Cybersecurity is one of the fastest-evolving technological areas, for the simple reason that criminals are always at the forefront, trying to stay ahead of the authorities. In recent years, one of the most widespread threats has been associated with what have been called ‘non-human identities’ (NHI). Simplifying the concept, we could say that applications, sensors, tokens (authentication codes used to verify an identity), development environments and so on require accredited access in order to operate, and that to provide that access it is first necessary to grant them a digital identity.
A recent report from the consulting firm Enterprise Strategy Group (ESG) reveals that, on average, companies have to manage 20 times more non-human identities than human ones, which gives an idea of the complexity; there are probably more, since in too many cases the organization is not aware of the real number of NHI it has. In fact, other studies go so far as to state that for every human identity there are 92 NHI. And it is getting worse, given that more than half of companies (52%) believe that the number of these NHI will increase by more than 20% in the next twelve months.
This same ESG report warns that more than one in five of these non-human identities is not sufficiently protected, meaning that the attack surface and the risks are skyrocketing in companies. Nearly half (46%) of respondents say their organization has experienced a non-human identity breach, and another 26% suspect their NHI accounts or credentials have been compromised. Why is this happening?
In cybersecurity, an object that contains a small amount of sensitive data, such as a password, a token or a key, is called a ‘secret’. Well, it is estimated that about 40% of all an organization’s secrets are inactive, that is, they are not used by any application. However, they are real and valid secrets that can be used by cybercriminals who break into the company’s systems. One of the most common cases is that of still-active tokens belonging to former employees, that is, codes that give access without having to enter a username and password. As icing on that toxic cake, too many times these secrets are duplicated and stored in multiple locations.
Non-human identities are a hotbed for malicious actors because in practically all cases they have been granted access privileges far above what was really necessary, opening the doors wide to unauthorized actions within the system. Another of the most common mistakes in companies is that the same NHI is used by more than one application, which, if it is compromised, amplifies the problems. A fatal domino effect can occur, since a compromised NHI can give access to critical systems and allow other NHI to be exploited, and the snowball gets bigger and bigger.
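The weaknesses listed above (inactive secrets, tokens of former employees, duplicated secrets, over-privileged NHI and one NHI shared by several applications) are exactly what an NHI inventory audit should surface. The following script is an added example, not code from the article or from any vendor mentioned in it; the inventory records, field names and privilege labels are constructed for illustration, and a real secrets-manager export would differ.

```python
from collections import defaultdict
from datetime import date

# Constructed sample inventory (not real data). Field names are assumptions
# made for this example. Secrets are compared by hash so the audit never
# needs the secret values themselves.
INVENTORY = [
    {"id": "svc-billing", "secret_hash": "a1", "last_used": "2025-05-20",
     "owner_active": True, "used_by": ["billing-api"], "privileges": ["read:invoices"]},
    {"id": "tok-legacy-export", "secret_hash": "b2", "last_used": "2024-09-01",
     "owner_active": True, "used_by": [], "privileges": ["read:customers"]},
    {"id": "tok-jsmith-ci", "secret_hash": "c3", "last_used": "2025-05-28",
     "owner_active": False, "used_by": ["ci-runner"], "privileges": ["*"]},
    {"id": "svc-reporting", "secret_hash": "a1", "last_used": "2025-05-30",
     "owner_active": True, "used_by": ["reports", "dashboard"], "privileges": ["read:invoices"]},
]

# Assumed labels that denote broad, admin-style privilege.
ADMIN_MARKERS = {"*", "admin", "owner"}


def audit(inventory, today_iso, max_idle_days=90):
    """Return a dict of finding type -> NHI ids for the hygiene issues in the text."""
    today = date.fromisoformat(today_iso)
    findings = defaultdict(list)
    by_hash = defaultdict(list)
    for rec in inventory:
        idle_days = (today - date.fromisoformat(rec["last_used"])).days
        # Inactive: unused for too long, or not referenced by any application.
        if idle_days > max_idle_days or not rec["used_by"]:
            findings["inactive"].append(rec["id"])
        # Orphaned: the human owner (e.g. a former employee) is no longer active.
        if not rec["owner_active"]:
            findings["orphaned"].append(rec["id"])
        # Shared: one identity used by several applications widens blast radius.
        if len(rec["used_by"]) > 1:
            findings["shared"].append(rec["id"])
        # Over-privileged: wildcard or admin-style grants.
        if any(p in ADMIN_MARKERS or p.endswith(":*") for p in rec["privileges"]):
            findings["overprivileged"].append(rec["id"])
        by_hash[rec["secret_hash"]].append(rec["id"])
    # Duplicated: the same secret material stored under more than one identity.
    for ids in by_hash.values():
        if len(ids) > 1:
            findings["duplicated"].append(sorted(ids))
    return dict(findings)


if __name__ == "__main__":
    for kind, items in audit(INVENTORY, "2025-06-01").items():
        print(f"{kind}: {items}")
```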
What is the result of this scenario? As IBM warns in one of its investigations, the second most frequent and devastating type of attack on organizations is precisely the one directed at non-human identities. IBM estimates that, on average, containing an attack of this type once it has been detected can take more than 64 days, and that is not the worst of it; the bad news is that the average time to identify compromised credentials is 292 days. As if this were not enough, the arrival of Generative Artificial Intelligence (GenAI) has worsened the situation very significantly, since operating and automating workflows with these systems requires creating yet more sets of NHI. The company Pillar Security has just published a study warning that malicious actors need only 42 seconds to complete an attack, requiring just five interactions to achieve it. Furthermore, 90% of successful attacks end up allowing the leak of confidential data, whether commercial information or personally identifiable data.
The conclusion is obvious: how could the head of cybersecurity not be one of the profiles that suffer the most stress in companies? A few weeks ago I warned in this space that the professionals themselves were reporting a lack of personnel and budget in their departments. Well, now another PwC study shows that less than half of those responsible measure cyber risk effectively, and only 15% measure its financial impact. The findings of the report do not invite optimism, since those in charge of ensuring computer security in organizations recognize that precisely the four threats that worry them most today, namely cloud-related vulnerabilities, hacking and information-leak attacks, third-party breaches, and attacks on connected systems (NHI), are the ones they feel least prepared for.
Precisely at the moment when it is most necessary, companies seem to skimp on cybersecurity, underestimating it while everything is going well. Once an attack has succeeded, the focus changes, but by then it is too late, to the point that, according to PwC, only 2% of companies have implemented cyber resilience actions. Of course, how could they, if today less than half of security managers are involved in strategic planning, in reporting to the board of directors and in supervising technology implementations?