Watch the recording of this webinar here.
Naz Ekim: (00:02)
Hi everyone. Thank you for joining our webinar today, Cybersecurity and the Remote Work Era: A Global Risk Report. I'm joined today by Dr. Eric Cole will be moderating along with Dr. Larry Ponemon and Darren Guccione, co-founder of Keeper Security. But before we dive in, I want to let everyone know that we are recording this event and that it will be shared with you afterwards, along with a copy of the report. And without waiting, Dr. Eric off to you.
Dr. Eric Cole: (00:34)
Welcome everyone. I am joined today by Larry Ponemon, the chairman of the Ponemon Institute, and Darren Guccione, CEO and co-founder of Keeper Security. This morning, Keeper announced the results of their new research Cybersecurity in the Remote Work Era: A Global Risk Report and today we're here to discuss the findings of this report with Larry and Darren. Before we dive into the report, Larry, can you tell us a little bit about the study and your methodology?
Dr. Larry Ponemon: (01:09)
Thank you, Eric. It's a pleasure to be here, and I know we're going to have a great conversation this afternoon. But this study is large, just to read some key stats with over 2,200 qualified respondents in IT and security. Basically, we covered a whole bunch of different geographies, including the United States, of course, United Kingdom, DACH, Benelux, Scandinavia, Australia, and even New Zealand. So we really covered the world. We really found some interesting issues, and probably it feels people are more teleworking, you probably know this firsthand. But there are new challenges that organizations are facing to prevent, detect, and contain cybersecurity attacks.
Bad guys are smart, and they see this as an opportunity to prey on innocent people, and I think that it's during this time of change it is also... We should be cognizant of the increased risk facing individuals as well as organizations. And by the way, if anyone's interested in seeing the paper, please read it. We'd love to send you a copy, and we always love to hear good feedback, even if it's negative. But we really are very proud of this study and working with Keeper has been an absolute joy, a great company to work with.
Dr. Eric Cole: (02:18)
Now, Larry, before we jump into the details, was there anything that was really surprising or shocked you as the results of the study came in?
Dr. Larry Ponemon: (02:26)
There are a number of shock statistics, and in fact, it's included in the presentation. So I don't want to steal anyone's thunder, but basically I think we found that people recognize that there's a security risk in the teleworking environment. They don't know what to do exactly because not many of these people are necessarily security gurus, but they basically acknowledge the risk and really see things is getting a lot worse before it gets better. So I think there was a lot of consistency, which is interesting, but also there were some stats that were jaw-dropping this huge percentages suggesting the problem is worse than we thought.
Dr. Eric Cole: (03:02)
Excellent. So let's go ahead and jump into the details. So organizations are very concerned that remote workers are putting them at risk for a data breach and/or security exploit. According to the report, which was announced this morning, the remote workforce has significantly reduced the effect of this of organization security posture from 71% down to 44%. This is a huge dip. Darren, why are remote workers such a threat?
Darren Guccione: (03:38)
Well, most organizations weren't ready for the abrupt massive migration into distributed remote work environments. So locking down and protecting those endpoints, albeit through the computers, both in terms of corporate mandated and owned devices, as well as the BYOD architecture was a huge challenge. So now they're grappling with trying to pull all that in and gain better security controls over those endpoints.
Dr. Eric Cole: (04:07)
Now, do you think that's just because people are working from home or is it because their home infrastructure has outdated operating systems and not secure wireless?
Darren Guccione: (04:17)
I think it's all of the above. I think what we're going to find through the course of this study is that at the end of the day, the password security risk is massive and it's proliferated extensively through this new arc, et cetera, in distributed remote work. And so it's become a greater challenge for organizations to wrap their arms around it and try to figure it out. We know what they need to do. So we're here today through the study, not just to provide statistics in terms of what came back to us and what's distracting, but also to provide some solutions.
Dr. Eric Cole: (04:51)
Excellent. And just carrying on from that, 44% also admit to having no idea how to respond to a data breach in a remote work environment. Darren, can you enlighten us as to what organizations need to do if they have been targeted of a data breach, especially in a remote environment?
