The State of Identity Security for 2023: Identity-Based Threats, Breaches, & Security Best Practices

There is one important truth that organizations need to face right now: the number and nature of identities is changing, and these changes are posing a direct risk to enterprise IT security.

According the recently published 2023 Trends in Securing Digital Identities report from the Identity Defined Security Alliance (IDSA), 90% of organizations experienced at least one identity-related breach in the past year. This represents a 7.1% increase YoY (84% of organizations reported an identity-related breach in 2022). Moreover, 68% of the organizations that incurred an Identity-based breach over the past year suffered a direct business impact as a result, the most significant of which being the cost associated with recovering from the breach. Other impacts ranged from distracting from core business to the tarnishing of the business’s reputation.

It is not a coincidence that the rise in number and complexity of identities has coincided with a rise in identity-related breaches. Identities are increasing both in type and number, and this changes the dynamic of identity management.

The new IDSA report also revealed some intriguing stats related to how organizations are (and should be) responding identity-based threats and the changing landscape. This blog will break down the key findings from this year’s report to help you determine:

• The source of highest identity-based risk for organizations
• Core impacts of an identity-related breach
• Details on the identity security implementation trends across organizations
• Proven key strategies to help with identity-related threat prevention.
• How cybersecurity best practices can help in obtaining cyber insurance coverage
• Assessing how the growing adoption of AI/ML can bolster threat detection efforts.

This blog is meant to be a comprehensive guide to the state of identity security in 2023.

Identity-based Attacks: This Year’s Findings

This year’s IDSA report findings painted a jarring picture of the growing complexity of identity management and its impact on organizations. Here’s a more detailed breakdown of the key factors contributing to this trend, as outlined in the 2023 Trends in Securing Digital Identities report.

What is contributing to the growing complexity of identity management in 2023?

1. More identities

According to the report, 98% of identity and security professionals say the number of machine and human identities in their organizations is increasing, citing such top factors as the growing adoption of cloud applications (52%); the rise of remote working (50%); increased mobile device usage (44%) and an increase in third-party relationships (41%).

What these figures reveal is that there is a direct relationship between the number of technologies required for businesses to operate and the number of identities (accounts) any single user in an organization may have. Each user needs access to multiple accounts, devices, etc., and each of those access points creates a new identity attack vector.

2. Adoption of more cloud applications

Most organizations today have either multiple IaaS, SaaS, or PaaS cloud services or operate a hybrid cloud and on-prem model.

These cloud environments create a proliferation of permissions, entitlements, and privileged identities—many of which are ephemeral, yet still need to be managed and secured. Ultimately, this makes for a complex security framework that tends to have gaps in both security and visibility.

3. An increasingly perimeterless IT world

The normalization of the work-from-anywhere (WFA) environment has increased the number of employees who are remotely accessing network resources, and the number of unsecured remote locations from where they may be accessing those network resources.

This is visible in the IDSA report, as 50% of the organizations surveyed cited remote work as one of the top leading factors driving the increase of number of identities.

Organizations are experiencing a similar increase in the number of contractors, third-party resources, vendors, partners, etc. who need to access certain network resources.

In other words, this year’s increase in identity-related breaches points to a proliferating attack surface that continues to offer threat actors an exponentially growing number of opportunities for exploitation.

Top Identity-Based Breaches of 2023

Now that we’ve peeked at what’s driving up the numbers on identity-related breaches, let’s take a closer look at the specific types of breaches most often reported by organizations in 2023, along with the best ways to defend your organization against them.

Below is the IDSA’s breakdown of the different types of identity-related incidents organizations reported having last year.

1. Phishing

As the figure above illustrates, the percentage of breaches caused by phishing in 2023 was (62%), cited as the top cause of identity-related breaches for organizations. This isn’t a coincidence.

According to the APWG’s Phishing Activity Trends Report, phishing reached an all-time high in 2022 with 4.7 million total phishing attacks logged over the course of the year, and with a record-breaking 1,350,037 phishing attacks in by Q4 2022. This follows the 600% increase in phishing attacks since 2019 (150% YoY)

What are Phishing attacks and their risks?

