Identity-related incidents becoming severe, costing organizations a fortune

With the rise of identity sprawl and system complexity, more businesses are suffering identity-related incidents than ever before, according to IDSA.

Identity-related incidents in headlines

Identity-related incidents continue to dominate today’s headlines. Clorox, MGM, and Caesars fell prey to social engineering, while 23andMe suffered a breach as a result of a hacking method called credential stuffing and UnitedHealth lacked multi-factor authentication (MFA).

Although these companies made headlines due to the extent of the breach, the study revealed that only 10% of respondents didn’t have an identity-related incident in the last 12 months, consistent with last year’s report.

An astonishing 84% of identity stakeholders said incidents directly impacted their business, up from 68% in 2023. The most significant impact, seeing a measurable rise this year, was distracting from core business (52%), followed by the cost of recovering from the breach, which dropped from number one this year but increased from 33% to 47%. Close behind and keeping third place is the negative impact on the company’s reputation, notably increasing from 25% to 45%.

“Identity-related incidents are on the rise, emphasizing the need for strong identity security measures,” said Jeff Reich, Executive Director at IDSA. “Many of today’s major breaches result from sophisticated phishing and social engineering attacks or not having multi-factor authentication. These incidents not only impact operations, they cost a fortune — UnitedHealth experienced a $872 million loss from the Change Healthcare cyberattack. And they can also lead to significant drops in stock prices and lasting reputational damage. With identity threats becoming more severe, organizations mu strengthen their identity security frameworks to better protect against these growing challenges.”

The state of identity security in 2024

22% of businesses see managing and securing digital identities as the number one priority of their security program, up from 17% in 2023. 89% of organizations are concerned with employees using corporate credentials for social media.

91% of organizations invoked their incident response plans, double of 2023 and 32% invoked their plans more three to five times.

Consistent with 2023, 89% of businesses are somewhat or very concerned that new privacy regulations will impact identity security. 96% of respondents report AI/ML will be beneficial in addressing identity-related challenges, with 71% stating the number one use case is identifying outlier behaviors.

81% of identity stakeholders see passwordless authentication as a solid technology for addressing identity issues.

Down slightly, 93% of identity stakeholders said that security outcomes could have lessened the business impact of incidents. 37% of respondents said implementing MFA for all users could have prevented or minimized the effect of incidents, followed by timely reviews of access to sensitive data (42%) and privileged access (50%).

99% of businesses reported they are planning to further invest in security outcomes in the next 12 months.

2024 Trends in Identity Security report is based on an online survey of over 520 identity and security professionals from organizations with over 1000 employees.