Darren Guccione: (05:15)
I think the key is there's at the end of the day, there's no silver bullet in cybersecurity. So it requires a plethora of different technologies. It starts with a framework for cybersecurity protecting. So you have everything from endpoint security to enterprise password security, to privilege access control to two-factor authentication. I think the key here is, is that it starts with planning. And many organizations, in fact, the majority of them did not engage in adequate ultrabasive planning. And this situation just came in a very abrupt way and it forced the companies out there in the organizations to adopt major changes more on a retroactive basis. So being in a reactive position is always more difficult than being proactive. So I think it starts with proper planning. And then you build the framework around your internal control process in terms of incident response. And then you can start really deploying your cybersecurity strategy more methodically in that sense.
Dr. Eric Cole: (06:21)
Now, did it surprise you when you saw this result that just shy of 50% of organizations had no idea how to deal with a data breach in this new environment?
Darren Guccione: (06:32)
I was not surprised at all. How about you, Dr. Larry? I think he's on mute, but no, I was not surprised at all. I think that there's been this problem even before we went into distributed remote work. This has been a pervasive issue. Even when the majority of infrastructures were on premise, we've just seen it metastasize and proliferate by virtue of having the distributed remote work environment. Really just exploit this in a bigger way. So it's a problem that I think we have to lock down and take control over immediately and help people with.
Dr. Larry Ponemon: (07:14)
And by the way, I'm here again. I'm off of mute. And the only thing I would say is ditto, because everything you said makes really good sense, and there is a path forward and it may seem kind of rocky right now. Just so many people are teleworking and are concerned about security, but things are getting better.
Dr. Eric Cole: (07:28)
And just putting a bow on this, to me I'm sort of looking at this, that this is an indicator that companies quickly move to [audio issue].
Darren Guccione: (07:59)
I think we lost Dr. Eric's audio. Can you hear me?
Dr. Larry Ponemon: (08:04)
I hear you loud and clear.
Darren Guccione: (08:06)
I heard a phone ringing, then after the call you went on mute unintentionally. That is...
Dr. Eric Cole: (08:11)
Okay. Can you hear me now?
Darren Guccione: (08:14)
Perfectly.
Dr. Eric Cole: (08:15)
Okay.
Darren Guccione: (08:16)
You want to repeat that last segment please?
Dr. Eric Cole: (08:18)
Sure. So when I look at this number that just less than half admit to having no idea how to respond to a data breach in a remote environment, what I sort of look at, this is a deeper problem. That companies quickly move to a remote environment was focused solely on functionality and didn't really address security. So to me, this is really a bigger problem. That security is not really being addressed at all in a remote environment. And I was going to start with Darren and Larry, whether you agree with that, or you think this is just a one-off?
Darren Guccione: (08:49)
I don't think it's a one-off. I think that this is the fact that everything had to go distributed exploited a major problem that existed before this occurred. I think that there were conditions in the on-premise framework that were proliferated and exposed by virtue of going remote, right? It's not like, yes, you have more complexities and issues around going remote. But if the technologies are there to begin with, if you have the proper cybersecurity framework and the technology in place to protect those endpoints, whether they're on prem or off prem, the fact that someone's connected to, let's just say an on-prem network and they move to remote network. If you have the right technologies and software in place on those devices, it doesn't matter where you're connecting, it really doesn't. Because there's fantastic technologies out there that can protect that device as well as move information being transacted on that device, regardless of where you are. So that's really important to note.
Dr. Eric Cole: (09:59)
Larry, anything additional to add?
Dr. Larry Ponemon: (10:01)
Well, I think we said most of the main issues and suppose we should move on. I apologize for the phone ringing in the background.
Dr. Eric Cole: (10:11)
Yeah, that was a cool hack. For some reason, Larry's phone ringing knocked me offline. So that's pretty cool.
Dr. Larry Ponemon: (10:18)
I don't know how it did it, but it was amazing.
Darren Guccione: (10:18)
Yeah, especially since you're not sitting in the same state.