Phishing attacks are a prime entry point for threat actors. These attacks succeed in the initial compromise of an environment, usually with a malicious link or attachment, and then commonly perform information gathering, which can be used later to exploit a weakness that presents itself.

What are the top ways to mitigate the risk of phishing attacks?

• Enforce frequent installation of updates company-wide to ensure the latest security patches are in place
• Implement least privilege access and removal of admin rights
• Deploy SPAM filters and firewalls to intercept malicious emails before they reach a user’s inbox
• Provide regular training to all employees so they can better identify and report phishing attempts.

2. Inadequate Management of Privileges / Privileged Identities

Employee behavior is often the cause of identity-related incidents. 37% of the organizations surveyed by the IDSA reported that inadequately managed privileges resulted in a breach, making poorly managed privileged identities the second-leading cause of breaches in 2023.

The combined increase in identities, the growth of cloud environments, and erosion of the network perimeter have all contributed to the explosion of unmanaged privileged identities, access, and sessions, and wherever unmanaged privileges reside exists a high risk of exploitation.

Let’s look at which identity-related incidents fell under the umbrella of inadequate management of privilege in 2023:

• Employees using the same passwords for work and personal accounts (37%)
• Users sharing credentials with colleagues (31%)
• Employees using non-authorized devices (31%)
• Social engineering techniques (30%)
• Compromised privileged identity (28%)
• Stolen credentials (28%)

What are the top risks associated with unmanaged privileges?

The consequences of a privileged identity breach to an organization are also quite high. Breaching an organization’s network via a privileged account gives an attacker fast-tracked access to sensitive data a standard user would not have access to. It also becomes easier for an attacker to execute lateral movement, escalate privileges, and even hijack other accounts.

Top ways to mitigate the risk of privilege attacks

The best ways to mitigate the risk of a cyberattacker breaching your organization through a privileged account are to:

• Remove admin privileges
• And enforce least privilege and just-in-time access (both of these are considered critical to a zero trust security posture)
• Closely monitor privileged sessions and other privileged analytics

Removing admin rights and applying least privilege provides proactive protection—even against many zero-day vulnerabilities and exploits. Based on 2015-2020 findings listed in the BeyondTrust 2022 Microsoft Vulnerabilities Report, and corroborated again in the 2023 Microsoft Vulnerabilities Report, Elevation of Privilege vulnerabilities have skyrocketed 689% since 2017.

Poor password hygiene

The IDSA report identified passwords as another critical point when it comes to identity security. Brute force attacks, including credential stuffing and password spraying attacks came in second from the top (31%) on the list of identity-related breaches experienced by organizations this year. Another 30% of the organizations surveyed reported social engineered passwords as a source of breach they’ve encountered in 2023, and 28% when it came to compromised privileged credentials. These provide the most sensitive and broadest access, so their compromise or misuse causes the biggest impact. This helps corroborate Forrester Research’s estimate that 80% of breaches involve compromised or abused privileged credentials.

What are the top credential-based risks?

Passwords are one of the weakest links when it comes to enterprise cybersecurity. Compound this with poor password management policies, the surge of technology devices and applications being used by each employee, and the fact that threat actors are becoming increasingly more sophisticated, and you have a perfect storm railing against your cybersecurity infrastructure. A breach of credentials can have serious implications for an organization, including:

• Enabling lateral movement of threats within the network
• The compromise of multiple systems, accounts, and users
• The launch of ransomware and other malware attacks
• Threat actors gaining access to funds, sensitive data, intellectual property, customer information
• Data breaches

As an example of how much damage can be inflicted upon an organization through one compromised set of credentials, just look at the 2021 attack on Colonial Pipeline. On May 7, 2021, hackers infiltrated Colonial Pipeline’s network through a compromised set of credentials and then launched a brutal ransomware attack forcing the company to shut down its systems. This ultimately led to the shutdown of access to 45% of the fuel supplied to the U.S. East Coast region, creating fuel outages, fuel shortages across the U.S., and consumer panic.

What are the top mistakes organizations make when it comes to passwords?

