New research published today by the Identity Defined Security Alliance (IDSA) has revealed that 79% of organizations have experienced an identity-related security breach in the last two years.
The worrisome finding emerged from a study titled “Identity Security: A Work in Progress,” which is based on an online survey of 502 IT security and identity decision makers conducted in April. The study was carried out to identify trends in identity-related security and to deduce how forward-thinking companies are trying to reduce the risk of a breach.
Researchers found that identity-related breaches are as common as mud, with 94% of organizations experiencing this particular calamity at some point and 79% saying that a breach had occurred within the past two years.
Of those surveyed, 99% believe that the breach they experienced was preventable, but fewer than half have fully implemented key identity-related security outcomes.
Asked for their views on how identity-related breaches typically occur, 66% of respondents identified phishing as the most common cause. The results suggested that cybersecurity training could reduce the risk of a breach.
"Phishing presents a significant challenge for security leaders—of companies breached, 71% surveyed said the attack could have been prevented through better security awareness training," wrote researchers.
The study revealed a link between an organization's attitude to cybersecurity and how recently it had experienced a breach. Only 34% of companies with a "forward-thinking" security culture have had an identity-related breach in the past year, compared with 59% of companies that foster a "reactive" security culture.
Another key difference between reactive and proactive companies was the impact of a breach. Forward-thinking companies experienced similar phishing-related breaches, but fewer stolen credentials (34% vs 42%), compromised privileged credentials (27% vs 32%), inadequately managed privileges (35% vs 40%), and socially engineered passwords (32% vs 41%).
Researchers concluded that organizations could do more to prevent future breaches. They said: "There is no doubt that with explosive growth in identities in the last five years and what is still to come, organizations are shifting strategies to protect their most vulnerable attack vector with some success. But there is more work to be done."