In a world that is obsessed with profits and shareholder interests, the idea of organizations suddenly shifting to more aggressive security models that will cost more money seems suspicious. It appears that most business leaders would rather gamble with their earnings and spend money to clean up a data breach than prevent one.
There is no doubt that growth in the Zero Trust market is fueled by the increasing frequency of cyber-attacks and regulations for data protection. But let’s face it, Zero Trust (ZT) is a chimera for most organizations. As long as we continue to define successful ZT as “MFA everything” and least privilege access everywhere, it’s never going to happen.
MFA Adoption Is Still Terribly Low
According to a recent Microsoft Cyber Signals report, the adoption of MFA is at 22% among enterprise users, and Basic authentication is still pervasive. That is despite all the marketing and evangelism of “MFA everything.” If one thing is clear, the frequency and sophistication of cyber-attacks outpace organizations’ desire and ability to implement protective security controls.
I get why the adoption of MFA remains low. During our recent webinar Improving Security & Compliance with Credential Verification, Chris Olive explained that adoption remains low because of usability and productivity issues associated with its use. For whatever reasons that orgs choose not to implement MFA, the result is that they leave their organizations exposed, cyber criminals are free to walk right through the front door of their network. We have argued in our whitepaper that even when MFA is deployed, it cannot cover all access points into an organization.
For organizations and business leaders to do more than pay lip service to ZT, they must embrace an approach that can protect users and accounts proactively – before the harm is done – and can work without depending on end-users or IT administrators to be effective.
Simply put, at 22% adoption, it is clear that MFA doesn’t scale. For organizations to scale their investment in ZT, identity threat intelligence must be connected to enterprise IAM systems, user directories, and Identity Providers to enable automation of detection and response capabilities. To help stop preventable data breaches before the harm is done, indicators of compromise must be shared across the enterprise and within ecosystems. Identity threat intelligence and shared signals are the connective ties between security, data, privacy, and operations. They enable frictionless access, help deliver safer online experiences, and close massive vulnerabilities in the infrastructure.
Organizations not only have the authority to protect their users and data, but they also have the responsibility to do so. Based on observations of cyber attacks already underway in Russia and Ukraine, VeriClouds recommends that organizations operate under the assumption that they will become a target of a vicious cyber-attack, either directly or indirectly. Even with MFA deployed everywhere, cyber criminals and nation-state attackers’ behavior will be aggressive as it is innovative, so organizations must do what they can to be just as bold and creative in their security defense posture.
Organizations no longer have –and never had– the luxury of time. Organizations must take immediate action to implement detective controls that help protect users, assets, and critical infrastructure. We cannot wait for a passwordless future to protect us.
Business and security leaders may feel as overwhelmed as Dorothy on her way to see the Wizard in Emerald City in the Land of Oz. It all feels like a bad dream. The stakes are high. ZT may be a chimera, but we must take that first step and get started down the path. Along the way, we may find the courage, strength, and enlightenment we need to survive the uncertain times that lie ahead of us all.
Schedule a call with VeriClouds today!