Cybercrime costs the UK billions of pounds, causes untold damage and threatens national security.
In fact, the government estimates the cost of cybercrime to the UK to be £27bn per year. In all probability, the real impact is likely to be much greater, with businesses bearing the brunt of the attacks at a cost of £21bn.
Regardless of type or size, any organisation can suffer a cyber attack at any time. Yet despite this, many business leaders believe their organisation is somehow different. Like most crimes, it’s natural to think ‘it won’t happen to me’ – until it does. Or they’ve simply become desensitised to the daily headlines detailing the latest major breach.
But the reality is, it’s no longer a question of ‘if’ but ‘when’ you fall victim to a cyber attack. And the consequences can be devastating. Even some of the largest security vendors in the world have found themselves in the middle of a cyber attack. After a data breach in October 2023, Okta’s leaders decided to take a holistic approach to the attack, investing time in a culture and mindset shift. The first step was to pause everything across the business and focus solely on security for 90 days, resetting the entire security culture as part of an initiative called project bedrock.
“We’re focusing on individuals, on culture, on how we help everyone across our industry - from customers to partners, prospects and peers - to understand what good looks like and what they should do when it doesn’t look right. It’s one of the fundamental backbones of a strong security culture,” explains Okta’s EMEA regional chief security officer, Stephen McDermid.
The four pillars of Okta’s secure identity commitment
Since being targeted, the company has sought to combine its cybersecurity expertise with its own experience of being breached to advise other organisations through actionable insights. The result of these efforts is the Okta secure identity commitment, a pledge to lead the industry in the fight against identity attacks.
1. Investing in market leading products and services
The first pillar is providing market-leading identity products and services, baking in security-by-design through a major investment to harden and secure its products. This includes some new enhancements and features made as a result of project bedrock.
“Typically, most threats will use some sort of identity or set credentials to get access and propagate across an organisation. So, we’re making sure our services and products are capable of helping protect against some of these threats,” says McDermid.
“An example would be identity threat protection with Okta AI, which looks at the context of each access request – it looks at the location, the device, the network, the time, the agent, the client – and provides a score analysis as to whether that’s access you would expect to see. The ability for organisations to set that context analysis around every access request really sets the tone and is fundamental to achieving zero trust.”
2. Hardening corporate infrastructure
For the second pillar, Okta is hardening its own corporate infrastructure, extending the boundary around its people, processes and partners. This means treating everything with the same threat profile as it would its customer-facing environment. So, removing personal access to Google Chrome accounts internally, or additional monitoring and alerting around its admins and the sessions they create.
This, says McDermid, “demonstrates to customers the steps that we have taken to drive a security culture and make sure that we are advocating best practices internally as well as externally.”
3. Champion customer best practices
The third pillar is championing customer best practice to help users get the best out of their Okta experience. “You will see Okta taking a much firmer line on making customers aware of where they are not following best practices and the risks that opens them up to,” says McDermid. “For example, we’ve implemented idle timeouts on admin sessions to make sure that customers are protected against common threats. Helping them understand how they can protect against the risks they’re facing is something we’re aiming for.”
4. A collaborative approach to security
Finally, Okta is thinking beyond its own business and customers, embracing the responsibility it has to elevate the entire industry to be better protected against attacks that originate through identity. Part of this includes a $50m funding injection through a programme called Okta for good, which extends assistance to non-profits working in areas such as social justice, climate change and investing in security skills.
Okta also believes in a collaborative approach to security. The company is at the forefront of the shared signals framework (SSF), an emerging standard enabling seamless security data exchange across the industry, alongside its continuous access evaluation profile (CAEP) interoperability with the likes of Apple and Cisco. The SSF is currently being developed by the OpenID Foundation, with the aim of making it easy for companies to share security events related to those who are using their systems. This allows organisations to leverage insights from various sources, creating a more comprehensive and unified security posture.
Cultural shift in addressing cyber threats
Throughout each of the pillars, Okta calls for a cultural shift in understanding and addressing cyber threats, while stressing the importance of driving security culture, industry leadership and a top-down commitment to cybersecurity.
“There is the old saying that culture eats strategy for breakfast, and I believe that’s true,” says McDermid. “If people understand the expectations and the environment in which they operate, then they should be well positioned to deal with these types of threats when faced with them.”
Okta sees its role as championing a holistic approach to cybersecurity for its customers, partners and the industry.
“As the world’s leading independent security provider, we are under threat constantly, fighting off more than 2 billion attacks every month. So, we need to share those insights and make sure our customers have visibility and understand them as well,” says McDermid.
As Okta has demonstrated, a data breach can happen to anyone. The threat landscape is constantly evolving and companies must do more to protect privileged identities and accounts. Business leaders must absorb these insights from Okta’s experience and take similar action to protect their organisations from the rising threat of cyber attack.
To find out more, visit www.okta.com/uk