Shared from the 8/14/2019 Financial Review eEdition

Hackers exploit cyber weakness


Cyber breaches are a huge problem, one that is exploding as organisations accumulate masses of corporate and customer data. Inset: SailPoint CEO Mark McClain.

Just who is the weakest link when it comes to cybersecurity? The unfortunate truth is that it’s you, me and all the other insiders who have been given official access to our organisation’s information.

Hackers know this, and systematically exploit the identities of authorised individuals to get inside our cyber defences.

Mark McClain, chief executive officer of identity governance software provider SailPoint, says the only way to stay ahead of these threats is to know you can confidently answer three important questions.

The questions are: Who has access to what? Who should have access? And how are they using that access?

‘‘To ensure security, organisations need to govern the access their users have to business-critical applications and the data they need to do their jobs securely and efficiently,’’ McClain says.

‘‘By cracking just one user’s account, hackers could get access to everything that user has access to and nobody would be the wiser.

‘‘Why? Because, without proper visibility into that user account, it would look like a legitimate user was roaming the network.’’

Cyber breaches are a huge problem, one that is exploding as organisations accumulate masses of corporate and customer data in pursuit of digital transformation.

In response to growing privacy concerns, governments are responding with hefty fines under regimes such as the European Union’s General Data Protection Regulation (GDPR).

British Airways was fined $A329 million under the GDPR by the United Kingdom Information Commissioner’s Office (ICO) in early July for failing to stop hackers stealing the personal details of about 380,000 people (who booked flights in September 2018).

The ICO then slugged Marriott International $A178 million after records of as many as 500 million guests at its Starwood hotels were compromised by unauthorised access starting in 2014.

Australia is by no means immune to such risks. The Privacy Act 1988 regulates how government agencies and organisations with an annual turnover of more than $3 million, and some other organisations, handle personal information.

In March, federal Attorney-General Christian Porter announced plans to increase the maximum penalty for serious or repeated breaches of the act from $2.1 million to $10 million, or three times the value of any benefit obtained through the misuse of information, or 10 per cent of a company’s annual domestic turnover – whichever is the greater.

The government also plans to increase the powers of the Office of the Australian Information Commissioner (OAIC), the body responsible for policing infringements. In the OAIC’s first full-year report, the office says it was notified of 964 privacy breaches in the 12 months to March 31.

The OAIC says 60 per cent of the breaches were due primarily to malicious or criminal attacks, while 35 per cent were due to human error and 5 per cent to system errors. These figures do not map directly onto failures in cyber security, because they include non-cyber problems such as impersonation and the theft of paperwork.

Even so, the OAIC says, 68 per cent of those malicious or criminal attacks were carried out by common cyber crime methods. The most significant among these were phishing and the use of compromised or stolen credentials – techniques that exploit human traits such as trust and curiosity.

The patterns suggest that even when a breach occurs because criminals come knocking, it’s often human error that opens the door. As the OAIC puts it: ‘‘Employees were centrally involved in most of the data breaches reported to the OAIC in the period.’’ In other words, a loyal staffer can pose almost as much risk as a disgruntled employee going rogue.

In Gartner’s most recent Magic Quadrant for Identity Governance and Administration, released in early 2018, the research giant said identity governance and administration (IGA) is a fundamental building block of an organisation’s identity and access management strategy.

The 2019 Magic Quadrant on this topic is expected in October.

The report lists nine crucial functions for an IGA: identity life cycles, entitlements, workflows, fulfilment, auditing, access requests and certifications, policy and role management, and reporting and analytics.

Gartner rated SailPoint a ‘‘leader’’ in the industry, saying SailPoint clients ‘‘consistently note that the business user experience is a particular strong point of the solution and that the configurability of the product simplifies deployments’’.

The Forrester Wave: Identity Management and Governance Q3 2018 report also named SailPoint a leader in the field.

Forrester said the company and its Open Identity Platform, which includes IdentityIQ, IdentityNow, SecurityIQ and Identity AI, received the highest score across all three evaluation categories: strategy, current offering and market presence.

SailPoint’s McClain says the company is encouraging the industry to embrace AI and machine learning, including through its recently introduced vision for identity, SailPoint Predictive Identity.

‘‘This is a new approach to identity that infuses identity programs with critical intelligence companies need to govern smarter,’’ he says.

‘‘In doing so, organisations can evolve their identity programs to be more predictive, adaptable and autonomous.’’

