August 26, 2019
By: Inversion6

Identity-Based Security: Best Practices for Protecting Your Users and Customers

Keeping your organization, employees, and customers safe starts with identity-based security practices that are easier to implement than you might realize.


Is Identity-Based Security Hopeless?

We all know it’s important to keep both consumer and business data safe. We’re instructed to uphold certain identity-based security procedures to keep ourselves and others safe. These include creating complex passwords — both for professional and personal accounts — and following certain device login and authentication procedures in the workplace according to our IT, legal, and compliance departments’ policies. 

Despite this, Verizon's 2017 Data Breach Investigations Report found that 81 percent of hacking-related breaches involved stolen or weak passwords. How can this be when there's so much emphasis on cybersecurity and the processes around it? It seems that despite companies' best efforts to keep security measures fresh and employees educated, it's never enough. The answer isn't that surprising.

Phishing continues to be a prevalent attack method, showing up in more than 90% of incidents and breaches. Attacks via web applications are also extremely prevalent, with stolen credentials and personal data used to log in as legitimate users and wreak havoc. And ransomware, the malware that has brought global companies and even cities and governments to a standstill, is only increasing in use (and is frighteningly easy to acquire).

Is it hopeless? Are we all supposed to just “do our best” until our inevitable turn for a ransomware attack or other security breach comes our way? Not at all. While your organization will never truly be 100% safe from a cybersecurity incident, taking a few proactive steps now can help you stay one step ahead of potential cybercriminals looking to ruin your day.

It All Starts With Effective Administration

Consider how your IT and information security teams currently manage identity-based security within your organization. This includes access levels and other user privileges. Often, companies set up certain administrator permissions and supporting policies only to forget them — leaving their passwords, platforms, and important business and consumer data open to attack because they’re not being monitored or managed as often as they should be.

It’s important to understand that security cannot be left to manage itself. It’s not just a matter of periodically requiring employees to update their passwords, either (more on this shortly). While that should be one tactic in your identity-based security toolkit, there must also be a consistent effort in IT security administration to cyclically change the way security is managed — and by whom. 

Administrators, administrator groups, and the places where credentials and sensitive data are stored should be audited on a frequent basis, with group membership and credentials rotated, so that no account holds elevated access for too long. Combined with new policies on how passwords are created and where (and how) they are stored, this keeps the access points into your data and network from resting with a single person or in a single place for an extended period. Credentials that sit unchanged in one place for years are far more likely to be discovered and used to get into your network, and that foothold is only the starting point for much greater damage.

Much of this happens in Active Directory (AD), the center of your network and the storehouse for everything from user accounts and password hashes to every device your organization owns. AD supports a number of account and group types, especially at the administrator level. Ideally, administrators will understand and apply security best practices. In reality, organizations can no longer assume that these important identity-based security practices will be carried out consistently, so it becomes necessary to audit, randomize, and rotate administrative responsibilities, ideally through a process independent of the administrators being reviewed, to protect company data.
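As an added example (not Inversion6 code, and not something the article itself provides), the following audit applies the rules above to a snapshot of privileged group membership. The record layout is an assumption: it mirrors what you would export from Active Directory with Get-ADGroupMember and Get-ADUser (sAMAccountName, pwdLastSet, lastLogonTimestamp), plus the date each account was added to a group, which AD keeps as replication metadata on the group's member attribute. The accounts, dates and thresholds are all constructed for the example.

```python
"""Audit of Tier-0 (privileged) group membership from an AD export.

Added example, not Inversion6 code. The records are constructed here; in
production they would come from Get-ADGroupMember / Get-ADUser, with the
date each account was added to a group taken from the replication
metadata on the group's member attribute (an assumption about how the
export was produced, not something this snippet queries itself).
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Groups whose membership should be temporary and reviewed every cycle.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Schema Admins", "Administrators"}

MAX_MEMBERSHIP_DAYS = 90    # nobody keeps Tier-0 membership longer than this
MAX_PASSWORD_AGE_DAYS = 90  # admin credentials rotate on a short cycle
STALE_LOGON_DAYS = 45       # an enabled admin account nobody uses is attack surface


@dataclass
class Membership:
    account: str                     # sAMAccountName
    group: str                       # group the account is a member of
    added: datetime                  # when the account was added to the group
    pwd_last_set: datetime           # pwdLastSet
    last_logon: Optional[datetime]   # lastLogonTimestamp, None if never
    enabled: bool


def audit(memberships: List[Membership], now: datetime) -> List[Tuple[str, str, str]]:
    """Return sorted (account, group, finding) tuples for every policy violation."""
    findings: Set[Tuple[str, str, str]] = set()
    tier0_groups: Dict[str, Set[str]] = {}  # account -> privileged groups it holds

    for m in memberships:
        if m.group not in PRIVILEGED_GROUPS:
            continue  # only privileged membership is in scope here
        tier0_groups.setdefault(m.account, set()).add(m.group)

        if (now - m.added).days > MAX_MEMBERSHIP_DAYS:
            findings.add((m.account, m.group,
                          "membership-older-than-%dd" % MAX_MEMBERSHIP_DAYS))
        if (now - m.pwd_last_set).days > MAX_PASSWORD_AGE_DAYS:
            findings.add((m.account, m.group,
                          "password-older-than-%dd" % MAX_PASSWORD_AGE_DAYS))
        if m.enabled and (m.last_logon is None
                          or (now - m.last_logon).days > STALE_LOGON_DAYS):
            findings.add((m.account, m.group, "stale-admin-account"))

    # One identity holding several Tier-0 roles is "too much access" by itself.
    for account, groups in tier0_groups.items():
        if len(groups) > 1:
            findings.add((account, "+".join(sorted(groups)),
                          "member-of-multiple-tier0-groups"))

    return sorted(findings)


# Constructed sample export (not real accounts), dated to the article.
NOW = datetime(2019, 8, 26)
SAMPLE_MEMBERSHIPS = [
    Membership("svc_backup", "Domain Admins", datetime(2018, 1, 15),
               datetime(2017, 6, 1), datetime(2019, 8, 25), True),
    Membership("jdoe-adm", "Domain Admins", datetime(2019, 8, 1),
               datetime(2019, 8, 1), datetime(2019, 8, 26), True),
    Membership("jdoe-adm", "Enterprise Admins", datetime(2019, 7, 1),
               datetime(2019, 8, 1), datetime(2019, 8, 26), True),
    Membership("contractor7", "Administrators", datetime(2019, 3, 1),
               datetime(2019, 3, 1), datetime(2019, 4, 2), True),
    Membership("bwilson", "Help Desk", datetime(2016, 2, 2),
               datetime(2016, 2, 2), datetime(2019, 8, 20), True),
]


def run_sample() -> List[Tuple[str, str, str]]:
    """Run the audit over the constructed export."""
    return audit(SAMPLE_MEMBERSHIPS, NOW)


if __name__ == "__main__":
    for account, group, finding in run_sample():
        print("%-12s %-32s %s" % (account, group, finding))
```

Run against the sample, the audit flags the backup service account that has sat in Domain Admins with an unchanged password since 2017, the contractor whose Administrators membership outlived their last logon by months, and the administrator holding two Tier-0 roles at once; the help-desk membership is out of scope and produces nothing. In practice the thresholds belong in policy, and the export should be taken by a process the audited administrators do not control.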

Having A Strong Password Is Never Enough

A common perception is that if we update our passwords frequently, we'll be covered. The issue with this is that 86% of passwords are outright terrible: in breach after breach, most of the passwords in use at the organization (whether by employees or customers) already existed in databases of previously leaked passwords, which is exactly what password-guessing tools are loaded with. The usual suspects that everyone knows shouldn't be used are still in heavy use, including 123456789, password1, and qwerty.

While many companies have developed strong password policies and require employees to change them every 90 days or less, this still isn’t enough. Making employees and customers exchange basic passwords for another basic password doesn’t make your network safer. And because so many basic passwords are still in use, it can also mean a greater risk to your network if a decent password is changed to a weaker one. 

Microsoft isn't helping the situation, either. The Minimum password length setting in an Active Directory domain password policy tops out at 14 characters, so that is the longest password a domain can require through the standard policy. Fourteen characters isn't enough. Passwords need to be longer, and more importantly, they need to be passphrases rather than passwords. A passphrase can include numbers, symbols, and even spaces, and will be significantly longer than a typical password. That length, far more than any symbol requirement, is what makes a credential resistant to guessing and to offline cracking of stolen hashes.

But how can businesses expect employees and customers to remember such long, complex passphrases? A string like jb9h*&T!@#&uah\^FGy}8vb[ouGVG&G)*bh(H*1 is vastly more difficult to remember than the simple, memorable passwords so many people create, which is why a passphrase should be built from several words rather than random symbols. Password vaults are one option, but even these helpful tools don't guarantee security: a vault concentrates every credential behind one master password, so vault administrator access belongs in the rotation discussed earlier. But don't stop here. Get more password policy best practices and put them to work at your organization.
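The password discussion above (length over symbol rules, rejecting passwords that already appear in breach databases, and not accepting the old password with a new suffix) comes down to a small set of checks at the point where a password is set. The following is an added example of those checks, not Inversion6 code. The breach corpus is constructed from the three passwords the article names, with made-up counts; the lookup has the same shape as the Pwned Passwords range API, which takes the first five hex characters of a SHA-1 and returns "SUFFIX:COUNT" lines, so the password itself never leaves your network. The 16-character minimum, the username rule and the suffix-stripping rule are assumptions chosen for the example.

```python
"""Password acceptance check: length first, then a breached-password lookup.

Added example, not Inversion6 code. The breach corpus is constructed from
the passwords the article names (counts are illustrative). The prefix ->
suffix layout matches the Pwned Passwords range API, so swapping in a live
query means fetching /range/<prefix> and parsing "SUFFIX:COUNT" lines.
The 16-character floor is an assumption, not a figure from the article.
"""
import hashlib
import re
from typing import Dict, List, Optional

MIN_LENGTH = 16  # assumption: a passphrase floor, above the 14 the AD policy allows


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form breach corpora publish."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_corpus(passwords: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """prefix (5 hex) -> {suffix (35 hex): count}, the k-anonymity range layout."""
    corpus: Dict[str, Dict[str, int]] = {}
    for pw, count in passwords.items():
        h = sha1_hex(pw)
        corpus.setdefault(h[:5], {})[h[5:]] = count
    return corpus


# Constructed breach corpus; the counts are illustrative, not real figures.
BREACH_CORPUS = build_corpus({"123456789": 7_000_000,
                              "password1": 2_000_000,
                              "qwerty": 3_000_000})


def breach_count(password: str, corpus=BREACH_CORPUS) -> int:
    """How often the password appears in the corpus; 0 if never."""
    h = sha1_hex(password)
    return corpus.get(h[:5], {}).get(h[5:], 0)


def _stem(password: str) -> str:
    """Lower-case and strip trailing digits/symbols: 'Summer2019!' -> 'summer'."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def evaluate(password: str, username: str = "",
             previous: Optional[str] = None) -> List[str]:
    """Return the reasons to reject the password; an empty list means accept."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter-than-%d" % MIN_LENGTH)
    if username and username.lower() in password.lower():
        problems.append("contains-username")
    if re.fullmatch(r"(.)\1*", password):
        problems.append("single-repeated-character")
    # "Summer2018!" -> "Summer2019!" is the rotation the article warns about.
    if previous is not None and _stem(password) == _stem(previous):
        problems.append("same-as-previous-with-new-suffix")
    if breach_count(password):
        problems.append("in-breach-corpus")
    return problems


if __name__ == "__main__":
    for candidate, prev in [("password1", None),
                            ("Summer2019!", "Summer2018!"),
                            ("correct horse battery staple", None)]:
        print("%-30s %s" % (candidate, evaluate(candidate, previous=prev) or "accepted"))
```

The ordering matters: the cheap local checks run before the corpus lookup, and with a live range query only the five-character hash prefix would ever be sent, so even the lookup does not disclose the candidate password.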

Remember, Multi-Factor Authentication Is Your Ally

It's frightening how many organizations aren't using multi-factor authentication (MFA). According to security awareness training firm KnowBe4, only 38% of large companies use MFA. This is a problem. Two-factor authentication (2FA), which most people are familiar with, is simply MFA with exactly two factors; what makes either one effective is that each factor comes from an independent source: something you know (a password), something you have (a phone, an authenticator app, or a hardware key), or something you are (a fingerprint). The weak spot is usually the factor, not the count. SMS one-time codes, while fast and user-friendly, are vulnerable to SMS interception, in which the text sent to your phone with a login code is redirected (for example through a SIM swap) to another phone instead of, or in addition to, yours. An authenticator app or hardware security key is not exposed to that attack.

MFA offers another layer of identity-based security on top of the recommendations above, ensuring that even at the highest levels and with fully randomized and rotated passwords, there’ll be a final protective measure to prevent cybercriminals from harming your organization and customers.
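To make the SMS point concrete, here is an added example (not Inversion6 code) of the second factor an authenticator app provides: a time-based one-time password per RFC 6238. The app and the server share a secret at enrolment and each derives the current code from the clock, so no code is ever transmitted to the user and there is nothing to intercept in transit. The secret used is the RFC 6238 test-vector key, so the values can be checked against the RFC; a real enrolment uses a fresh random secret per user. SHA-1, 30-second steps, 6 digits and a one-step drift window are assumptions matching the defaults most apps use.

```python
"""TOTP (RFC 6238): the kind of second factor that is never sent over SMS.

Added example, not Inversion6 code. The secret is the RFC 6238 test-vector
key so the outputs can be checked against the RFC; real enrolments use a
random per-user secret. Assumptions: SHA-1, 30-second steps, 6 digits.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30
DIGITS = 6
DRIFT_WINDOW = 1  # accept one step either side to tolerate clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None) -> str:
    """The code an authenticator app shows at Unix time `at` (default: now)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // STEP_SECONDS))


class TotpVerifier:
    """Server side: check a submitted code and refuse replays of accepted ones."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1  # highest time step already consumed by a login

    def verify(self, submitted: str, at: Optional[float] = None) -> bool:
        if at is None:
            at = time.time()
        counter = int(at // STEP_SECONDS)
        for c in range(counter - DRIFT_WINDOW, counter + DRIFT_WINDOW + 1):
            if c <= self.last_counter:
                continue  # a code for this step was already used: treat as replay
            # Constant-time compare so timing does not leak how many digits matched.
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.last_counter = c
                return True
        return False


# Test-vector key from RFC 6238 (ASCII "12345678901234567890"); not a real secret.
RFC6238_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = TotpVerifier(RFC6238_SECRET)
    code = totp(RFC6238_SECRET, at=59)  # RFC 6238 vector at T=59, 6 digits: 287082
    print(code, verifier.verify(code, at=59), verifier.verify(code, at=59))
```

The verifier accepts a code once and then refuses it, which is what turns "something you have" into a factor an attacker cannot simply reuse after watching a login. Unlike SMS, the only way to obtain these codes is to hold the shared secret or the device, though a user can still be phished into typing one into a fake page, which is why hardware keys that bind the login to the origin are stronger still.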

Our Identity-Based Security Experts Are Here to Help

Inversion6 provides a number of security solutions ranging from access control and identity management to deception-based threat detection. Our chief information security officers (CISOs) partner with your organization to advise leadership teams on security strategy and educate employees on best practices for day-to-day operations. A best-in-class security program isn't impossible to achieve, and it all starts with a conversation with one of our CISOs. Fill out the form below to get in touch with us.
Post Written By: Inversion6
Inversion6 and our team of CISOs are experts in information security, storage, and networking solutions. We work alongside your team to implement technology solutions that are smart, flexible, and customized to fit your needs.
