In India’s rapidly changing digital environment, the threat of cybercrime looms larger than ever, with businesses facing an array of threats, from data breaches to ransomware attacks. As businesses in India grapple with these challenges, the importance of strong cybersecurity measures has never been more apparent. Okta, a leading identity provider, offers valuable insights into navigating this complex terrain, drawing from its own experiences and expertise.
The consequences of a cyberattack can result in financial losses, reputational damage, and compromised data security. Recent studies reveal the severity of the situation. According to IDC, a staggering 78% of Indian enterprises fell victim to ransomware attacks in 2023, with phishing being a primary conduit for these malicious events. The repercussions of such attacks are profound, with IBM’s Security Cost of a Data Breach report revealing a 28% increase in the average cost of data breaches in 2023 compared to 2020, reaching Rs 17.9 crore. Despite these figures, many organisations persist in believing they are unlikely to be a target. Brett Winterford, Okta’s APJ regional chief security officer, emphasises the stark reality facing businesses: It’s no longer a question of if but when you fall victim to a cyberattack. This reiterates the need for organisations to prioritise their cybersecurity resilience and readiness.
Lessons from Okta’s response to cyberattacks
Okta’s own encounter with an advanced adversary in October 2023 serves as an example for all businesses to adopt a proactive and comprehensive cybersecurity strategy. Following the October security incident, Okta’s leaders embarked on a 90-day sprint solely focused on security enhancements and reducing technical debt. “From a product perspective, we prioritised hardening Okta administrative sessions, API sessions and new default configurations, it was an effort our customers highly appreciate,” said Winterford.
The Okta Secure Identity Commitment, announced in February 2024, is the company’s way of demonstrating a longer-term commitment to solving security challenges. Okta’s goal is to create a security-first culture that will help to raise the bar for security across the SaaS ecosystem. Winterford continues, “Our ongoing program emphasises the delivery of best-in-class security features, hardening our corporate environment, championing security best practices, and elevating the role of identity to combat evolving threats.”
The initiative embodies Okta’s commitment to championing cybersecurity best practices across the industry. Winterford elaborates, “Over the first 90 days of our sprint, we built the necessary features in our own applications to address the ongoing menace posed by the theft and replay of session tokens and API tokens. The enhancements we delivered made use of open standards, many of which our engineers contributed to bodies like the IETF and OpenID Foundation. The next challenge is to build broader support for these standards such that any B2B SaaS vendor can achieve the same protection. If we can help the broader application ecosystem to step up, our mutual customers win at the end of the day. They will be far more resilient against these forms of attack.”
Winterford detailed how Okta’s secure identity commitment comprises four pillars:
1. