Small and medium-sized businesses find themselves in the cross hairs of sophisticated hacking groups. Improved identity and access management (IAM) tools are critical to keeping hackers at bay. But what do SMBs want? In this post, Rachael Stockton of LastPass* notes that a recent survey of IT leaders has some valuable clues.
One thing is clear: the cyber threat landscape has dramatically shifted. More than a third of small businesses fell victim to a data breach in 2019, and 43% of all breach victims in 2019 were small businesses. Historically, only the largest enterprises were targets for cyber criminals, as they held the most valuable and sensitive data. But as these statistics suggest, malicious actors are diversifying and moving down market. As the cyber threat landscape has become more advanced, so have the cybersecurity technologies built to protect organizations from attack.
In 2020, almost every enterprise has deployed advanced cybersecurity solutions to mitigate the risks of the increasingly intelligent cyber criminal. Technologies such as machine learning use data science and algorithms to adapt security measures to employees’ behavior, for example by offering authentication proportional to the risk of the transaction and serving higher levels of authentication to higher-risk login attempts. Cybersecurity solutions are already using machine intelligence to make it more difficult for a cyber criminal to gain fraudulent access into the business.
However, many small and medium-sized businesses (SMBs) have been left out of this transformation, lacking the budget and resources to deploy the advanced cybersecurity solutions large enterprises do. And cyber criminals know it. That’s why SMBs are becoming a more and more common target for cyber attacks today.
What do SMBs need and what are their security priorities? To find out, LastPass commissioned the market research firm Vanson Bourne to provide insights into the state of identity for small and medium businesses (SMBs). Together, we surveyed 700 IT and security professionals at organizations ranging from 250-2,999 employees across a range of industries, countries and management levels. The results provide valuable clues as to the identity and access management needs of this critical population of firms.
SMBs see Room for Improvement
Based on that survey of 700 IT professionals at SMBs, 98% of respondents see room for improvement in the general security behavior of their employees. And less than 5% believe they operate in a completely secure manner. Small and medium-sized businesses are aware their business is at a higher risk of exposure, and realize the steps needed to protect their organization include not only external measures, but internal changes as well.
SMBs realize the need to up their game when it comes to identity and access management (IAM), but unfortunately 92% have experienced at least one challenge related to IAM. Our data shows sizable percentages of organizations struggling with three particular challenges related to identity and access management:
- Balancing ease of use with increased security was a hurdle for 47% of businesses we polled.
- The general security of their solutions was a concern for 40% of those we polled.
- Demands from employees for a solution that’s easy to use were a concern for 37% of those we polled.
And then there’s the question of risk. A whopping 82% of respondents said their business has been exposed to a risk as a result of poor IAM practices, such as incorrect access controls, loss of employee data, and loss of customer data. SMBs are prioritizing IAM, it’s true. But they’re doing so largely because they have already experienced the consequences of not doing so.
So, how are SMBs managing their identity and access management (IAM) programs to combat this new reality?
Single Sign-On: Necessary, but not Sufficient
One form of IAM technology that has long been promoted is single sign-on (SSO), which allows employees to log into their work just once and then gain access to all their assigned applications. Single sign-on greatly reduces the number of distinct passwords in use throughout the organization. It goes without saying that reducing the number of passwords in use also greatly reduces the associated risk they pose.
Most SMBs have invested in some form of SSO to date, with 74% of respondents indicating they have an SSO solution in place. However, 80% of respondents noted that using SSO alone still leaves a variety of cloud applications and privileged accounts unsecured.
SSO connects employees to the work required for their role through a protocol, such as the Security Assertion Markup Language (SAML). However, not every application supports SSO protocols, meaning that if SSO is used in isolation, there would be no security solution in place for the non-supported applications. SMBs are aware that SSO delivers security benefits, but also that it needs to be complemented with additional IAM technologies.
Password Risk & Frustration is High
On average, IT security teams at SMBs spend 4 hours per week on password management-related issues alone and receive 96 password-related requests per month. This is a significant amount of time for resource-constrained organizations. So, it’s no surprise that 95% believe that their company should place a stronger emphasis on secure password behavior.
From the data above, it’s clear the password problem is still very real at SMBs. Most data breaches continue to be due to weak, reused and stolen passwords, because every password is an entry point to the business. If password-protected applications are left unsecured, they are low-hanging fruit for cyber criminals, who use their access to exposed applications to gain access to the business more generally.
Authentication is a Top Priority
Authentication helps ensure users are who they say they are. Recent years have seen the use of so-called “multi-factor authentication” expand rapidly. Multi-factor authentication (MFA) combines traditional user names and passwords with a “second” factor, ranging from a simple one-time code sent by SMS text, to mobile applications that generate one-time codes or application-based sign-ons, to second factors that use biometrics like fingerprint and facial scans.
Our survey of SMBs found that 73% indicated that they have MFA technology in place, while 19% expect their organizations to invest in MFA in the coming year. In addition, 59% of IT professionals agree that strengthening user authentication is critical and cite it as among their key priorities for improving their identity capabilities.
In other words, SMBs are clearly aware of the value MFA brings. Just 1% of respondents say MFA would not bring any benefit. Key features like biometrics and adaptive authentication can provide IT teams with more flexibility and greater security, without getting in the way of their employees’ work.
SMBs need Simple Solutions
SMBs are aware that they are a target for cyber criminals and have done their research on IAM tools and trends. But how are they moving forward?
Our data shows SMBs are focused on strengthening user authentication (59%), integrating their security infrastructure (57%), achieving greater visibility through monitoring their end user activity (53%) and simplifying user access (44%).
But rather than investing in piecemeal solutions, 93% of IT professionals at SMBs are looking to invest in a unified solution and agree that bringing the various aspects of IAM under one solution would greatly benefit the overall security of the organization.
Given SMBs’ resource and budget constraints, a unified solution will offer visibility and control across every access point to the business and be better on their budget too. This will give SMBs insight into who is accessing which resources, from which device and from which location, so they can get ahead of the curve and stop cyber criminals before falling victim to a data breach.
(*) Disclosure: This contributed article is sponsored by LastPass, a LogMeIn brand. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.