• Common and reused passwords
• Embedded credentials
• Default credentials
• Shared credentials
• Reused security questions
• Lack of automated password managers

Top ways to reduce the risk of password-based attacks

Since it may not be possible to go fully passwordless yet, here are the best practices for mitigating the risk of password attacks:

• Use password managers and vaults
• Discover and onboard all passwords
• Create long, random, unique passphrases (NIST recommends up to 64 characters, including spaces)
• Enforce the prevention of password reuse or credential sharing
• Implement multi-factor authentication (MFA)
• Implement password rotation (only for privileged credentials or standard user credentials that are compromised or at risk)

3. Third-Party or Supply Chain Attack

Breaches originating from suppliers, often referred to as supply chain attacks, are becoming more widespread and have been occurring more frequently over the past five years. 2023 is set to be a record-breaking year with software supply chain attacks already increasing by 742% between 2019 and 2022.

What are the top risks associated with a supply chain attack?

Supply chain attacks are cyberattacks that target a third-party vendor or contractor who offers services or software that are vital to the supply chain in order to infiltrate an organization. These third parties may present a weak link due to an inadequately hardened system, an overprivileged user, an unmonitored machine identity, an unsecured port, or a VPN vulnerability.

Once inside, the threat actor will compromise a trusted piece of software (by injecting malicious code into an application) or hardware (by compromising a physical component) to infiltrate many more victims. For instance, with the Solar Winds and Kaseya breaches, attackers infiltrated a piece of software that was being used by thousands of customers.

Software supply chains tend to be more vulnerable because software is seldom written from scratch and often involves third-party APIs, open source code, proprietary code from software vendors, and numerous dependencies, meaning the number of points of entry are increased and the number of victims can be exponentially high.

Top ways to mitigate the risk of supply chain attacks

• Deploy security solutions that offer behavior-based threat detection
• Leverage threat analysis and threat intelligence to stay ahead of threats
• Remove admin privileges and enforce Just-in-time access to minimize points of entry

4. Insider Attacks

Insider attacks were reported as the fourth-leading cause of identity-related incidents by organizations in 2023 (22%)

These attacks pose significant risks to businesses because they involve individuals with authorized access to sensitive systems, data, or networks who misuse that access for malicious purposes.

To make matters worse, factors like the growing adopt of remote work, IoT devices, and the cloud environments has made detecting insider threats even more difficult. The 2023 Insider Threat Report found that more than half of organizations experienced an insider attack in the past year, with 74% saying that insider attacks have become more frequent.

What are the top risks associated with insider attacks?

• Data Theft and Unauthorized Disclosure: Insiders can steal sensitive information, leading to financial loss, reputational damage, and legal consequences.
• Sabotage and Disruption: Insiders can intentionally disrupt critical systems, causing significant downtime, operational disruption, and financial losses.
• Fraud and Financial Loss: Insider attacks can involve financial fraud, leading to direct financial loss and potential regulatory non-compliance.
• Unauthorized Access and Privilege Abuse: Insiders can abuse their access rights to gain unauthorized access, compromising the network or infrastructure.
• Malware Introduction: Insiders may introduce malware, such as viruses or ransomware, compromising data security and system integrity.
• Social Engineering and Phishing: Insiders can exploit their knowledge to conduct targeted social engineering or phishing attacks, compromising security through manipulation and trickery.
• Weak or Misconfigured Access Controls: Insiders can exploit weak access controls or misconfigurations, gaining unauthorized access or performing unauthorized actions.
• Insider Collusion: Insiders may collaborate with external threat actors, further complicating detection and attribution of attacks.

Top ways to mitigate insider attacks

• Implement strong access controls and least privilege principles to restrict user access based on job responsibilities.
• Educate employees about cybersecurity best practices and how to identify and report suspicious activities.
• Implement robust monitoring systems to detect and alert on unusual or suspicious behavior by insiders.
• Separate critical tasks among different employees to prevent a single individual from having complete control and authority.
• Develop and regularly test an incident response plan to ensure a swift and effective response in the event of an insider attack.

By focusing on these key measures, organizations can significantly enhance their ability to mitigate insider threats and bolster their cybersecurity defenses.

5. Man in the Middle Attack

This year, 18% of the organizations surveyed by the IDSA reported experiencing a Man in the Middle (MitM) attack. This is a type of cyberattack where a perpetrator positions themselves between communicating parties, or secretly intercepts and relays messages between two parties who think they are communicating with each other.

