Cyber threats on the rise: The widespread use of breached credentials

Richard Marr, Head of Digital Native Business, APJ at Okta emphasises why identity and securing it is especially important for digital native businesses.

EITN: Who is Okta and what’s the company’s strategy for addressing Malaysian DNBs’ needs?

Richard: Okta is the World’s Identity Company. As the leading independent Identity partner, we free everyone to safely use any technology—anywhere, on any device or app. The most trusted brands trust Okta to enable secure access, authentication, and automation.

With flexibility and neutrality at the core of our Okta Workforce Identity and Customer Identity Clouds, business leaders and developers can focus on innovation and accelerate digital transformation, thanks to customizable solutions and more than 7,000 pre-built integrations. 

Every digital interaction begins with identity. Given that digital native businesses (DNBs) conduct their operations almost entirely through digital touchpoints, Okta is uniquely positioned to address their digital identity needs.

EITN: What types of DNBs are prevalent in Malaysia, and what are the business challenges they face?

Richard: DNBs are the lifeblood of the future digital economy. With growing investments in digital natives and an exponential growth of companies born in the digital age, digital natives are an up-and-coming component of Malaysia’s economy.

Malaysia has a well-developed startup ecosystem and DNBs across a wide variety of sectors such as e-commerce, fintech, digital payments, urban mobility, logistics, travel and so on. This includes the five digital banks that were awarded licenses in 2022 and are preparing to launch in Malaysia.

Maintaining the balance between security and user experience (UX) is critical for DNBs, especially in today’s heightened cyber threat environment and hyper-competitive digital economy.

Okta’s recent State of Secure Identity Report 2022 highlighted the exponential rise of cyber threats including fraudulent registration, credential stuffing attacks, and the widespread use of breached credentials. In the first three months of 2022 alone, Auth0, Okta’s access management platform, observed almost 300 million fraudulent accounts, accounting for about 23% of signup attempts, up from 15% in the same period last year.

One of the main challenges faced by DNBs that we’ve seen is how they can manage identity and access management (IAM) while innovating and scaling up their business operations. Oftentimes, developing IAM solutions from scratch or managing identity can take time and resources away from business-critical activities. If IAM and security are not managed well, DNBs will bear the brunt of the adverse impact to corporate reputation, customer trust, and potential penalties from regulatory bodies in the event of any breach.

EITN: How can technology help them overcome some of these challenges and grow their business?

Richard: DNBs are often faced with the choice between security and user-friendliness when designing their digital interfaces. Conventional wisdom tells us that you can make an application super secure, but very inconvenient to use. Or you can make it super convenient, but at the cost of security or privacy. This is a false choice.

DNBs can consider working with IAM experts and leverage tried-and-tested solutions, such as those from Okta, which makes it possible to improve the overall customer experience (CX) and keep customers secure at the same time, all while enabling app builders to focus on what is most important – innovating for their customers.

The ability to streamline registration and login across any device, stack, or platform also enables higher customer acquisition and retention, a better experience, and a fuller view of users for administrators.

Okta can help DNBs get enterprise-ready, onboard new users, and manage authentication across customers and employees, without diverting development resources away from their core product.

EITN: As references, how are DNB customers in the APAC region using Okta?

Richard: Singlife is one of our DNB customers in the APAC region. The company was formed through the merger of Singlife and Aviva Singapore, bringing together one of Singapore’s youngest homegrown digital-native financial services companies and one of the world’s oldest insurers.

Okta was tasked with integrating the cloud-first, mobile-native operation at Singlife with the more data centre driven traditional stack at Aviva to provide a simplified, seamless and secure login experience for customers.

All in all, Okta helped migrate more than 1.5 million customer identities to the newly integrated financial services company. Singlife’s advisers now have access to the right customer information at their fingertips, while customers can self-service simple tasks like updating contact details and access the information they need, all in one place. Okta’s identity and access management system also opens up opportunities for new experiences and new data intelligence to emerge through smarter customer analytics.

As part of a highly regulated industry, Okta’s ISO standards and certifications also helped ensure Singlife was able to fulfil industry compliance standards.

Okta’s extensible, easy-to-use, neutral technology allows DNBs and legacy organisations alike to plug it in to their existing infrastructure with ease while enabling a more seamless and secure digital experience for their end-users.

EITN: Beyond technology, what other measures can DNBs take – for instance in terms of people and processes – to improve customer experience while staying secure and keeping data private?

Richard: There are several measures that digital native businesses (DNBs) can take to improve customer experience while staying secure and keeping data private.

Having a Chief Experience Officer (CXO) or someone in a similar capacity to oversee the entire customer experience across all touchpoints will be critical to ensuring this.

DNBs will also need to develop a robust and comprehensive data privacy policy that is in compliance with local regulations in their jurisdiction.

On the employee front, DNBs should invest in employee training to ensure that all employees understand and follow data privacy and security protocols.

Lastly, they should conduct regular security audits to identify vulnerabilities and address them before they can be exploited by potential threat actors.

EITN: Customer identity trends and predictions for 2023

Richard: Looking ahead, we do see several trends in the customer identity and access management space becoming more prevalent in 2023.

  • Anti-phishing: More APAC organisations will pivot to authentication mechanisms that offer greater resistance to phishing attacks. Multi-factor authentication (MFA) is one example, as it limits what an adversary can do with a stolen password, and creates numerous detection opportunities when an adversary attempts to bypass it.
  • Passwordless authentication: Organisations will look beyond the traditional password authentication method, embracing passwordless methods such as biometric input (facial recognition or fingerprint) or hardware tokens. These can be combined with systems that check passive signals such as user behavior, atypical Web traffic and physical location to bolster defenses against access via stolen credentials.
  • Rethink standing privileges: Vulnerabilities are extended when standing privileges to critical infrastructure remain when the users no longer require them. Administrators will need to integrate identity governance and administration (IGA) and privileged access manager (PAM) capabilities with identity and access management (IAM), ensuring that IT has more power and control over access management without compromising on security or user experience.
  • Decentralised identity: Instead of relying on centralised databases, organisations will look to more decentralised forms of identity to bolster their defenses against credential theft. Individuals will also have more control over their personal information storage and use. Being decentralised means it will not be as easy for threat actors to take over vast amounts of digital identities, thus reducing the risk of misuse and simplifying compliance requirements.