Dr. Eric Cole: (10:22)
Yeah. Larry, next question for you. Cause another stat that caught my eye was that 50% of respondents stated that cyber threats are becoming more severe with 47% admitting they're more targeted. Larry, can you tell us why you think this has happened and are cybercriminals really getting smarter?
Dr. Larry Ponemon: (10:47)
Well, it's a really good question. Some would argue no. Cybercriminals vary from people who are very junior to some incredible people who are like PhDs in physics. But in general, I think we are seeing more sophisticated and stealthy cyber attacks, and we're seeing it happen in all different places. Like for example, industrial controls 5, 10 years ago, we said, why would I worry about malware in that environment? But that thing's just hooked up. It's kind of standalone. And it turns out to be one of the great platforms for watching cybercrime around the world. So I think the cyber attacks are getting worse. The cybercriminals are well-funded. Some are really nice people, even though they commit awful crimes at times. So I think in general, that's probably driving some of these stats, but it is a very big concern about being targeted. I know in my own life, just as a civilian, that we're constantly being victimized by cyber attackers using all sorts of methods that are ingenious in some cases. So just be aware.
Dr. Eric Cole: (11:47)
Now I know most people, when they think of cyber attacks, they think of variations of phishing scams, right? Where they're very legitimate looking emails trying to trick somebody to click on a link or open an attachment. Is that still a big problem or are these attacks evolving beyond phishing?
Dr. Larry Ponemon: (12:05)
I'll tackle that and, Darren, if you want to chime in too.
Darren Guccione: (12:07)
We're seeing a lot more transactive activity from the dark web, a lot of more password stuffing, credential stuffing attacks. What most people don't realize is that, there's over 10 billion sets of stolen credentials from public data breaches that are aggregated on the dark web and cyber criminals transact on that stolen data all the time, because they know that more than 60% of the time an individual uses the same login credentials or multiple websites, applications, and systems.
So you're seeing a lot more of those types of attacks, not just the propagate ransomware, but other types of malicious zero-day attacks as well. So it's not just phishing. It's moving more extensively to the dark web. So the monitoring of the dark web and building in protections within the ecosystem of your technology that's running on the device, just to have that type of visibility and control over the password security of your entire architecture and ecosystem is of paramount importance.
Dr. Eric Cole: (13:13)
Excellent. So now that we understand those threats, let's delve a little deeper into the reason behind it. So as we talked about it, and you can see on this slide, credential theft and phishing were amongst top threat vectors cybercriminals utilized during COVID-19. And these have also increased 50 to 60%. Darren, can you build on your previous answer and sort of explain why credential theft and phishing are some of the most common types of threats and is this problem going to get any better in the future?
Darren Guccione: (13:47)
It's only going to get better if, I think, the public and private sector adopt more password security protections on these devices, because I think distributed remote work is here to stay in a very big and pervasive way. So right now cybercriminals saw that as a major feasting opportunity. I mean, in essence, they're eating at a buffet table right now. And so they're more voraciously attacking because they know that there's so many additional endpoints that are outside the protections of an on-prem environment, right? And so this is really the biggest issue. And so you're seeing upwards of five- and six-fold increase in the number of attacks against endpoints. And when someone's on a home network and there's nothing running on that particular device, let's just say a personal device at home that's being used to transact for work or commerce.
This is when you run into a huge problem because if they breach a home network and the devices are connected to that network, and you're transacting on that network for work purposes, your employer could have a real serious problem on their hands. So the governance and control of the data that's running on that device can be protected. You don't have to own the device to protect the information that's running on it. And that's a very important distinction in the ecosystem today, just because everyone went remote. And I can tell you that most organizations that I know of, they didn't just go out and buy new computers for everyone, say, "Here you go, take this home." People were utilizing their personal workstations and their mobile devices that they already owned to then transact because most of the companies today use cloud-based systems. They're just transacting against those cloud-based systems with personal devices. So it's a huge threat. It's a massive threat and cybercriminals are very smart and they know that. So they're taking complete advantage of it.