Once intercepted, the attacker can then control or manipulate the conversation or data involved. Commonly, a MitM attacker will introduce malware through a phishing email so they can infiltrate and steal or tamper with information.

What are the top risks associated with a MitM attack?

• The capture and manipulation of personal information in real time
• The compromise of sensitive information as it is being shared between endpoints
• One or multiple communicating parties being tricked into sharing sensitive data
• Threat to the integrity of servers
• Content injection or alteration

Top ways to mitigate the risk of MITM attacks

• Endpoint protection
• Encryption
• User behavioral monitoring and alerting
• Continual authentication and verification of identities (a key tenet of zero trust security principles)
• Routinely rotate system credentials

What were the biggest impacts of identity-based attacks on organizations in 2023?

According to the 90% of organizations in the IDSA survey who recorded an identity-related breach in 2023, the top impacts were:

• Cost of recovery (39%), which can be compounded by the need to purchase additional equipment
• Distraction from core business (33%), due to the time it takes to recover from damages and disruption, implement repairs, and provide employees with any required additional training
• Reputation loss (25%), which can include a loss of confidence from stakeholders
• Loss of revenue (21%)
• Customer attrition (20%)
• Lawsuits or other legal action (17%)

How did organizations respond to identity-based security attacks?

With government mandates like zero trust, encouraging more organizations to put identity first, and with situations like the Russia/Ukraine crisis giving identity security more visibility, this year’s report indicates a clear upward trend in the prioritization of identity security strategies.

How businesses respond to attacks is critical to preventing data loss and minimizing the effect of the incident.

The IDSA survey respondents reported their responses to identity-related incidents. Keep in mind, some companies took multiple steps in their responses, as noted in the breakdown of percentages below:

• Triggered existing incident response plan (58%)
• Notified management (57%)
• Took ad-hoc steps (42%)
• Engaged external resources (36%)
• Declared a data breach (33%)
• Involved law enforcement (24%)

The research found that only one in three businesses’ identity and security teams (33%) declared a data breach, and less than a quarter (24%) involved law enforcement. The most typical responses to an incident included 58% of the teams triggered their existing incident response plan, and 57% notified their management team.

How could organizations have prevented or minimized business impact for identity-based attacks in 2023?

The IDSA survey respondents identified the following three security strategies as being most likely to have prevented their experienced breaches:

• Multifactor authentication (MFA) (42%),
• More timely reviews of access to sensitive data (40%)
• More timely reviews of privileged access (34%)

It is worth noting that most of the preventative measures indicated by the respondents point to a single solution: privilege management. More timely reviews of privileged access (40%), more timely reviews of sensitive data (40%), continuous discovery of all user access rights (34%), revoked access upon detection of high risk event associated with that identity (32%), granting privileged access according to the Principle of Least Privilege (32%), continuously discovering all privileged access rights (30%), and can all be performed through privilege management and the removal of admin privileges. Some of these preventative security strategies (continuous discovery of privileges and the removal of privileges in response to high-risk events) can even be automated with the right Privileged Access Management (PAM) solution.

97% of businesses plan to further invest in security outcomes in the next 12 months. Top of the list is ensuring more timely reviews of privileged access (38%) and access to sensitive data (37%). Businesses are also increasing investment in MFA for all users (29%) and user device characteristics for authentication (28%)

What this report also revealed is that the strategies observed to be effective at preventing identity-based breaches and mitigating identity attack vectors are not in all cases the ones organizations are now trending towards adopting.

Implementation of MFA ranked highest for perceived breach prevention (42%). More timely reviews of privileged access and timely reviews of access to sensitive data took the cake for future investment, in spots for second and third, respectively (28%). Despite being ranked the fourth highest in breach prevention, revoked access upon detection of a high-risk event lands towards the bottom of the investment list, with only 20% of respondents planning investment for the coming year.

Cyber Insurance for identity-related attacks

The recent surge in cyber insurance can generally be attributed to the escalating threat landscape of cyber incidents and the accompanying need for financial safeguards. As organizations confront heightened risks posed by data breaches and other cyberattacks, cyber insurance has emerged as an indispensable tool for mitigating the financial ramifications of such events.

