Déjà vu! Verizon Reports Compromised Credentials Are (by far) the Leading Cause of Breaches

May 9, 2017

Another year has gone by and the words from the 2016 Verizon Data Breach Investigations Report (DBIR) still ring true: “We’re not mad, just disappointed.” The 2017 Verizon Data Breach Investigations Report (DBIR) paints a déjà vu portrait of data breaches where 81% of hacking-related breaches leveraged either stolen and/or weak passwords.

You have to hand it to cyber criminals, they are no hacks (pun intended). Much like the flow of water, they find the path of least resistance to their target and today that path is clearly straight through your users and their self-managed “simple factor” passwords. Look at the trend of the major causes of data breaches in the past three years:


And many-a-summary statement conclude the same:

  •  “…if you are relying on username/email address and password, you are rolling the dice as far as password re-usage from other breaches or malware…”
  • Financial and banking “data breaches were often associated with banking Trojans stealing and reusing customer passwords”
  • “Using default or easily-guessable passwords simply will not cut it in today’s world.”

The advice remains the same for IT admins, employees, partners and customers — use multi-factor authentication (MFA):

  • "Implement two-factor authentication for administrative access to web applications and any other devices that are data stores. Reduce the effectiveness of stolen credentials being reused to unlock the door to member or customer information. If feasible, extend the use of strong authentication to your user base.”
  •  “Using default or easily-guessable passwords simply will not cut it in today’s world. Implement multi-factor authentication across your enterprise...”
  •  “Reduce the impact of a compromised user device. If a username and password is the only barrier to escalating privilege or compromising the next device, you have not done enough to stop these actors.”

The one fundamental truth is that current security relies too much on passwords. One of the fastest ways to move beyond passwords is to introduce multi-factor authentication everywhere. However, the primary challenge with MFA is user acceptance and adoption. 

But there is good news: a lot of major innovation in MFA has occurred in the past 18 months or so. Biometrics are being built into ubiquitous mobile devices, push authentication to mobile phones was widely introduced and the old stigma of those awful and expensive hardware tokens for generating one time pass codes is fading.

Most important, innovative leaders like Centrify are delivering on smarter, risk-based MFA to enterprises. By understanding the individual behavior profile of each user through sophisticated machine learning techniques, each individual access attempt can be automatically scored as to the level of risk. Lower risk attempts (for example a user on the office network, using a known device, accessing a low risk application during normal work hours) can forgo extra authentication and immediately access resources without unnecessary prompts. Higher risk attempts (for example a user in China, after work hours, on an unfamiliar device accessing an application for the 1st time) would be blocked or at least required to provide additional factors for authentication.

Reducing the friction for users through additional choices for second factors of authentication, as well as reducing the number of prompts and homogenizing the user experience, will go a long way toward not relying on passwords alone.

Centrify has sponsored research by Forrester specifically on the impact that mature identity and access management has on the number and cost of breaches for enterprises. The bottom line? Enterprises that have mature identity and access management experience 50% fewer breaches, $5M cost reduction due to breaches and by adopting a comprehensive identity services platform like Centrify see a 40% reduction in the cost of identity technology. For more information, click here

This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.