Dr. Eric Cole: (15:52)
Excellent. One thing on this chart, I just wanted to, Larry, to get your thoughts on is when a lot of people read the news over the last couple of months, it seemed like it was ransomware, ransomware, ransomware. Yet on this chart, ransomware is at the bottom and only 25%. How should an organization take that? Is ransomware not a threat anymore, or is it just not as prevalent as some of the other threats? But I just want to make sure the listeners don't walk away thinking that ransomware is not an issue and they don't have to worry about it.
Larry, you're on mute.
Dr. Larry Ponemon: (16:26)
I did it again. I can't believe it. This is what happens with old age. But 25% may seem like a high percentage... or a low percentage, but it's actually pretty high. But I think that the ransomware happens less frequently than say phishing and social engineering, but when it happens, it could be much more costly. And we started to see an evolution of ransomware where we're normally looking at small dollars, but now we're looking at potentially very large dollars and extortion. It's not just taking your data and encrypting it. It definitely a lot of the attacks are much more sophisticated as well. So ransomware is a problem that people should pay attention to, even if it's at the bottom of the list.
Dr. Eric Cole: (17:06)
Excellent. I think the other point is, one of the main delivery mechanisms of ransomware is often phishing and social engineering. So I think the ransomware can help drive that number and make it a little higher.
Darren Guccione: (17:18)
Yeah. This is the circular histogram, so to speak. So the fact that ransomware is at the bottom doesn't mean that it hasn't radically increased. So we saw an increase of over 400% the first three months of the pandemic, right? So March, April, May, June was enormous in terms of the increase in the number of ransomware incidents. Now that could still have a 25% attribution on a histogram like this. And as you said, Dr. Cole, I mean, it's really important that the targeted way in to lock up a computer and encrypt all of its data is definitely through phishing, social engineering, and credential theft. Credential theft, again, is being driven by the dark web mechanism. That is the number one source for these types of propagated attacks.
Dr. Eric Cole: (18:12)
Excellent. That's great data. And I tell you, as I went through this report to prepare for this call, there was so many fascinating figures that came out. And another interesting point is that over 70% of businesses think remote workers pose a major concern for a data breach, but yet only 35% use two-factor authentication or multi-factor authentication as an authentication method. Darren, can you explain why authentication methods should be more adopted amongst organizations? It's just, to me, seems like a simple one, but organizations just don't seem to be doing it.
Darren Guccione: (18:51)
Yeah. It's... I don't know. We talk about this year after year, two-factor authentication is one of the most cost-effective methods you can implement to thwart a remote data breach. Period. Like it is absolutely effective and mitigating the risk of remote data breach as a major, major password security protection mechanism. It is so important. And so I always say, "Look, if the service provider offers a two-factor authentication scheme, turn it on." I mean, absolutely turn it on. Yes. It might take you an extra one to three seconds to authenticate and access your website, application, or system, but by all means, absolutely turn it on. It's very, very important.
Dr. Eric Cole: (19:43)
So just digging a little deeper on that, it seems like most organizations know the value of two-factor and multi-factor authentication. In your opinion, why is it that organizations aren't implementing it? Why aren't they following this simple solution that's out there?
Darren Guccione: (20:00)
Well, it's not that organizations aren't following it. You want to make sure that when you adopt it at the organizational level, that your end users, your employees and your subcontractors are actually implementing and using it, right? So enforcement and policies are very important with respect to these technology ecosystems, right? Because you can provision two-factor authentication to a device, right, for 10,000 employees. But if you don't enforce it, if you don't have the mechanism to track it and enforce it, then it's meaningless. So I think that you're seeing two things. Number one, there's plenty of organizations that are adopting it. And some, yes, they do a great job enforcing it, but we see organizations that haven't adopted it. And that the ones that have adopted it, they're not properly enforcing it because they don't have the right technologies in place to do it.
Dr. Eric Cole: (20:58)
Excellent. So it sounds like this is definitely an area where organizations can start to improve. So now that we've looked at the threats, let's start looking at some of the best practices for mitigating the risk of data breaches. So I'll go to you, Larry, on this one. When we're talking about mitigating these risks, the IT budget is one of the first roadblocks that pop up. Why do you think that is?
