access to the network. Reasons for not monitoring third party and vendor access to sensitive and confidential information are confidence in the third party’s ability to secure information (59 percent of respondents), the business reputation of the third party (45 percent of respondents) and the lack of internal resources to check or verify (44 percent of respondents).

Recommendations to mitigate third-party and privileged internal access risks

  • Implement the principle of least privilege. Grant users only the minimum access required to perform their duties. Regularly review and audit access and conduct periodic reviews to identify and revoke unnecessary permissions.
  • Maintain an inventory of third parties and internal users with privileged access. Without such inventories many organizations don’t have a unified view of privileged user access across the enterprise.
  • Leverage access management tools such as Vendor Privileged Access Management (VPAM) and Privileged Access Management (PAM) to secure and manage an organization’s privileged access to information resources and ensure each user has minimal, controlled access, reducing the chance of a third-party vendor breach and providing organizations with control and visibility. According to the research, 55 percent of respondents with a VPAM say it is highly effective and 52 percent of respondents with a PAM say it is highly effective.
  • Educate users on security best practices. Train employees about the importance of data protection and responsible access management. Only 41 percent of respondents say their organizations conduct regular privileged user training programs.
  • Ensure there are sufficient resources, in-house expertise and in-house technologies to improve the efficiency and security of the access governance process, specifically to keep pace with the number of access change requests and to reduce burdensome processes for third parties and business users requesting access.
  • Automate the processes involved in granting privileged user access and reviewing and certifying privileged user access to meet growing requests for access changes.

To read the full findings of this report, visit Imprivata’s website. 

HP mandated 15-minute wait time for callers — why that was good news for criminals

Bob Sullivan

I have long said that poor customer service is a massive cybersecurity and financial vulnerability. I realize that line doesn’t always click with people right away, so I’m devoted to sharing examples with you (like this dramatic story).

Hewlett-Packard just offered up a slam dunk.

The company recently deployed a mandatory 15-minute wait for customers calling its support line. It’s hard to believe, but here’s The Register’s story about this. That story cites a staff memo which says, “The wait time for each customer is set to 15 minutes – notice the expected wait time is mentioned only in the beginning of the call.” HP’s goal was to force folks to solve problems on their own, supposedly with the help of HP’s website. But…we’ll get to that boobytrap in a moment.

On the one hand, this just sounds like everyone’s 21st Century nightmare. On the other hand, you’ve got to give HP credit for saying the quiet part out loud. I’m sure many of you suspect other companies put similar speed bumps into their phone call wait times. (I’ll share one example. Way back in 2000, the FTC fined the nation’s credit bureaus for putting a million callers on hold — after the feds required the bureaus to have a toll-free number for folks trying to fix mistakes in their credit reports.)

Here’s the problem with HP’s “don’t call us, we won’t call you,” plan: When shoving consumers online, HP can be shoving them right into the arms of criminals.

As HP printer owners know, there are constant issues with keeping printers functional. Often, due to software updates or other Acts of God, printer drivers go missing. Searching the Web for HP printer drivers can be like walking into the cantina in the original Star Wars.

Here’s a warning that a friend recently sent to me while looking for an HP driver of a slightly-older printer. Users looking for drivers often can’t find them on HP’s site, so they then end up on seedy websites — which sometimes do have legitimate versions of old drivers, and sometimes offer up software that infects users with malware.  After a helpful user points someone to a place that might have the right driver, this warning is attached:

So your printer doesn’t work, you call HP, the company does all it can to redirect you to the Web, and then…well, you probably decide you have no choice but to buy a new printer.

HP reversed course on the 15-minute wait time after the negative publicity, according to Tom’s Hardware. But this is still quite a learning moment.

Of course, it’s annoying to have people call every time their printer stops working.  But this approach of sending users out into the wilderness to find their own answers puts those users at risk — and as we know, we’re all connected, so we are all put at risk.

This scenario is not unlike a problem that plagues the travel industry.  Criminals make fake look-alike websites to hijack desperate travelers looking for a solution when their flight is canceled. It’s sometimes called “malvertising.” Then, fliers call a fake number, and give their money or personal information to a criminal on the other end of the line. If it weren’t so hard to get customer service, fliers wouldn’t be driven to rogue websites in the first place.

Poor customer service is our greatest cybersecurity vulnerability.  Hacking a company is hard. If you are a criminal, it’s much easier to get frustrated consumers to do the hard part for you. Companies should invest in customer service as part of their overall security budgets.

Google tweaks Android with smart scam-fighting update

Bob Sullivan

Google has added a novel scam-fighting technique to the beta version of its newest Android operating system, and the company deserves kudos for that. Essentially, a software tweak will prevent users from installing (“sideloading”) rogue apps during a phone call — adding friction to a tactic criminals often try. It’s unclear how effective this small change might be, but it’s great Google engineers are thinking this way.

Android Authority has all the details.

As many of you know, one of my jobs is to host The Perfect Scam podcast for AARP. Every week I interview the victim of a horrible crime, and tell their entire story from soup-to-nuts. I’ve done more than 100 of these episodes now, and I’m incredibly proud of the work we’ve done, and very grateful to AARP for its ongoing investment to help protect people from fraud. These podcasts also create a valuable library of criminal tactics and techniques, along with a realistic view of victims’ plight.

Many emotional, societal, and financial factors contribute to making people vulnerable to romance scams, crypto scams, impersonation scams, etc. It’s easy to imagine you and your loved ones would never be the victim of such a crime, but you’re dangerously wrong. Any of us can be victimized under the right circumstances. A massive, global, and very profitable industry that’s fueled by human trafficking is now devoted to creating those “right circumstances,” and soon, artificial intelligence will be a large part of their playbook.

I often point out that every one of my stories involves touchpoints with multiple technology companies which enable these crimes. The victim is first contacted by Facebook messenger via an affiliate group; the conversation escalates on WhatsApp; the fake customer service number ranks high on Google; the money is sent through cryptocurrency. You get the idea. Tech companies can and must do more to uncover criminal tactics and at least not make things so easy for the bad guys. Some firms don’t have a great track record of this. Meta is very, very slow to take down impersonation accounts that are used for ongoing crimes, for example.

So I’m glad to throw some flowers at Google today. One technique a criminal can use is to call a victim, engage them in conversation (“We’re from your Internet provider and your modem has been hacked!”) and then walk them through sideloading a malicious app on their phone. Google’s Android smartphone software (which I prefer) has always been more dangerous than Apple’s software because Android is a more open system. So disabling the sideloading of apps during a phone call is a good step; it’s hard to imagine a need for that capability. Naturally, a criminal could tell a victim to hang up, install the software, and then call back. But as Android Central put it, adding this speed bump will certainly help a little, and it might help a lot. AARP research has shown that any conversation with a third party can stop a scam in its tracks, so the hang-up-and-call-back friction might create a moment for such conversations. It won’t hurt, anyway.

I’d love to see more engineers step up and add speedbumps that are designed to frustrate criminals.  If you have any ideas, I’m all ears. And I’ve got more flowers to throw!

Ransomware risk up, but some companies think they’re not a target

Despite advances in cybersecurity technologies, including artificial intelligence (AI), organizations continue to find it difficult to detect and prevent ransomware attacks.

Research conducted by The Ponemon Institute and sponsored by Illumio, Inc. has found that 88 percent of organizations experienced one or more ransomware attacks, with the most recent occurring anywhere from the past three months to more than 12 months ago. According to the research, based on the hours and practitioners involved, organizations spent an average of $146,685 to contain and remediate the largest ransomware attack they experienced. In 2021, the average cost was slightly higher at $168,910.

An on-demand webinar with many more details on the research is available for free at Illumio’s website.

The purpose of this research is to learn the extent of the ransomware threats facing organizations and the steps being taken to mitigate the risks and their consequences. Ponemon Institute surveyed 2,547 IT and cybersecurity practitioners in the U.S. (578), U.K. (424), Germany (516), France (471), Australia (256) and Japan (302) who are responsible for addressing ransomware attacks.

In addition to the 2024 findings, the report also presents research from a ransomware study Ponemon Institute conducted in 2021 and published in 2022. A comparison of the studies reveals changes in ransomware risks and the practices used to reduce the threats in the past three years. Since 2021, while the perception that their organization is a target of ransomware has declined from 68 percent to 54 percent of respondents, the consequences of a ransomware attack such as downtime, loss of significant revenue and brand damage have increased.

“Ransomware is more pervasive and impactful than ever, with more organizations forced to suspend operations or experiencing major business failure because of attacks,” said Trevor Dearing, Director of Critical Infrastructure at Illumio. “Organizations need operational resilience and controls like microsegmentation that stop attackers from reaching critical systems. By containing attacks at the point of entry, organizations can protect critical systems and data, and save millions in downtime, lost business, and reputational damage.”

Since 2021 organizations have become more vulnerable to the risks of ransomware because of AI-generated attacks and unrestricted lateral movement within their networks.

AI-generated attacks refer to cyber threats that leverage AI to deceive and compromise individuals, organizations and systems. These attacks are becoming increasingly sophisticated, imitating the language and style of legitimate emails to trick users into letting the ransomware in. Other attacks use AI to improve the ransomware’s performance or automate some aspects of the attack path. Fifty-one percent of respondents say their organizations are highly or extremely concerned that their organizations may experience such an attack.

Lateral movement refers to methods cyber criminals use to explore a compromised network to find vulnerabilities, escalate access privileges and reach their ultimate target. It is called lateral movement because of the way the attacker moves sideways from device to device, a hallmark of most successful ransomware attacks.

According to the findings, since 2021 unpatched systems have become increasingly vulnerable to being exploited by attackers moving laterally. Fifty-two percent of respondents in this year’s research say unpatched systems are targeted for lateral movement, an increase from 33 percent of respondents in 2021. Targeting cached credentials increased from 42 percent of respondents in 2021 to 48 percent of respondents in 2024.

The following findings highlight organizations’ efforts to mitigate ransomware attacks.

Organizations are slow to adopt AI to combat ransomware. Although AI is considered helpful for reducing ransomware attacks by increasing overall SecOps efficiency and detecting ransomware activity within the environment, only 42 percent of respondents say their organizations have specifically adopted AI to help combat ransomware.

Since 2021 more organizations believe their security controls will protect them from ransomware attacks. Confidence in mitigating a variety of ransomware risks has increased significantly, especially with respect to their current security controls (32 percent of respondents in 2021 vs. 54 percent of respondents in 2024). Multi-factor authentication and automated patching/updates are the top two technologies used to combat ransomware, 37 percent and 36 percent of respondents, respectively. Only 27 percent of respondents say their organizations use segmentation/microsegmentation.

Since 2021, more organizations are assigning responsibility for stopping ransomware attacks to one organizational function. Ninety-two percent of respondents say one person or function is most responsible for addressing the threat of ransomware. The most responsible are the CISO (21 percent of respondents) or the CIO/CTO (21 percent of respondents). In 2021, 82 percent of respondents said one person or function was most responsible.

To prevent ransomware attacks, organizations should secure the cloud and endpoints. Forty-nine percent of respondents say the cloud is most vulnerable in a ransomware attack followed by the endpoint, at 45 percent of respondents. Desktops/laptops continue to be the devices most often compromised by criminals.

Phishing continues to be the most common way ransomware is delivered. Phishing and Remote Desktop Protocol (RDP) compromises continue to be the primary methods used to unleash ransomware. Ransomware is typically spread through emails that contain links to malicious web pages or attachments. Infection can also occur when a user visits an infected website and malware is downloaded without the user’s knowledge. RDP is one of the main protocols used for remote desktop sessions.

Insider negligence can delay an effective response to ransomware and increase the negative consequences. To improve prevention and reduce the time it takes to respond, organizations should address negligent user behavior and the lack of security awareness. Training programs should focus on how users can make better decisions about the content they receive through email, what they view or click in social media, how they access the web and other common practices. Because no cybersecurity control can prevent every attack, containment and response strategies are equally critical.

Forty-four percent of respondents say their organizations are not prepared to quickly identify and contain a ransomware attack. This indicates the importance of having incident response plans, skilled responders and key controls to stop an attack from spreading.

Ransomware attacks can reduce revenues due to downtime, lost customers and brand damage. Since 2021, organizations that had to shut down to recover from the attack increased from 45 percent to 58 percent in 2024. Respondents that report a loss of significant revenue increased from 22 percent of respondents to 40 percent of respondents.

Since 2021, more organizations are reporting that brand damage was a consequence of the ransomware attack (an increase from 21 percent to 35 percent of respondents). The findings also reveal that recovering from damage to brand can cost organizations the most following a ransomware attack. In 2021, the highest cost was due to legal and regulatory actions.

Part 2. Key findings

In this section of the report, we provide an analysis of the research. Whenever possible, we present the findings from the 2021 study to show three-year trends in ransomware threats and risks. The complete audited findings are presented in the Appendix of this report. We have organized the report according to the following topics.

  • The ransomware security gap
  • Anatomy of a ransomware attack
  • The response to ransomware demands
  • Country differences

The ransomware security gap

Fewer organizations pay the ransom. Since 2021, more respondents say their organizations will never pay the ransom even if it means losing data, an increase from 43 percent of respondents to 51 percent of respondents. In an October 2, 2019 Public Service Announcement (PSA), the FBI urged victims not to pay the ransom. According to the PSA, payment of the ransom does not guarantee that the exfiltrated data will be returned, as shown in this research. The FBI also warns that paying might embolden attackers to target other victims.

Another trend is the decline in the belief that their organizations are targeted (54 percent of respondents in 2024 vs. 68 percent of respondents in 2021). A little more than half of respondents continue to say prevention of ransomware is a high priority.

To read the rest of this study, visit Illumio’s website. 

Is the Great Atlantic Data Firewall going up after all?

Bob Sullivan

Are European companies on the brink of another potentially crippling data border dispute with the U.S.? I’ve spent a lot of time in Ireland recently, so I’m acutely sensitive to the possibility.

As tech companies here try to position themselves for Trump 2.0, downstream impacts from the new president’s flurry of executive orders and sackings are quickly being digested. But one issue stands out: the ability of US firms to operate with EU data is, once again, threatened. At worst, the issue could potentially cause EU schools and businesses to stop working immediately with US cloud providers like Google and Amazon, with potentially catastrophic results.

As history shows, that worst-case scenario is likely to be avoided, but yet again, the tenuous nature of international privacy agreements between the U.S. and its largest trading partner has been betrayed.

To review, E.U. citizens enjoy fundamental privacy rights not granted to U.S. citizens, in part because Congress has yet to pass a federal privacy law. Back in 1998, the EU mandated that data on its citizens cannot be exported outside its borders unless it is treated with EU-level care and its citizens are guaranteed EU-level privacy protections. This seemingly impossible stalemate has never really been permanently resolved, but it has been papered over several times by “agreements.” The first such deal was called “Safe Harbor” back in 2000. It was declared invalid by an EU court in 2015, and then replaced by “Privacy Shield,” declared invalid in 2020. That was replaced two years later by the Transatlantic Data Privacy Framework, which stands today. Maybe.

This week, new President Donald Trump required all Democrat members of an organization called the Privacy and Civil Liberties Oversight Board to resign, a not-unexpected step. But that leaves the board with only one member, rendering it essentially non-functional. That’s important because the Transatlantic Data Privacy Framework rests on the ability of this “independent” civil liberties board to deal with complaints by EU citizens about data mistreatment.  Legal scholars worry the board’s demise could mean demise of this latest data-sharing agreement.

In reality, the “court” established to hear such EU citizens’ disputes has yet to adjudicate a single case, according to one of its lawyers. So the Great Atlantic Data Firewall is likely not as imminent as some suggest; we’ve been on this brink many times before.

However, the executive order which President Biden signed initiating the entire Transatlantic Data Privacy Framework is due to be reviewed by the Trump administration within 45 days and it’s easy to see that baby being tossed with the bath water.  Then, real questions about a potential data-sharing wall arising over the Atlantic Ocean could be raised.

Perhaps, as Max Schrems suggests, it’s time to find a more permanent solution to this thorny problem? The best way to understand all that’s going on is to head over to NOYB.eu and read Schrems’ thoughts on the situation.

Certificate Lifecycle Management, PKI and Software Supply Chain Security in Financial Services

The purpose of this research is to determine how effective the financial services industry is in managing the certificate lifecycle, PKI and securing the software supply chain. As shown in this research, 62 percent of respondents say their organizations experienced one or more outages or security incidents due to an issue with digital certificates that resulted in diminished service quality or availability. Forty-eight percent of respondents say their organizations have been impacted by one or more software supply chain attacks or exploits in the past year. Some of the adverse consequences included putting customers at risk due to a system compromise and prolonged disruption to operations.

Sponsored by DigiCert, Ponemon Institute surveyed 2,546 IT and IT security practitioners in the United States (507 respondents), the United Kingdom (295 respondents), Canada (272 respondents), DACH (Germany and Switzerland, 363 respondents), France (361 respondents), Australia (237 respondents), Japan (252 respondents) and Singapore (259 respondents). Forty-eight percent of respondents work in banking and 52 percent are in the insurance industry. All respondents are familiar with their organization’s PKI and involved in certificate lifecycle management (CLM). Ninety-six percent of respondents either have responsibility (47 percent) or share responsibility with others (49 percent) in setting and/or implementing their organizations’ software supply chain security strategy.

Conducting inventories to identify every certificate is critical for crypto-agility and becoming quantum-ready. A key takeaway from the research is that more than half of respondents (51 percent) say their organizations are not taking an inventory to identify every certificate within the organization. Similarly, 51 percent of respondents do not know how many digital certificates, including private root or privately signed, their organizations have. Thirty-six percent of respondents agree that the most important feature of a CLM solution is the continuous discovery of public and internal certificates. Another 36 percent of respondents say lifecycle automation using standard and proprietary interfaces is one of the two most important features.

The following research findings describe the current state of CLM, PKI and software supply chain security.

  • Most organizations are in the dark about their certificate inventory and the kind of certificates they have. As discussed above, a key takeaway from the research is that more than half of respondents (51 percent) say their organizations are not taking an inventory to identify every certificate within the organization. Similarly, 51 percent of respondents do not know how many digital certificates, including private root or privately signed, their organizations have. Without this visibility, organizations are at risk because of unsecured certificates within their organization.
  • A CLM solution must support multiple CAs to allow for redundancy and to accommodate the decentralized nature of PKI within enterprises. Thirty-three percent of respondents say support for multiple CAs is one of the most important features when choosing a CLM solution.
  • Certificate outages are common, mostly due to expirations or revocations, and can be prevented with a CLM solution. Sixty-two percent of respondents say their organizations experienced one or more outages due to an issue with digital certificates. These outages were mainly due to expired certificates, revoked certificates and misconfigured certificates. These risks can be mitigated with an automated CLM system that streamlines certificate management through a variety of automated workflows within a single platform.
  • The most important feature of PKI solutions is the ability to consolidate management of public CA and private CA certificates. According to respondents, the most important feature when choosing a PKI is a single vendor for public CA and private CA certificates (46 percent of respondents). Also important are scalability and performance (46 percent of respondents). The PKI technologies most often used are service provider/cloud provider managed private PKI (44 percent of respondents), internal private PKI (42 percent of respondents) and managed PKI service (e.g. SaaS PKI or PKI as a service) (29 percent of respondents).
  • A digital certificate, also known as a public key certificate, is used to cryptographically verify the ownership of a public key; digital certificates distribute public keys to be used for encryption and authentication. According to the research, the most important use case for digital certificates is user authentication for WiFi, VPN or other network access (59 percent of respondents). Authenticating cloud workloads (55 percent of respondents) indicates progress in modernizing digital certificate security. Another important use case is digital signatures for electronic documents (54 percent of respondents).
  • Software supply chain attacks are growing, primarily from security issues with open source software. Forty-eight percent of respondents say their organizations have been impacted by one or more software supply chain attacks in the past year. Most of these attacks were caused by malware, vulnerabilities or other threats in open source software. The two top consequences were customers at risk due to a system compromise and prolonged disruption to operations.

To read the full findings of this report, visit DigiCert’s website.

The Second Annual Global Study on the Growing API Security Crisis

Application Programming Interfaces (APIs) benefit organizations by connecting systems and data, driving innovation in the creation of new products and services and enabling personalized products and services. As organizations realize the benefits of APIs, they are aware of how vulnerable APIs are to exploitation. In fact, 61 percent of participants in this research believe the API risk will significantly increase (21 percent) or increase (40 percent) in the next 12 to 24 months.

As defined in the research, an API is a set of defined rules that enables different applications to communicate with each other. Organizations are increasingly using APIs to connect services and to transfer data, including sensitive medical, financial and personal data. As a result, the API attack surface has grown dramatically.

Sponsored by Traceable, the purpose of this research is to understand organizations’ awareness and approach to reducing API security risks. In this year’s study, Ponemon Institute surveyed 1,548 IT and IT security practitioners in the United States (649), the United Kingdom (451) and EMEA (448) who are knowledgeable about their organizations’ approach to API security.

Why APIs continue to be vulnerable to exploitation. This year, 54 percent of respondents say APIs are a security risk because they expand the attack surface across all layers of the technology stack. APIs are now considered organizations’ largest attack surface. Because APIs expand the attack surface across all vectors, it is possible to exploit a single API and obtain access to sensitive data without having to defeat the other solutions in the security stack. Before APIs, hackers had to learn how to attack each layer they were trying to get through, learning different attacks for the different technologies at each layer of the stack.

Some 53 percent of respondents say traditional security solutions are not effective in distinguishing legitimate from fraudulent activity at the API layer. The increasing number and complexity of APIs makes it difficult to track how many APIs exist, where they are located and what they are doing. As a result, 55 percent vs. 56 percent of respondents say the volume of APIs makes it difficult to prevent attacks.

The following findings illustrate the growing API crisis and what steps should be taken to improve API security.

  • Organizations have had multiple data breaches caused by API exploitation in the past two years, resulting in financial and IP losses. These data breaches are likely to occur because, on average, only 38 percent of APIs are continually tested for vulnerabilities. As a result, organizations are confident in preventing only an average of 24 percent of attacks. To prevent API compromises, APIs should be monitored for risky traffic, performance and errors.
  • Targeted DDoS attacks continue to be the primary root cause of the data breaches caused by an API exploitation. Another root cause is fraud, abuse and misuse. When asked to rate the seriousness of fraud attacks, almost half of respondents (47 percent) say these attacks are very or highly serious. 
  • Organizations have a very difficult time discovering and inventorying all APIs and as a result they do not know the extent of risks to their APIs. Many APIs are being created and updated so organizations can quickly lose control of the numerous types of APIs used and provided. Once all APIs are discovered it is important to have an inventory that provides visibility into the nature and behavior of those APIs.
  • According to the research, the areas that are most challenging in securing APIs, and that should be the focus of any security strategy, are preventing API sprawl, stopping the growth in API security vulnerabilities and prioritizing APIs for remediation.
  • Third-party APIs expose organizations to cybersecurity risks. In this year’s research, an average of 131 third parties are connected to organizations’ APIs. Recommendations to mitigate third-party API risk include creating an inventory of third-party APIs, performing risk assessments and due diligence and establishing ongoing monitoring and testing. Third-party APIs should also be continuously analyzed for misconfiguration and vulnerabilities.
  • To prevent API exploitations, organizations need to make identifying API endpoints that handle sensitive data without appropriate authentication more of a priority. An API endpoint is a specific location within an API that accepts requests and sends back responses. It’s a way for different systems and applications to communicate with each other, by sending and receiving information and instructions via the endpoint.
  • Bad bots impact the security of APIs. A bot is a software program that operates on the Internet and performs repetitive tasks. While some bot traffic is from good bots, bad bots can have a huge negative impact on APIs. Fifty-three percent of respondents say their organizations experienced one or more bot attacks involving APIs. The security solutions most often used to reduce the risk from bot attacks are web application firewalls, content delivery network deployment and active traffic monitoring on an API endpoint.

Generative AI and API security 

  • Generative artificial intelligence is being adopted by many organizations for benefits such as business intelligence, content development and coding. In this research, 67 percent of respondents say their organizations have adopted (21 percent), are in the process of adopting (30 percent) or plan to adopt generative AI in the next year (16 percent). As organizations embrace generative AI, they should also be aware of the security risks that negatively affect APIs.
  • The top concerns about how generative AI applications affect API security are the increased attack surface due to additional API integrations, unauthorized access to sensitive data, potential data leakage through API calls to generative AI services and difficulty in monitoring and analyzing traffic to and from generative AI APIs.
  • The main challenges in securing APIs used by generative AI applications are the rapid pace of generative AI technology development, the lack of in-house expertise in generative AI and API security, and the lack of established best practices for securing generative AI APIs.
  • The top priorities for securing APIs used by generative AI applications are real-time monitoring and analysis of traffic to and from generative AI APIs, implementing strong authentication and authorization for generative AI API calls and comprehensive discovery and cataloging of generative AI API integrations.
  • Organizations invest in API security for generative AI-based applications and APIs in order to identify and block sensitive data flows to generative AI APIs and safeguard critical data assets, to improve the efficiency of technologies and staff, and to monitor and analyze traffic to and from LLM APIs in real time so that emerging threats can be detected and responded to quickly.

To read key findings in this report, visit the Traceable.com website.

 

Facebook acknowledges it’s in a global fight to stop scams, and might not be winning

Bob Sullivan

Facebook publicly acknowledged recently that it’s engaged in a massive struggle with online crime gangs who abuse the service and steal from consumers worldwide. In a blog post, the firm said it had removed two million accounts just this year that had been linked to crime gangs, and was fighting on fronts across the world, including places like Myanmar, Laos, Cambodia, the United Arab Emirates and the Philippines. But in a nod to how difficult the fight is, the firm acknowledged it needs help.

“We know that these are extremely persistent and well-resourced criminal organizations working to evolve their tactics and evade detection, including by law enforcement,” the firm wrote. “We’ve seen them operate across borders with little deterrence and across many internet platforms in an attempt to ensure that any one company or country has only a narrow view into the full picture of scam operations. This makes collaboration within industries and countries even more critical.”

I’ve been writing about the size and scope of scam operations for years, but lately, I’ve tried to ring the alarm bell about just how massive these crime gangs have become (See “They’re finding dead bodies outside call centers”). If you haven’t heard about a tragic victim in your circle of friends recently, I’m afraid you will soon. There will be millions of victims and perhaps $1 trillion in losses by the time we count them all ... and behind each one, you’ll find a shattered life.

Facebook’s post focused on a crime that is commonly called “pig butchering” — a term I shun and will not use again because it is so demeaning to victims. Often, the crime involves the long-term seduction of a victim, followed by an eventual invitation to invest in a made-up asset like cryptocurrency.  The scams are so elaborate that they include real-sounding firms, with real-looking account statements. They can stretch well into a year or two.  Behind the scenes, an army of criminals works together to keep up the relationship and to manufacture these realistic elements. As I’ve described elsewhere, hundreds of thousands of these criminals are themselves victims, conscripted into scam compounds via some form of human trafficking.

Many victims don’t find out what’s going on until they’ve sent much of their retirement savings to the crime gang.

“Today, for the first time, we are sharing our approach to countering the cross-border criminal organizations behind forced-labor scam compounds under our Dangerous Organizations and Individuals (DOI) and safety policies,” Facebook said. “We hope that sharing our insights will help inform our industry’s defenses so we can collectively help protect people from criminal scammers.”

It’s a great development that Facebook is sharing its behind-the-scenes work to combat this crime. But the firm can and must do more. Its private message service is often a critical tool for criminals to ensnare victims; its platform full of “friendly” strangers in affinity groups is essential for victim grooming. It would be unfair to say Facebook is to blame for these crimes; but I also know no one works there who wants to go home at night thinking the tool they’ve built is being used to ruin thousands of lives.

How could Facebook do more? One version of the scam begins with the hijacking of a legitimate account that already enjoys trust relationships.  In one typical fact pattern, a good-looking soldier’s account is stolen, and then used to flirt with users.  The pictures and service records are often a powerful asset for criminals trying to seduce victims.

Victims who’ve had their accounts hijacked say it can take months to recover their accounts, or to even get the service to take down their profiles being used for scams. As I’ve written before, when a victim tells Facebook that an account is actively being used to steal from its members, it’s hard to understand why the firm would be slow to investigate.  Poor customer service is our most serious cyber vulnerability.

In another blog post from last month, Facebook said it has begun testing better ways to restore hijacked accounts.  That’s good, too. But I’m here to tell you the new method the firm says it’s using — uploaded video selfies — has been in use for at least two years.  You might remember my experience using it. So, what’s the holdup? If we are in the middle of an international conflict with crime gangs stealing hundreds of millions of dollars, you’d think such a tool would be farther along by now.

Still, I take the publication of today’s post — in which Facebook acknowledges the problem — as a very positive first step.  I’d hope other tech companies will follow suit, and will also cooperate with the firm’s ideas around information sharing.  Meta, Facebook’s parent, is uniquely positioned to stop online crime gangs; its ample resources should be a match even for these massive crime gangs.

The 2024 Study on the State of Identity and Access Management (IAM) Security

Keeping enterprise and customer data secure, private and uncorrupted has never been more important to running a business. Data is the key asset in our information-driven world, and keeping it secure allows your organization to maintain a healthy operation and reduce operational, financial, legal and reputational risk.

The purpose of this report is to understand how organizations are approaching Identity and Access Management (IAM), to what extent they are adopting leading security practices, and how well they are mitigating identity security threats. Sponsored by Converge Technology Solutions, Ponemon Institute surveyed 571 IT and IT security practitioners in the US about their current IAM practices.

Keeping information safe has gotten more complex as technology has advanced, the number of users has grown, and the devices and access points they use have proliferated beyond the walls of the enterprise. Attackers see their opportunities everywhere.

Threat actors have also changed. The threat is no longer the “lone wolf” hacker; organized crime groups and bad-actor nation states are now a constant threat to our data security. They have more sophisticated tools, expanding compute power and AI. They’ve also had decades to hone their methods and are innovating daily.

Not a week goes by without a new data breach hitting the news cycle. A single successful attack can be painfully expensive. In the United States the average cost per data breach was $9.48 million in 2023. And this is just the financial impact which may not include reputational harm, loss of customers and other hidden costs.

Surprisingly, stolen or compromised credentials are still the most common cause of a data breach. While there is an entire industry devoted to identifying and remediating breaches as or after they happen, the best defense is to prevent credential theft in the first place.

At the heart of prevention are the practices of Identity and Access Management, or IAM. IAM ensures that only trusted users are accessing sensitive data, that usernames and passwords aren’t leaked or breached, and that the enterprise knows precisely who is accessing its systems, from where and when. Keeping the bad guys from stealing credentials severely limits their ability to cause harm. Good IAM and awareness training do that.

The State of the Art of IAM

Like all technology practices, IAM has evolved over the years to become more sophisticated and robust as new techniques have been developed in keeping data and systems secure. Organizational adoption and enforcement vary greatly.

While some advanced businesses are already using endpoint privileged management and biometrics, there are still organizations with policies loose enough that using a pet’s name with a rotating digit as a password is still possible or credentials are on sticky notes stuck to employee monitors.

For most companies, it all begins with the basics of authentication. A username and password alone are no longer sufficient for the “primary” login to mission-critical systems. In legacy systems, where nothing beyond usernames and passwords is available, best practices must be taught and enforced rigorously: very long passwords or passphrases, and checking passwords against a blacklist. These password basics are a starting point that many, many users still don’t universally adhere to.

The next critical step is adding Multi-Factor Authentication (MFA). Many cyberattacks are initiated by phishing where credentials and personal information are obtained from susceptible users. Others are brute force attacks where the password is eventually guessed. Using MFA introduces a second level of authentication that isn’t password-based to thwart attackers who may have discovered the right password. If your organization hasn’t yet implemented MFA, it is past time to act. This additional layer of security can dramatically reduce the risk of credential compromise.

If you’ve already deployed basic MFA, the next logical step is Adaptive Authentication, also called Risk-Based Authentication. This technique adds intelligence to the authentication flow: it keeps security strong while reducing friction by setting authentication requirements based on the risk and sensitivity of each specific request rather than issuing the same MFA prompt every time. This reduces MFA response fatigue for end users.

On the leading edge, organizations may choose to forgo using passwords altogether and go passwordless to nearly eliminate the risk of phishing attacks. This method uses passkeys that may leverage biometrics (e.g., fingerprint, retina scan), hardware devices or PINs with cryptographic key pairs assigned and integrated into the access devices themselves.

A layer on top of these methods is Identity Threat Detection and Response (ITDR). This technology gathers signals across the ecosystem to deal automatically with a credential breach (or the risk of one) as it happens and to limit lateral movement. ITDR uses analytics and AI to monitor access points and authentication events, identify anomalies that may represent attacks, and force re-authentication or terminate sessions before further damage can be done. These systems have sophisticated reporting and analytics to identify areas of risk across the environment.

Regulatory Compliance: Identity Governance and Administration (IGA)

Regulatory non-compliance is another risk of failed IAM. Since regulations such as GDPR (General Data Protection Regulation), SOX (Sarbanes-Oxley), and HIPAA (Health Insurance Portability and Accountability Act) all set standards for data privacy, it is imperative that organizations identify, approve, and monitor access to critical data and systems.

The authoritative source of identity information for most organizations should be their HR system(s). A properly configured IGA solution utilizes this authoritative source as the starting point for determining access to an organization’s critical systems based upon the person’s role.

Beyond providing access, a viable IGA solution should also allow you to catalog and attest to user entitlements associated with mission-critical systems and systems with regulated data, creating an audit trail. Periodic reviews of access (e.g., quarterly, annually), together with Separation of Duty (SoD) policies and event-driven micro-reviews, should be part of an IGA solution to ensure that compliance requirements are continually met.

Another avenue that is often exploited is over-privileged user accounts, where a user has access to data or systems that they don’t need, creating unneeded risks. User accounts can gain too much privilege in many ways, such as the retention of past privileges as individuals’ roles within the organization change. By managing lifecycle events with an IGA solution, organizations can minimize the risks of overprivileged accounts being compromised.

IGA solutions can enforce a policy of “least privileged access” where users are only assigned the necessary privileges to perform the duties required of them. This approach combined with SoD policy enforcement can help to greatly reduce your data security risk profile.

Similarly, Role Based Access Control (RBAC) can be a valuable methodology for managing the evolving access requirements of an organization. RBAC assigns access based on the role an employee plays within the organization instead of mirroring another account’s privileges, thereby limiting the scope of what they can access to what is necessary. RBAC can greatly reduce the time needed to roll out large changes to systems and data, allowing your organization to adapt quickly to the market and to new requirements.

In addition to improving security, an IGA solution should also make life easier for users and administrators. An integrated IGA solution can take time- and labor-intensive manual provisioning operations and move them to automated request and fulfillment processes. The IGA solution not only performs the actions faster than manual provisioning activities, but it also ensures that the right resource is granted to the right person with the right approvals at the right time.
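The IGA controls described in this subsection (HR as the authoritative source, role-derived entitlements, SoD enforcement, and mover/leaver revocation), worked through as an added example; this is not code from the report or from Converge Technology Solutions, and the roles, entitlements, SoD rule and HR records are constructed sample data.

```python
"""Toy identity governance (IGA) engine, added as an illustration.

HR records are the authoritative identity source, entitlements derive from the
role, SoD rules are enforced on exception requests, and mover/leaver events drop
privileges instead of retaining them. All data below is constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


# Constructed role model: which entitlements each job role grants.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "ap_clerk":    {"erp:invoice.create", "erp:vendor.read"},
    "ap_approver": {"erp:invoice.approve", "erp:vendor.read"},
    "hr_analyst":  {"hris:employee.read"},
    "terminated":  set(),  # leavers keep nothing
}

# Constructed SoD rules: entitlement pairs one person must never hold together.
SOD_RULES: List[Tuple[str, str]] = [
    ("erp:invoice.create", "erp:invoice.approve"),
]


@dataclass
class Account:
    user: str
    role: str
    exceptions: Dict[str, str] = field(default_factory=dict)  # entitlement -> approver
    audit: List[str] = field(default_factory=list)

    def effective(self) -> Set[str]:
        """Role-derived entitlements plus individually approved exceptions."""
        return set(ROLE_ENTITLEMENTS[self.role]) | set(self.exceptions)


def sod_conflicts(entitlements: Set[str]) -> List[Tuple[str, str]]:
    """Return every SoD rule that the given entitlement set violates."""
    return [(a, b) for a, b in SOD_RULES if a in entitlements and b in entitlements]


class IGA:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def sync_from_hr(self, record: Dict[str, str]) -> Account:
        """Joiner/mover/leaver processing driven by one HR record."""
        uid, role = record["id"], record["role"]
        if record["status"] == "terminated":
            role = "terminated"
        acct = self.accounts.get(uid)
        if acct is None:
            acct = Account(uid, role)
            self.accounts[uid] = acct
            acct.audit.append(f"joiner: provisioned role {role}")
        elif acct.role != role:
            # Mover: old role access goes away and exceptions must be re-requested,
            # which is what prevents privilege accumulating across role changes.
            acct.audit.append(f"mover: {acct.role} -> {role}; exceptions revoked")
            acct.role = role
            acct.exceptions.clear()
        return acct

    def request_exception(self, uid: str, entitlement: str, approver: str) -> bool:
        """Grant an out-of-role entitlement only if SoD stays clean; audit either way."""
        acct = self.accounts[uid]
        if sod_conflicts(acct.effective() | {entitlement}):
            acct.audit.append(f"denied {entitlement}: SoD conflict")
            return False
        acct.exceptions[entitlement] = approver
        acct.audit.append(f"granted {entitlement}, approved by {approver}")
        return True

    def attestation_report(self) -> Dict[str, Dict[str, str]]:
        """Periodic access review input: every exception, with who approved it."""
        return {uid: dict(acct.exceptions) for uid, acct in self.accounts.items()}


def demo() -> Dict[str, object]:
    """Walk one identity through joiner, exception request, mover and leaver."""
    iga = IGA()
    iga.sync_from_hr({"id": "u100", "role": "ap_clerk", "status": "active"})
    denied = iga.request_exception("u100", "erp:invoice.approve", "mgr1")   # SoD blocks it
    granted = iga.request_exception("u100", "hris:employee.read", "mgr1")  # allowed exception
    with_exception = iga.accounts["u100"].effective()
    iga.sync_from_hr({"id": "u100", "role": "ap_approver", "status": "active"})      # mover
    after_move = iga.accounts["u100"].effective()
    iga.sync_from_hr({"id": "u100", "role": "ap_approver", "status": "terminated"})  # leaver
    after_leave = iga.accounts["u100"].effective()
    return {
        "denied": denied, "granted": granted, "with_exception": with_exception,
        "after_move": after_move, "after_leave": after_leave,
        "conflicts": sod_conflicts(after_move),
    }
```

Calling `demo()` shows the clerk's exception being revoked on the move to approver, so no one ends up holding both sides of the invoice SoD rule.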

Privileged Access Management (PAM): The Rise of Enterprise Password Vaults

PAM systems control access and passwords for highly sensitive data and systems: root accounts, administrator access, command-line access on vital servers, machine user IDs and other accounts where a breach could put the entire IT footprint in jeopardy. The key component of a PAM system is an enterprise password vault that monitors access activity on highly sensitive accounts.

The password vault does more than just safely store passwords. It updates them, rotates them, disposes of them, tracks their usage and more. Users “borrow” privileged accounts temporarily for time-bound sessions, creating an abstraction between the person’s typical user account and the privileged account and minimizing the potential for privileged account credential compromise. Once a vault is established, the next level is to rotate the passwords automatically after they are borrowed, so that the password is known only to the current user and only for a limited time.

For highly regulated systems with extremely sensitive data, such as those found in healthcare and finance, security can go one step further and automatically proxy the privileged session so that even the admin never learns the username and password being used. These sessions can also be recorded as forensic evidence of the work performed under privilege, providing auditability.

Privileged Identity Management (PIM) is another approach, based on the concept of zero standing privileges, that can work in conjunction with traditional PAM. It provides “just-in-time” temporary enrollment into privileged access and removes it after use. In PIM, each session is provisioned, subject to approval, based on the requester’s justification for needing access. Sessions are time-bound and an audit history is recorded. This makes the most sensitive systems extremely difficult to hack.
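The borrow, rotate-after-use, time-bound and just-in-time controls described in this PAM/PIM section, as an added example that is not code from the report or from any vendor; the privileged account, approver names and timestamps are constructed, and local random generation stands in for the rotation a real vault would perform on the target system.

```python
"""Toy privileged-access vault with just-in-time check-out (added illustration).

Approved, justified, time-bound borrowing of a privileged account; the secret is
rotated when a session ends or lapses; every decision is audited. Time is an
integer supplied by the caller so runs are deterministic; all names are sample data."""
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

_ALPHABET = string.ascii_letters + string.digits


def generate_secret(length: int = 32) -> str:
    """Stand-in for rotating the password on the target system via its own API."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


@dataclass
class PrivilegedAccount:
    name: str
    secret: str
    borrower: Optional[str] = None    # user holding the current session
    expires_at: Optional[int] = None  # session end, seconds since epoch


class Vault:
    def __init__(self, approvers: List[str]) -> None:
        self.accounts: Dict[str, PrivilegedAccount] = {}
        self.approvers = set(approvers)
        self.audit: List[Tuple[int, str, str, str]] = []  # (time, user, account, event)

    def _log(self, now: int, user: str, account: str, event: str) -> None:
        self.audit.append((now, user, account, event))

    def _rotate(self, acct: PrivilegedAccount, now: int, reason: str) -> None:
        """End the session and replace the secret so the issued value is worthless."""
        holder = acct.borrower or "-"
        acct.secret = generate_secret()
        acct.borrower = None
        acct.expires_at = None
        self._log(now, holder, acct.name, f"rotated: {reason}")

    def checkout(self, user: str, account: str, justification: str,
                 approver: str, ttl: int, now: int) -> Optional[str]:
        """Issue the secret for a time-bound session, or None if the request is refused."""
        acct = self.accounts[account]
        if approver not in self.approvers or approver == user:
            self._log(now, user, account, "denied: approval missing or self-approved")
            return None
        if not justification.strip():
            self._log(now, user, account, "denied: no justification")
            return None
        if acct.borrower is not None:
            if now < acct.expires_at:
                self._log(now, user, account, f"denied: held by {acct.borrower}")
                return None
            self._rotate(acct, now, "previous session expired")  # lapsed holder loses it
        acct.borrower, acct.expires_at = user, now + ttl
        self._log(now, user, account, f"checked out until {acct.expires_at}: {justification}")
        return acct.secret

    def checkin(self, user: str, account: str, now: int) -> bool:
        acct = self.accounts[account]
        if acct.borrower != user:
            self._log(now, user, account, "denied: not the current borrower")
            return False
        self._rotate(acct, now, f"checked in by {user}")
        return True

    def sweep(self, now: int) -> int:
        """Enforce time bounds: rotate every account whose session has lapsed."""
        lapsed = [a for a in self.accounts.values()
                  if a.borrower is not None and now >= a.expires_at]
        for acct in lapsed:
            self._rotate(acct, now, "session expired")
        return len(lapsed)

    def standing_sessions(self) -> List[str]:
        """Zero-standing-privilege check: accounts currently checked out."""
        return [a.name for a in self.accounts.values() if a.borrower is not None]


def demo() -> Dict[str, object]:
    """Two admins share one privileged account; only approved, non-overlapping,
    time-bound sessions are issued, and the secret changes after each one."""
    v = Vault(approvers=["sec_lead"])
    v.accounts["root@db01"] = PrivilegedAccount("root@db01", generate_secret())  # sample
    t0 = 1_700_000_000
    first = v.checkout("alice", "root@db01", "apply quarterly patches", "sec_lead", 3600, t0)
    self_ok = v.checkout("bob", "root@db01", "hotfix", "bob", 3600, t0)            # self-approved
    overlap = v.checkout("bob", "root@db01", "hotfix", "sec_lead", 3600, t0 + 60)  # alice holds it
    v.checkin("alice", "root@db01", t0 + 600)                                      # rotates
    second = v.checkout("bob", "root@db01", "hotfix", "sec_lead", 900, t0 + 700)
    swept = v.sweep(t0 + 1600)                                                     # bob's TTL lapsed
    return {"first": first, "self_approved": self_ok, "overlap": overlap, "second": second,
            "swept": swept, "standing": v.standing_sessions(),
            "final_secret": v.accounts["root@db01"].secret, "audit_events": len(v.audit)}
```

Inspect `Vault.audit` after `demo()` to see the trail an attestation or forensic review would rely on: every denial, issue and rotation carries the time, the user and the reason.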

Adoption and Use are Key to IAM

IAM best practices and new technologies don’t work if they are not fully implemented. To understand the current prevalence, adoption and impact of IAM practices, Converge Technology Solutions sponsored Ponemon Institute to study organizations’ approach to IAM and how they are working to mitigate security threats targeting their user credentials, sensitive information and confidential data.

Ponemon Institute surveyed 571 IT and IT security practitioners in the US who are involved in their organizations’ IAM program. The top three areas of respondents’ involvement are evaluating IAM effectiveness (51 percent of respondents), mitigating IAM security risk (46 percent of respondents) and selecting IAM vendors and contractors (46 percent of respondents).

The key takeaway from this research is how vulnerable organizations’ identities are to attacks. While organizations seem to know they need to improve the security posture of their IAM practices, they are not moving at the necessary speed to thwart the attackers. According to the research, organizations are slow to adopt processes and technologies that could strengthen the security posture of IAM programs.

Only 20 percent of respondents say their organizations have fully adopted zero trust. Only 24 percent of respondents say their organizations have fully implemented passwordless authentication, which uses more secure alternatives such as possession factors, one-time passwords, registered smartphones or biometrics.

Following are research findings that reveal the state of IAM insecurity.

Less than half of organizations represented in this research are prepared to protect identities and prevent unauthorized access. Only 45 percent of respondents say their organizations are prepared to protect identities when attackers have AI capabilities. Less than half (49 percent) use risk-based authentication to prevent unauthorized access and only 37 percent of respondents say their organizations use AI security technology to continuously monitor authenticated user sessions to prevent unauthorized access.

Organizations lack the ability to respond quickly to next-generation attacks. Forty-six percent of respondents say that if a threat actor used a stolen credential to log in to their organization, it could take 1 day to 1 week (18 percent) or more than 1 week (28 percent) to detect the incident. Eight percent of respondents say they would not be able to detect the incident.

IAM security is not a priority. As evidence, only 45 percent of respondents say their organizations have an established or formal IAM program, steering committee and/or internally defined strategy and only 46 percent of respondents say IAM programs compared to other security initiatives are a high or very high priority.

IAM platforms are not viewed by many organizations as effective. Only 46 percent of respondents say their IAM platform(s) are very or highly effective for user access provisioning, lifecycle and termination. Only 44 percent of respondents rate their IAM platform(s) for authentication and authorization as very or highly effective. Similarly, only 45 percent of organizations that have a dedicated PAM platform say it is very or highly effective.

More organizations need to implement MFA as part of their IAM strategy. Thirty percent of respondents say their organizations have not implemented MFA. Only 25 percent of respondents say their organizations have applied MFA to both customer and workforce accounts.

Few organizations have fully integrated IAM with other technologies such as SIEM. Only 30 percent of respondents say IAM is fully integrated with other technologies and another 30 percent of respondents say IAM is not integrated with other technologies. Only 20 percent of respondents say practices to prevent unauthorized usage are integrated with the IAM identity governance platform.

As evidence that IAM security is not a priority for many organizations, many practices to prevent unauthorized usage are ad hoc and not integrated with the IAM platform. To perform periodic access review/attestation/certification of user accounts and entitlements, 31 percent of respondents say they use custom-built in-house workflows, 23 percent say the process is manual using spreadsheets, and 20 percent say it is executed through the IAM identity governance platform. Twenty-six percent of respondents say no access review/attestation/certification is performed.

Organizations favor investing in improving the end-user experience. Improved user experience (48 percent of respondents) is the number one driver for IAM investment. Forty percent of respondents say constant changes to the organization due to corporate reorganizations, downsizing and financial distress are a reason to invest.

To read the rest of the findings in this report, visit the Converge Technology Solutions website. 

Suicide after a scam; one family’s story

Bob Sullivan

I’ve been saying for a while that the two halves of my journalism career — consumer protection and cybersecurity — are merging together. I will tell anyone who listens that poor customer service is our greatest cybersecurity vulnerability. Consumers often trust criminals more than the institutions designed to protect them. And when you listen to some customer service interactions, that’s not as surprising as it sounds.

So this month, I’m sharing a story we covered on The Perfect Scam podcast, which I host for AARP. It makes clear that the consequences of unpatched vulnerabilities, including inadequate customer service, can be deadly. On the other hand, I want those of you who work to protect people to hear this story as a reminder that what you do is incredibly important and valuable and ... sometimes a matter of life or death. Keep that in mind on the hard days.

This month, we interviewed an adult daughter and son whose father took his own life after becoming embroiled in a crypto/romance scam.

“When he had to accept that this is a world where this happened, he was no longer able to be in this world,” his daughter told me.

As I interviewed Dennis’ children, I really connected with him. He was a single dad; he encouraged his son to join multiple rock bands (even when they were terrible, I was told). Dennis even spent years photographing his son making music.  And today, he’s a successful musician. Dennis spent summers at the lake in Minnesota with his daughter and her kids.

He was a great guy who wanted one more bit of love, affection, excitement, and purpose in his life. He thought he’d found that with Jessica, and with crypto. He wasn’t looking to get rich. He was looking to leave something for his family.

Instead, every dollar he had saved to that point in his life was stolen. And when the very last dollar was gone, the criminals talked him through opening up an LLC so he could borrow more money, which they stole.  Even after the kids lovingly stepped in, and dad was persuaded he’d been defrauded, he still believed in Jessica. He figured she was a victim, too.  And whoever Jessica was, Dennis was probably right. As we’ve chronicled before, many scam callers are victims of human trafficking, forced to steal money online against their will.

And when Dennis just couldn’t wrap his head around everything that had happened, he ended his life.

“I heard a story of someone in a book, and the way it was talked about in that story was knowing that he took his own life, but also feeling like he was killed by a crime,” his daughter told me.

(This story and accompanying podcast include extensive discussion of suicide. If you or someone you love is in crisis, call 9-8-8, a free hotline staffed by professionals who can provide immediate help.)

Readers of my newsletter know this is not the first time I’ve talked about the scam/suicide connection. Last year we told the story of Kathy Book, who survived a suicide attempt and bravely talked with me about her experience. The stakes for scams have risen so much in the past couple of years, even since I started working on The Perfect Scam. I’m hardly the only one who thinks so. 

Also, please don’t be fooled into thinking this malady impacts only the elderly. Everyone can be a victim under the right circumstances. The pain, fear and shame of being a victim have driven many to contemplate self-harm, often with tragic results. Teenagers.  Women.  Anyone. 

Look, nobody wants to have this conversation.  I will be eternally grateful to Laura and Matt for speaking to me about their father — all because they want to help others. I can’t imagine how difficult that was for them, and what a gift it is to the rest of us. I can assure you I don’t want to talk with any more family members about their loved ones’ pain, suffering, and suicide.  And I know I sound like a broken record when I talk about scams being more sophisticated, more prevalent, and more dangerous.  But please, talk with one person you love about the dangers posed by crypto, and online dating, and online job hunting, and even online games. Tell them the Internet is full of liars who know how to say something to stir their our and make us click on something we’d “never” click on, or do something we’d “never” do.  It’s ok to repeat yourself.

But most of all, be a person that can be talked to under any circumstances. Cultivate a non-judgemental, open spirit so they know you can be trusted. Tell them that no matter how bad things might suddenly seem — an IRS audit, an arrest warrant, accusations of child pornography — they can always talk with you, there’s always another way.

If you’d like, listen to this week’s episode, Suicide After a Scam: One Family’s Story. Especially if you still have that nagging feeling like, “This could never happen to me or anyone I know.”