BeyondID, a leading AI-powered Managed Identity Solutions Provider (MISP), has published the results of a new report revealing a widespread gap between organizations’ confidence in their identity security programs and their actual security behaviors.
The study found that, counterintuitively, the organizations most confident in their identity security capabilities implement fewer best practices than their less confident counterparts.
Titled “The Confidence Paradox: Delusions of Readiness in Identity Security,” the report finds that while 74% of IT decision-makers rate their identity posture as “Established” or “Advanced,” their actual security practices tell a contradictory story.
Organizations self-identifying as “Advanced” follow only 4.7 of 12 best practices, fewer than their “Established” peers, who follow 5.1.
Only 60% enforce multi-factor authentication (MFA) for all users, a basic security measure.
Just 40% of surveyed organizations conduct regular user access reviews, leaving them exposed to unnecessary or outdated permissions.
Only 27% enforce a least privilege access model, despite it being a fundamental security practice. BeyondID also found that fewer than 3 in 10 organizations dedicate more than 20% of their cybersecurity budget to identity security.
“The confidence many organizations express simply isn’t backed by operational rigor,” said Arun Shrestha, CEO of BeyondID. “What we’re seeing is systemic overconfidence; leaders believe they’re prepared, but fail to enforce the foundational controls that would actually keep them secure.”
Around 72% of surveyed organizations said they experienced at least one attack in the past 24 months, and 46% of those experienced multiple attacks.
Of those breaches, 38% were caused by compromised employee credentials.
In addition, 38% of respondents reported a phishing attack that led to unauthorized access, while an estimated 36% experienced a data breach involving identity credentials.
Rounding out the highlights, 34% of respondents had failed a compliance audit due to identity-related issues, and 14% had failed multiple times.
Notably, although around 85% are “extremely” or “very” confident in their ability to detect breaches within 24 hours, respondents reported that the top consequences of breaches were operational downtime (71%), reputational damage (45%), and financial loss (41%).
BeyondID also offers recommendations to help organizations better prepare for these risks.
These include implementing foundational controls such as MFA, regular access reviews, and least privilege access models.
Organizations are further advised to benchmark against objective standards and to validate their security posture through an independent third party.
Founded in 2017, BeyondID enables organizations to control access to applications, data, networks, and devices while facilitating continuous regulatory compliance and seamless user experiences. The company has delivered what it calls Secure Total Experiences for organizations including Inception Health, Johnson Financial Group, Biogen, Northern Trust, and Cone Health.
“If confidence equaled preparedness, these incidents would be far less common,” said Shrestha. “This misalignment between perception and reality leaves organizations critically exposed. While breaches tied to compromised credentials remain widespread, identity security often remains underfunded and inconsistently managed.”