Dr. Larry Ponemon: (21:25)
Well, we've been looking at this issue for almost 20 years. That's the age of our company. And even long before that, and what we find is that there is this idea that cheap is good. That you could get away with cheap. You don't have to spend lots of money and you can do 90% of the heavy lifting from a security perspective. Well, that's definitely not true.
I also think a lot of folks don't really know how to evaluate the value proposition of their security infrastructure. And if you do that, you have a place from which you can at least negotiate with senior management. But things are getting better, in this regard. We have seen a budget appropriation across different industries, including government is actually increasing statistically each and every year over the last eight or nine years. So companies are waking up to it, but still there's a long gap, big gap between what's being spent versus what organizations have and budgets that have been allocated to it.
Dr. Eric Cole: (22:20)
Now this next number that only 39% have the necessary in-house expertise when a data breach happens. This sort of surprises me because when I talk to CEOs and board of directors, handling a data breach is one of their top concerns yet they don't seem to be spending the money. What is the reason for that? Is it that they're not getting the proper information or they don't understand the value? Why is there such a big disconnect between the importance of security to an organization and the money being spent?
Dr. Larry Ponemon: (22:50)
Well, we do a cost of data breach study every year. And we actually try to figure out what's motivating companies from spending, or in some cases, not spending enough. And we find that there is a kind of this wishful thinking, that if they have a data breach, it's a 1 in 1,000 chance. So they just like rolling the dice. If we don't spend in security today, the likelihood there won't be a data breach tomorrow, but it's not true. Another study that we did recently shows that almost every organization of, say more than 500 people person head count, almost every one of these organizations had at least one data breach in the last 24 months. So a data breach is a very common and, as you can know from history, can be very costly.
Dr. Eric Cole: (23:30)
So if you're working at an organization, whether it's security engineering or even a SISO role, and you don't have the budget you need, is the solution to better educate your executives? Or what would you recommend to help remediate this problem?
Dr. Larry Ponemon: (23:44)
The step one is in education. Talk to the board. Talk to C-level executives who may not be smart in IT issues, trying to convince them that there's real value proposition to having a strong security posture. And I think people are listening. People are more sensitive to this issue than it was before, but we have a long ways to go because most C-level, non-IT C-level executives don't really see security as their problem, but someone else's. Good question though. Thank you.
Dr. Eric Cole: (24:14)
And then just jumping to the other spectrum from the executives and out to the users, it seems like almost any year, we could see a slide like this where remote employees are so concerned about getting their job done, as opposed to the security. How do we solve this problem to make remote employees really recognize that they need to embrace cybersecurity and they're part of the solution?
Dr. Larry Ponemon: (24:41)
Darren, you want to tackle that first?
Darren Guccione: (24:42)
Sure. I mean, I think it comes down to setting policies and educating, and these are the two best things that you can do. I mean, just set very clear policies within your organization's internal controls. Every company should and I assume that you have an employee handbook, I would hope. Make it a very straightforward policy and do constant positive education. You know, we do it here. It's very straightforward. It's meaningful, especially to those team members that are constantly onboarding as well as refreshing every quarter. Running new cybersecurity best practices across the board and educating your team members on a successive basis is really important. A lot of the threat factors, they evolve over time. You'll see something shift, you'll see new schemes come into play, phishing changes, right? It's not just relegated to email, but it's also relegated to text messaging and not enough people talk about that either. Right? So it's extremely important, I think, just to positively educate and make your entire team part of the solution, not part of the problem.
Dr. Eric Cole: (26:02)
No, no, I agree with that. And this next slide always amazes me because you hear security people saying that our employees aren't doing what they're supposed to. They're not doing what they're supposed to yet half of these companies aren't providing the training that the employees need. But can you briefly comment when we're talking about training, is this something that has to be super complex or is it just 15, 20 minutes periodically, just to remind the employees of the importance of security?
Darren Guccione: (26:29)
There is an exponential difference in life between knowing a teeny bit about something and knowing zero about something. So the difference of spending like 30 minutes or an hour for a team member to walk through a beautifully organized web-based training process, just a very simple course, here's the course, set up a group environment for it, and answer a few questions just to verify your knowledge, run some simulation on phishing, which is really important. Like we run those no less than once a month here for existing and new team members, it's incredible, right? What you're going to learn and what you're going to find out and it's really important. So I think at the end of the day, just have to understand that there is an exponential improvement in terms of a cybersecurity posture and the way that an organization is going to be protected when you offer this training as an employee benefit. And it's so inexpensive to do it, it doesn't require a lot of money for the investment.
