With this week being Identity Management Day on April 8th, it's the perfect reminder for organizations to focus on protecting their employees' digital identities.
Protecting personal information and credentials is more essential than ever due to the rise of sophisticated cyberattacks, synthetic identities, and deepfakes.
With humans remaining the primary attack vector and social engineering attacks accounting for a staggering 70% to 90% of all breaches, our security experts at KnowBe4 have compiled their top recommendations to help organizations safeguard their employees' digital identities from theft.
Anna Collard, SVP of Content Strategy & Security Awareness Advocate
- Cultivate a Zero Trust Mindset: Never trust, always verify—even when communication appears to come from familiar sources
- Implement Phishing-resistant MFA: Make multi-factor authentication mandatory, and enhance it with biometrics or contextual risk analysis
- Prioritize Security Awareness Training: Regular training sessions on recognizing phishing emails, smishing, vishing, and other social engineering techniques are essential
- Practice Mindfulness (the "Stop, Breathe, Question" Technique): Teach employees to pause, take a breath, and question the legitimacy of requests before clicking on links, opening attachments, or approving access.
Javvad Malik, Lead Security Awareness Advocate
- Prioritize Security and Usability: Take a user-centric approach that ensures employees can access resources easily while maintaining data security
- Create Easy-to-Understand Security Measures: Use clear language and relatable examples when educating employees about security benefits. Emphasize the benefits of protecting both personal and organizational data
- Implement Continuous Authentication: Implement advanced mechanisms that verify users based on behavior patterns, helping to detect unauthorized access even when credentials are compromised
- Enable Self-Service Capabilities: Empower users with self-service portals for account management and password resets to reduce frustration and improve resource access
Martin Kraemer, Security Awareness Advocate
- Share On a Need-To-Know Basis: Exercise caution when uploading personal documents online and only share sensitive information when absolutely necessary with verified legitimate parties
- Remember Your Online Behavior is Monitored: Be mindful that social media platforms track your online activity to create detailed profiles, and adjust privacy settings accordingly
James McQuiggan, Security Awareness Advocate
- Empower Employees to Report: Create a security culture where reporting suspicious logins or phishing attempts is rewarded, not punished. It’s also important to integrate user-friendly reporting mechanisms
- Improve Post-Incident Response: Use incidents as learning opportunities rather than blame sessions, and ensure quick team responses to build trust
- For IT and Cybersecurity Teams: Stay informed about Initial Access Brokers and Stealer Malware trends by monitoring underground forums
- For Governance Teams: Establish processes to regularly analyze stealer logs for exposed employee credentials
- For Threat Intel Teams: Align findings with MITRE ATT&CK techniques to enhance defensive strategies
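As an added illustration of the stealer-log review process recommended above (example code written for this page, not KnowBe4's or the original post's), the script below takes constructed stealer records, keeps only those that expose the organisation's own accounts or systems (assumed domain example.com), flags secrets that also appear on unrelated sites, and orders the affected accounts for forced resets. The record layout, domain and every sample value are assumptions made for this example.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the "URL:USERNAME:PASSWORD" layout common in infostealer
# dumps (an assumed layout for this example, not any vendor's documented format).
SAMPLE_STEALER_LOG = """\
https://sso.example.com/login:alice@example.com:Summer2024!
https://shop.unrelated.test/account:alice@example.com:Summer2024!
https://mail.example.com/owa:bob@example.com:hunter2
https://vpn.example.com/:carol:P@ssw0rd
https://forum.unrelated.test/login:erin@example.com:letmein
not a credential record
"""
RECORD = re.compile(r"^(?P<url>https?://[^:\s]+(?::\d+)?[^:\s]*):(?P<user>[^:\s]+):(?P<pw>\S*)$")

def triage_stealer_log(text, org_domains):
    """Map exposed employee accounts to the org hosts they unlock.
    In scope: URL host under an org domain, or username is an org e-mail.
    Passwords are never kept; a SHA-256 fingerprint only detects the same
    secret reappearing on an unrelated site (the reuse credential stuffing exploits)."""
    org_domains = [d.lower() for d in org_domains]
    hosts_by_cred = defaultdict(set)          # (user, fingerprint) -> hosts
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue                          # malformed line: skip, never guess
        host = (urlsplit(m["url"]).hostname or "").lower()
        fp = hashlib.sha256(m["pw"].encode()).hexdigest()
        hosts_by_cred[(m["user"].lower(), fp)].add(host)
    findings = {}
    for (user, fp), hosts in hosts_by_cred.items():
        org_hosts = {h for h in hosts if any(h == d or h.endswith("." + d) for d in org_domains)}
        if not org_hosts and not any(user.endswith("@" + d) for d in org_domains):
            continue                          # third-party account only: out of scope
        f = findings.setdefault(user, {"org_hosts": set(), "reused_elsewhere": False})
        f["org_hosts"] |= org_hosts
        f["reused_elsewhere"] |= bool(org_hosts) and bool(hosts - org_hosts)
    return findings

def reset_queue(findings):
    """Forced-reset order: secrets reused on org systems first, then by account."""
    return sorted(findings, key=lambda u: (not findings[u]["reused_elsewhere"], u))

if __name__ == "__main__":
    found = triage_stealer_log(SAMPLE_STEALER_LOG, ["example.com"])
    for acct in reset_queue(found):
        print(acct, sorted(found[acct]["org_hosts"]), found[acct]["reused_elsewhere"])
```

Accounts whose exposed secret also appears on an unrelated site go to the front of the queue, since those are the ones credential stuffing will try first.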
Erich Kron, Security Awareness Advocate
- Do Not Reuse Passwords: Credential stuffing attacks use automated tools to exploit password reuse, making all accounts with the same password vulnerable if one is compromised
Roger A. Grimes, Data-Driven Defense Evangelist
- Implement Phishing-Resistant MFA: This is the most secure option, as it protects against common social engineering attacks like phishing scams. For instance, hardware security keys and biometrics offer the strongest protection against social engineering
- Use Any MFA if Necessary: Even less secure MFA options like SMS-based authentication and time-based one-time passwords are better than no MFA at all
- Use Password Managers: Use reputable password managers to create and securely store strong, unique passwords
- Create Strong, Unique Passwords: If you can't use a password manager, develop complex passwords of at least 20 characters and never reuse them
This Identity Management Day, remember that protecting your employees' digital identities isn't just about implementing the latest technology—it's also about creating a strong and positive security culture where everyone understands their role in safeguarding critical information. By following these expert recommendations, educating your workforce, and remaining vigilant against evolving threats, organizations can significantly strengthen their security posture and reduce human risk. Don't wait for a breach to prioritize identity security—make it an essential part of your organization today and every day.