Cybersecurity remains a chief concern for middle market companies, and the battle against cybercriminals shows no signs of slowing. Hackers will take advantage of any vulnerability they can find to breach a network, and history has shown that accounts and systems secured by passwords are inherently at risk. Instead, proactive companies are focusing on passwordless digital identity strategies, with identity and access management (IAM) strategies at the forefront of that movement.
Many security strategies that companies commonly employ can lead directly to cybersecurity concerns. In the 2024 RSM US MMBI Cybersecurity Special Report, the leading digital identity measures among middle market companies were providing access as needed (31%), single identity access to systems such as single sign-on (24%), and disparate usernames and passwords (22%).
No method is perfect, but the first two of these strategies often require security personnel to manually commission and decommission access, which can be a challenge when companies have few internal resources and additional qualified talent can be difficult to hire and retain. Further, utilizing disparate passwords is no longer a truly effective strategy, as hackers can often guess passwords, or users may write complex logins down on paper or store them in a file on their computer, creating low-hanging fruit for potential criminals.
The potential answer lies in the fourth most popular answer in the MMBI survey: Passwords are a thing of the past. While only 11% of MMBI survey respondents indicated that they have gone passwordless at this point, the momentum behind these IAM strategies is growing. And for good reason.
In today’s technology environment, users, systems and devices all have their own identities, and often multiple identities, depending on what they are trying to accomplish. Unfortunately, those are difficult to harness and manage within traditional digital identity strategies.
“There are a couple of different aspects to IAM, and every company comes at it in different ways,” says Chad Wolcott, a managing director at RSM. “Ultimately, I see more organizations looking at IAM as an enabler to confidently manage those digital identities. It allows companies to manage that entry point into the organization and do it in an efficient and secure way.”
IAM enables companies to manage some very tactical security areas more effectively. For example, an effective IAM approach can help onboard people quickly so they can be productive immediately, and access can be removed when they leave the organization. There are other security controls that can do that, but IAM creates a frictionless experience for employees and customers.
IAM is all about creating better user experiences within a company’s overall cybersecurity framework. From a security and access perspective, it’s the best of both worlds.
“It uses identity to help deliver an experience that empowers the user—whether that’s a customer or a member of your workforce,” says Daniel Gabriel, an RSM principal. “It’s really more of a business tool than anything else anymore.”
As companies consolidate and perform transactions, IAM can be a valuable tool to maintain security and create a consistent user experience.
“As companies buy up their competitors, you can have the same population that has different views of the organization,” says Wolcott. “If I have accounts with five different small banks and they all get acquired by a regional bank, that bank sees me as five different people. That’s not the experience I want as a customer. Using IAM to merge all that information together into a single experience is hugely powerful because then you can apply other controls on top of that to ensure everything is happening securely.”
Establishing an IAM approach is not a technology-first problem. Companies need to understand the key drivers in the organization and determine a strategy around what they want to accomplish. Use cases that need to be factored in should be detailed and then rightsized to fit the program before execution.
“Thirty percent of the identity challenge is technology,” says Wolcott. “The other 70% is the people, the process and dealing with bureaucracy. So, the best way to start is to understand what the organization’s needs are, and then build up that road map to meet those needs over time. It’s about incremental progress over delayed perfection. Do not try and do everything out of the gate—start small and build from there.”