In an era marked by increasing digital connectivity, the threat of data breaches and cyberattacks looms larger than ever. As businesses strive to innovate and transform, safeguarding sensitive information and identities becomes paramount. To delve into the intricacies of this complex landscape, we spoke with David Hope, Senior Vice President for Asia Pacific & Japan at ForgeRock, a leading digital identity management company.
Drawing insights from the ForgeRock 2023 Breach Report, Hope provides valuable perspectives on emerging trends, best practices, and innovative solutions to combat the evolving cyber threat landscape.
Based on the ForgeRock 2023 Breach Report, data breaches and third-party breaches are on the rise. Can you share some insights into how organisations can better protect themselves from these threats, especially when connecting and sharing data with partners and vendors?
Although the 2023 ForgeRock Identity Breach Report found that the number of breaches reported was the lowest it has been in five years, organisations still need to protect themselves against evolving threat tactics given that breaches still contain sensitive identity information that can be used by cyber attackers for long term damage. Organisations can better protect themselves by:
- Secure your organisation’s workforce identities: Implementing single sign-on (SSO) and passwordless MFA to all internal and external systems and services, along with solid identity governance practices, can help secure organisations against unauthorised access.
- Combat AI-powered threats with AI: AI-driven capabilities can help enterprises quickly identify and stop threats at massive scale and reduce the risk of unauthorised access. Smarter protection through AI empowers IT admins to make intelligent decisions more quickly, and with a higher degree of confidence, which leads to lower deployment costs and easier integration.
- Reduce reliance on passwords: Organisations underestimate the risks associated with weak passwords protecting legacy enterprise infrastructure. To combat the evolving threat landscape, enterprises will need to adopt more agile and effective security practices. At a minimum, these include stronger authentication and strong customer authentication (SCA) workflows, increased adoption of biometrics, and most importantly, passwordless authentication solutions.
- Implement a Zero Trust framework: This approach ensures that every user, device, and API connects to every application securely, with layered intelligence and step-up authentication. Zero Trust is mandated in the U.S. federal government, but every industry and region worldwide can benefit from implementing its practices.
- Thoroughly vet your third-party service providers: Before onboarding a third-party service provider, conduct a risk assessment of their data protection policies, security controls, and incident response capabilities. Inform them of your security requirements regarding data protection, access management, and incident reporting, and review these regularly.
The report highlights the rise in stolen identity data, which can lead to ongoing fraud. How can businesses effectively safeguard sensitive information like Social Security Numbers and protected health information in the face of these threats?
As cybersecurity regulations become stricter, data breaches hold potential legal and economic repercussions. Collecting too much data can thus increase business risks for enterprises. Enterprises should adopt a data minimisation policy and look at new security techniques to protect social security numbers (SSNs) and protected health information. The traditional password and username approach is no longer enough to properly protect such valuable information. Implementing multi-factor authentication (MFA), passwordless authentication, and zero-trust architecture ensures users experience a high level of security while mitigating risk and reducing opportunities for malicious actors to capture patient medical records.
One of the significant trends mentioned is the impact of third-party breaches. Could you elaborate on how attackers exploit weak security controls to infiltrate organisations in a vendor’s ecosystem? And what steps can businesses take to strengthen their security measures in such scenarios?
With the accelerated growth of phishing, malware, and ransomware attacks, compromised credentials, and password-based attacks, organisations underestimate the risks associated with weak passwords protecting legacy enterprise infrastructure. Once access to an online account or service is obtained, cyberattackers can use it as a stepping stone to infiltrate an organisation, which impacts that company’s employees, partners and customers.
As such, it’s important to thoroughly vet vendors to ensure they understand your organisation’s security policies and processes, which should include:
- Conduct a risk assessment of their data protection policies, security controls, and incident response capabilities.
- Ensure the vendor understands your security requirements regarding data protection, access management, and incident reporting.
- Review requirements and policies regularly.
The ForgeRock Identity Breach Report points out variations in vulnerability and resilience across sectors. What factors contribute to some sectors successfully reducing breaches while others, like healthcare and education, are experiencing larger and expensive attacks?
Cybersecurity resilience varies between sectors due to a variety of factors. Over the past five years, certain industries have become more cyber-resilient than others. Notably, recent research found that healthcare was the most attractive target for cybercriminals, accounting for 36% of breaches in 2022. Most healthcare organisations rely heavily on electronic health records (EHRs) and store a massive amount of protected health information (PHI) in the cloud, making it a lucrative target for motivated criminals.
