In today’s online workspace, corporate identity protection has become a crucial part of defending company data. Often referred to as “the new perimeter,” identity security acts as the front-line guard between companies and potential breaches. However, recent findings in the Enterprise Identity Threat Report 2024 reveal surprising gaps in how well these identities are being managed and protected, leaving companies vulnerable to data breaches, account takeovers, and credential theft.
This report, backed by exclusive data from LayerX Browser Security, digs into key identity-related risks. From blind spots in credential management to vulnerable corporate passwords, the findings call on organizations to rethink how they approach identity security.
The Real Risks: Focusing on a Small Group of Users
One surprising takeaway from the report is that a significant portion of identity-related risk comes from only a small percentage of users. Just 2% of employees are responsible for most identity risks, as their credentials have been compromised in multiple data breaches and often bypass single sign-on (SSO) mechanisms with weak or reused passwords. The data shows that these users, who have had their passwords exposed, appeared in an average of 9.5 data breaches, amplifying their risk.
This insight is a wake-up call for security teams, encouraging them to focus more on these high-risk users and prioritize them in their risk management efforts.
Shadow Identities and Blind Spots
A major problem highlighted in the report is the use of personal accounts for work-related logins, creating “shadow identities” outside the visibility of security teams. The report reveals that 67.5% of corporate logins are done without SSO protection, and 42.5% of logins to SaaS applications are made with personal accounts. These blind spots mean security teams lack insight into where sensitive access is happening, reducing their ability to spot or respond to potential threats in real time.
Corporate Passwords: Not as Secure as Expected
Despite widespread password management policies, corporate passwords are often just as vulnerable as personal ones. The report shows that 54% of corporate passwords fall into the medium or weak strength categories, close to the 58% rate for personal passwords. This means that even passwords meeting minimum security policies can often be cracked in under half an hour, posing a significant risk to sensitive business information.
Browser Extensions: An Overlooked Risk
Browser extensions have become a staple for productivity, but they come with security risks. The report reveals that 66.6% of installed browser extensions have high- or critical-risk permissions. With over 40% of employees using high-risk extensions, sensitive data such as cookies and session tokens is exposed. These extensions could be exploited, leaving corporate credentials vulnerable to unauthorized access or session hijacking.
Attackers Bypassing Traditional Security Defenses
The report also highlights how attackers are evading traditional security tools with sophisticated techniques, particularly web-based attacks that go undetected by older security tools. Key findings include that nearly half of successful malicious web pages are hosted on trusted public hosting services, which makes them harder to identify as threats. Additionally, attackers use phishing kits with low similarity to known phishing pages, evading detection mechanisms that rely on matching previously seen pages.
Moving Forward: Enhancing Corporate Identity Security
The Enterprise Identity Threat Report 2024 provides a stark reminder of how identity security is evolving. The findings urge companies to reassess their identity management strategies, understanding that conventional protections may no longer cover today’s browser-based, remote-access environments. Security teams need to shift their focus to better manage shadow identities, strengthen password policies, and monitor browser extensions.
In the end, awareness and adaptability are key. By keeping up with these evolving threats, companies can build a stronger, more resilient approach to securing their corporate identities.