It doesn't require a lot of time and it's actually fun. Because most employees that come into a business, they know what cybersecurity is as a word, but they really have no clue in terms of what it really means and how pervasive it is. So, I think a lot of people find the term fascinating and they want to learn more about it. So there's ways to just make it fun. And a lot of the vendors that provide these courses do a great job of gamifying it. So something really, to really think about.
Dr. Eric Cole: (28:13)
No, I agree. It can absolutely be fun and a little bit goes a long way. And just adding on that, the thing I found a lot is making it personal. So instead of just talking about how do you protect your work data, talk about keeping your family safe, your children and others, and then people really engage very, very quickly. Now just moving on to another key area, identity and access management. From the research, we can see that 71% of respondents think identity and access management is the leading tech for mitigating the risk of data breaches. Darren, can you explain why identity and access management is a crucial part of security? And do you agree with those results?
Darren Guccione: (28:58)
Yeah, I mean, I agree. I mean, that's the business that we're in and we're in that business because it's so important. The whole premise of identity and access management is simply to make sure that the right person accesses the right information on the right device at the right time, from the right location, right? You should be able to control and have full visibility and knowledge of that entire ecosystem in terms of the architecture, in terms of the framework on every device, across every team member that's utilizing or transacting on your organization's information. You should be able to lock that down and track everything that's happening throughout that system.
And so, identity and access management is really important because it establishes the whole security framework of an organization. You cannot have strong cybersecurity without an IAM strategy. It is like the nucleus of your cybersecurity strategy. It starts with identity access management, and then it branches outward, right? And that's where you see all these other endpoint security solutions, orchestration, automation. All of these things are also important. But if I had to say, "Okay, what's the nucleus of every cybersecurity strategy?" It starts with identity and access management every single time.
Dr. Eric Cole: (30:18)
So is it fair to say that if an organization is struggling with security, and identity and access management is not on their security roadmap, they should carefully look at adjusting or changing that approach?
Darren Guccione: (30:30)
Yeah. I mean, I would be bold enough to say if you are building out a cybersecurity strategy and you do not consider and build in identity and access management as part of that strategy, then you really don't have a cybersecurity strategy. You will be doomed. Period, right? So you could have the best endpoint security software out there. But for example, if you don't have enterprise password security or SSO or two-factor authentication or secrets management or privileged access control, you're going to be in real serious trouble.
So you have to really think about this from a comprehensive solution. So those things that I just rang off all fit within the identity and access management ecosystem. It's all around protecting the authentication process, protecting passwords, login credentials, metadata files, right? Preventing the remote data breach or the use of two-factor authentication. It's about policies. It's about enforcement. It's about event logging and reporting and tracking and auditing. So it's all of those things roped into a single ecosystem of technologies and it's really important. So I always say like, that's the nucleus of any great cybersecurity strategy.
Dr. Eric Cole: (31:53)
And then just building on that and, Larry, just wanted to get your thoughts cause I know it's still 51%, but your SIEM solution, your security information and event management, is sort of lower on that list. Do you think that's because that has become more of a mature technology that organizations are implementing or is it just based on how the attack vectors have evolved and changed?
Dr. Larry Ponemon: (32:13)
I think it's a combination of both, especially to attack vectors and the change that we've seen over the last few years. Things like behavioral analytics was just a concept. A lot of companies talked about it, but didn't really implement it very well. In fact, one of the reasons they had problems, they didn't have adequate IAM education process. What Darren mentioned, that's the core of everything. And when some of these leading technologies as a standalone solution, is not as effective as we originally thought. So I think the moral of the story is as organizations mature in more resources, then some of these other solutions become more salient.