On the other hand, there are industries that are getting more cyber resilient over time. For instance, financial services, retail, and government sectors were more at risk five years ago, but have become less of a target for criminal groups. Some of these successes, especially in financial services and retail, can be attributed to increasing mandates that require stronger authentication, embedded payment mechanisms, and other cybersecurity best practices.
With the increasing adoption of digital technology, data privacy concerns are escalating. How does ForgeRock address the challenges posed by cybersecurity threats like phishing scams, as mentioned in the report, particularly in Singapore, where they saw a 50% increase in 2022?
ForgeRock offers organisations in Singapore, and worldwide, the industry’s only end-to-end, AI-driven platform purpose-built for all identities and for any environment — on-prem, multi-cloud, or hybrid. The ForgeRock Identity Platform can scale to power Identity and Access Management (IAM) across the entire enterprise, including workforce, customers, workflows, devices, and things. Combined with advanced AI capabilities, our solutions offer AI-powered threat detection, contextual authentication and authorisation, and passwordless authentication to help prevent fraud and enhance the end-user experience.
Today, our technology is used by more than a thousand organisations worldwide, including Mox Bank, Standard Chartered, Spark, Telekomsel, and DBS Bank, and we understand the APAC region very well. We’ve also made significant investments in the region over the last few years by doubling our headcount and opening two new cloud centres in Indonesia and Hong Kong.
As businesses continue to innovate and transform, could you shed some light on the role of effective identity governance practices like single sign-on (SSO) and passwordless multi-factor authentication (MFA) in ensuring organisations and their customers are safeguarded against potential data breaches?
Identity Governance and Administration (IGA) solutions address security challenges associated with the accelerated growth of the hybrid workforce, employee job changes, compliance and the increasing adoption of cloud-based applications and services. Identity-based attacks are the leading cause of breaches and IGA solutions go a long way in preventing successful attacks.
Practices like SSO and passwordless authentication replace traditional passwords with a more user-friendly, secure possession, ranging from tokens, certificates, and authenticator apps to biometrics. These can be combined for passwordless authentication that offers a higher level of security with an improved user experience, making it even more difficult for cyberattackers to gain access to an organisation’s employees and data.
In light of the report’s findings, how crucial is it for organisations to prioritise protecting their workforce end-user accounts? Are there any best practices that you would recommend for organisations to achieve this effectively?
The importance of protecting workforce end-user accounts — employees, contractors, and partners — cannot be overstated. Compromised end-user accounts are the leading cause of breaches and pave the way for unauthorised access and the potential exposure of sensitive data, including customer data, by threat actors. Implementing single sign-on (SSO), passwordless authentication solutions, and effective identity governance practices is vital to protecting workforces and safeguarding enterprises against data breaches.
The report mentions that attackers are increasingly seeking out vulnerabilities to perpetrate third-party breaches. In your opinion, what role do employees play in either mitigating or contributing to these risks? How can organisations ensure better awareness and training to combat this issue?
One of the most difficult aspects of protecting an enterprise is making sure all team members, encompassing employees and third-party service providers, understand the importance of maintaining security in their roles. Team members need to adopt a ‘security first’ mindset, and be aware of cybersecurity practices such as not opening unknown attachments or not responding to suspicious requests for credentials.
Some practical steps that enterprises can take to protect themselves include:
- Adopting a zero trust policy. No person or device inside or outside of an organisation’s network should be granted access to connect to systems until authenticated and continuously verified.
- Building strong policies and procedures. Practise good cyber hygiene by patching operating systems and applications, backing up data, updating and whitelisting applications, limiting privileges, implementing MFA, understanding what technologies and software assets are in use, and rotating system passwords where needed.
- Continuous education of the workforce. Recognise that humans are often the weakest link in any security strategy, and regularly educate and test employees to ensure they have a strong understanding of cyber risk, and their roles in minimising it.
Considering the evolving threat landscape, what innovations or advancements can we expect from ForgeRock in terms of identity and access management solutions to address the challenges posed by data breaches?
We are investing in our vision for a world where you never log in again. Our aim will always stay the same, now and in the future – and that is to create identity experiences so simple and secure that identity recedes into the background completely, and customers become more secure than ever before – no longer worrying about fraudulent account takeovers or identity breaches.
Moving forward, we’re going to continue investing in our people, R&D, artificial intelligence, machine learning, cloud services and ForgeRock Identity Cloud, and global business development. We look forward to continuing to enhance our platform and provide enterprises with the tools to give their customers and stakeholders a safe and seamless experience.