The IDSA report showed that cyber insurance is most common in highly regulated industries, with 57% of businesses in the healthcare, manufacturing, and financial services sectors having already invested. It is also interesting to note that executives are much more likely to report that their company is making these investments, with 60% already investing in cyber insurance for identity-related industries.

Cybersecurity organizations can often benefit from cyber insurance by leveraging it as a risk transfer mechanism. By obtaining cyber insurance coverage, organizations can mitigate the financial impact of potential liabilities arising from cyber incidents related to their own services.

This not only safeguards their financial stability but also enhances their credibility and market position, as they demonstrate a proactive approach to risk management and a commitment to protecting their clients' interests.

BeyondTrust Privileged Access Management can help you qualify for cyber insurance and get the best rates, while drastically reducing your cyber risk. PAM solutions provide must-have capabilities, including least privilege enforcement, privileged account and credential management, and remote access security — all common criteria for cyber insurance approval.

See why our Privileged Access Management technology is preferred by cyber insurers.

Looking to the future: how artificial intelligence and machine learning (AI/ML) capabilities can bolster identity security

The rapid rise of artificial intelligence (AI) in recent years has transformed various industries, revolutionizing the way we interact with technology. From self-driving cars to virtual assistants, AI has permeated our daily lives. The cybersecurity industry is no exception, as it has begun to recognize the potential of AI and machine learning (ML) to address evolving security challenges.

Organizations are leveraging AI-powered solutions to detect and prevent sophisticated cyberattacks, showcasing the transformative power of intelligent technologies in bolstering cybersecurity efforts. By looking toward an AI-centric future, the industry aims to enhance the safeguarding of digital infrastructure amidst the ever-growing complexity of threats.

The market size of artificial intelligence in cybersecurity is estimated to reach 22.4 billion USD in 2023 and is projected to grow to 60.6 billion USD by 2028, exhibiting a compound annual growth rate (CAGR) of 21.9% during the period from 2023 to 2028. This significant growth can be attributed to various factors, including the rising instances of cyber threats, heightened vulnerability of Wi-Fi networks to security risks, increased adoption of the Internet of Things (IoT), and the ever-growing number of connected devices.

This is why it’s no surprise that a whopping 98% of IDSA survey respondents this year reported that AI/ML will be beneficial to their organizations. The top use case perceived as having the most benefit was ‘Identifying outlier behaviors’ (63%), closely followed by Evaluating alert severity in the SOC (56%) and more efficient admin, onboarding, and offboarding (52%)

It’s worth noting that the top use case was ‘identifying outlier behaviors’ at 63%. At BeyondTrust, we also champion the idea of having a centralized, holistic view over all identities, accounts, and privileged access across your entire IT estate.

That’s why we built Identity Security Insights—a product designed to give you that holistic view and much more. Leverage threat intelligence recommendations to improve your identity security posture, reduce the attack surface, and accelerate incident investigation and response.

Wrapping up the the State of Identity Security for 2023

This year’s IDSA report sends a clear message: it’s imperative for organizations to adapt their identity management practices to address the continually changing threat landscape and ever-growing complexity of identities.

Accomplishing this will ensure they have robust security measures in place to protect against identity-related breaches.

To summarize the report’s findings:

Factors contributing to the growing complexity of identity management in 2023:

1. Adoption of more cloud applications (52%)
2. Remote work (50%)
3. Additional mobile devices (44%)

The top identity-based attacks of 2023 were:

1. Phishing (62%)
2. Inadequate Management of Privileges / Privileged Identities (37%)
3. Third-Party or Supply Chain Attack (37%)
4. Insider Attacks (22%)
5. Man in the Middle Attack (18%)

How organizations could have prevented identity-based attacks in 2023:

1. Multifactor authentication (MFA) (42%),
2. More timely reviews of access to sensitive data (40%)
3. More timely reviews of privileged access (34%)

Looking toward the future, in order to address the rapidly growing number of identity-related threats, organizations should prioritize prevention through strong security measures, least privilege access, regular employee training, and monitoring privileged sessions.

To review the report in its entirety, get your free copy of the 2023 Trends in Securing Digital Identities report here. Or contact us to learn how you can implement intelligent identity and access security solutions to help you protect your organization from advancing identity-security threats.