Dr. Eric Cole: (32:52)
Excellent. And then just start to wrap this up. Darren, what are some of your cybersecurity tips for your audience? What's sort of your top two or three key takeaways from this study and then we'll jump over to Larry to get his thoughts on key takeaways also.
Darren Guccione: (33:08)
Yeah. I mean, I could talk for hours just on this slide, right? We've only listed five bullets here, but there's probably 50. But I would say, look, I mean everything here, I don't have to read the entire slide, but I would say if you're at the organizational level, make sure you do regular far more updates. Do all the security updates and patches on your internal systems. Develop a cybersecurity strategy that starts with identity and access management. Make sure you cover all of the key elements. It's like spokes in a wheel with identity and access management. If you have questions, reach out to me. I'll help provide guidance in that regard in terms of how you should proceed and take a look at that. But I think from a remote, distributed remote work environment, the world that we live in today, utilizing VPNs, I think, is of paramount importance to make sure that whatever network you're on, right, you have to look at it like, okay, how do we put a cloak of armor around this?
And that cloak of armor is a simple word encryption, right? The key here is you want end-to-end encryption on your information. You want data both at rest and in transit to be encrypted. And you also want that pipe that internet pipe, that everything is going through that also has to be encrypted. Using two-factor and multi-factor authentication, huge, like so important. So cost-effective, but it has like, we say that it has this massive cost of value spread doesn't cost as much. And it provides this massive value in terms of protecting you against the remote data breach, have a great comprehensive view of your privileged identities throughout the organization. We've mentioned the software updates and the patches and make sure your employees have a clear path.
Like if there's an incident, does your team member know exactly who to report it to? Right? Who do they contact in the organization? Like we found that so many people, in companies that have more than 10,000 employees, if there's an incident and one of their endpoints working from home, who do they report it to? Many people have no clue. It doesn't go to HR, right? It needs to be, it needs to go to a designated security officer at the organization or someone in IT. And then regularly educate the employees on cybersecurity best practices I think is absolutely so important.
So again, I think that the key takeaway is there is no silver bullet in cybersecurity. There just isn't, but cybersecurity has to start with password security. If you do not protect your passwords and your login credentials, both at rest and in transit with full end-to-end encryption, full zero trust and zero knowledge, you're in real serious trouble, right? You can have the best endpoint security, the best malware defense, but at the end of the day, more than 80% of all cyber breaches are a result of weak password security. That's where they're attacking. That's why the dark web exists in terms of these credential stuffing and password stuffing attacks. So hopefully this was a great benefit to people today.
Dr. Eric Cole: (36:22)
And, Larry, just because you really analyze and live with this data, what is sort of your biggest takeaway that you want to leave the audience with?
Dr. Larry Ponemon: (36:31)
Well, I think it's everything that Darren said. Is it starts with, you have to have an infrastructure. The core of that infrastructure is identity and access management slash with education. If you don't do that well, everything else starts to fall apart. Another issue that I think is very important because the focus is sometimes on the technical issues more than the organizational cultural issues. Security is a thing that has a very strong cultural element. And if people aren't working together and pulling together, aligning their processes, having the policies and then the right tools in place. If they're not doing it from a governance perspective, you start to see the serious decline in the value of the program. But I think everything Darren said is if the key variable is so important and evident to identity and access management at work. So, congratulations to Keeper.
Darren Guccione: (37:24)
Well, thank you, Dr. Cole, Dr. Larry Ponemon. Thank you so much. And Dr. Ponemon, thanks again for sponsoring this study. We love working with you and your organization as well as your team. Thank you so much.
Dr. Eric Cole: (37:38)
The only thing I want to leave with the audience is this presentation gave a overview of the key areas, but I really want you to download the full report. There's so much good information in this report. I spent multiple hours going through it and it helped me with a lot of my clients. So download the report and really digest the valuable information that's in the report.
Naz Ekim: (37:58)
Thank you so much all. Thank you, Dr. Cole. Thank you Larry and Darren. We will be sharing the recording of this as well as the full report. Thank you all for joining. And then we will be answering your questions separately after the webinar. Thank you.
Dr. Larry Ponemon: (38:11)
Thank you.
Darren Guccione: (38:12)
Thank you, everyone.