10 years is a long time in tech. Identity and authentication provider Okta has celebrated the 10th anniversary of its Business at Work report, taking the opportuntiy to reflect and review how things changed over the decade.
Okta provides apps and tools to secure your users, applications, and data, and regularly conducts research to identity how workforces are adapting to security challenges and the changing tools they adopt along the way. The Okta Business at Work report is always a fascinating read and now, for its 10th anniversary, also paints a remarkable picture of how the world has changed since 2015.
Okta content lead, writer, and strategist Laurie Isola spoke with iTWire about the key macrotrends that a decade's worth of Business at Work data unveils.
"The past decade has seen dramatic changes in the business landscape, including more sophisticated cyber threats, the rise of distributed work, and smartphone saturation," she said.
{loadposition david08}
Amid all this change, two constants emerged from Isola's research - the importance of security and collaboration tools, as organisations adapt to the new reality of security today.
"It's always great to have a year on year overview, but having 10 years of data is a signal of the report's utility. People can look back, see how the landscape has changed, where adoption is, and it's a signal to what their needs are," she said.
In fact, the research shows over this last decade security has moved from being an IT concern to a boardroom priority. Meanwhile, digital transformation was previously all about convenience. Today, it is about resilience and security.
Additionally, during this time we've seen a huge growth in AI-driven threats, while cloud adoption and hybrid work has changed how and where people work, as well as how businesses are protecting their people and data.
With regards to protection, identity has become the foundation of security and traditional MFA is no longer enough. Phishing attacks have evolved, and continue to evolve, and cybercriminals are getting smarter and bypassing weaker methods. A security gap is emerging where enterprises of all sizes must adopt higher grades of security tools to really know who is accessing their systems.
Fortunately, Isola says, phishing-resistant authentication adoption is surging 160% year-on-year, at a higher rate than weaker methods such as email-based multi-factor authentication. These methods are still rising, Isola notes, but happily, by and large, the growth in superior security methods is growing faster.
"10 years ago, security questions were the most popular factor," she said. "Now they're number 10."
Yes, security questions like "What was the name of your childhood pet?" or "What is your mother's maiden name?" I'm sure we all remember those and the sad reality of social media apps that asked these questions in the form of "What's your Star Wars name?" where people would freely divulge the answers.
Fortunately, the research shows these are becoming less in vogue. Instead, the number one security factor today is OktaVerify and OktaPush, Okta's own app suite to validate you are the one trying to log in by pushing a prompt to you on a secure, validated device, independent of your phone number or email address - because, of course, such items are themselves hackable.
Part of the research also considers the most popular apps vs. the fastest growing apps. "In 2015 there was no security-type app in the top lists," Isola said. "Collaboration was big."
Over the decade security apps started moved in, until today, "security tools are the fastest-growing apps," she said. In fact, they've gone from 0% of the top apps to 40% today.
While you could look at this bleakly - apps are designed to help us do things. They let us seek information, communicate with each other, entertain and research, but out of all the apps we run today it's security apps that are rising in adoption more than any other? Isola says it's not so bad. "Innovation comes will collaboration," she said. "and collaboration needs security" to ensure you're talking to who you believe you are, to ensure files and data are only being accessed by who should be accessing them. "What companies adopt is indicative of what their needs are."
In fact, "the average number of apps per customer is now over 100."
"What we found is people want the best tool for the job. There are far more apps out there so it makes sense the number of apps is increasing. It wouldn't increase if it weren't for increased need, and all that shows a widening attack surface. So, picking the best tool for the job, with the expansion of app adoption naturally increases the threat landscape" - which in turn mandates greater needs for security apps, as savvy organisations realise.
"The average number of apps stalled for a good amount of time in the mid 2019's," Isola said. "There is an even larger attack surface to secure."
Enter IPSIE, the Interoperability Profiling for Secure Identity in the Enterprise working group. Okta is a founding member of this group, and it is developing the first unified identity security standard for enterprise apps and resources.
"The idea of IPSIE is a universal standard for identity security to apply to every enterprise app. Making an overall standard across every app means security sensibility is built into them," Isola said.
A large driver, Isola explained, is that companies know today the cost of a breach is high. They've learned over the last 10 years the reputational damage and financial cost that a breach can cause. Security has moved from being a challenge for the tech team to part of the company's board-level risk management. This, Isola believes, is influencing the move to high-assurance security factors such as OktaPush, from the old, insecure security questions that were so common back in 2015.
It comes as no surprise the research found attacks are trending upwards in all countries around the world, and just as enterprises worldwide are striving to do more with less, via AI, so too are the bad guys. "AI is being used by threat actors. Attackers are using AI to create sophisticated phishing scams and deepfake scams and they can do it at scale," Isola said.
Fortunately, the research also found organisations are fighting back by using identity verification solutions that bring phishing-proof methods with higher-assurance factors to identify who people are, and to ensure the right people have access to the right tools.
The report states that businesses that "get identity right will win the future of work." iTWire asked what this means in practical terms. "Identity is still security," Isola said, "but when done well it is frictionless. Employees and workers are able to use the tools they need to do the work they need to do, while companies have assurance it's the right people with the right tools, and for the time they need."
Identity is "not just saying who you are, but being where you said you would be."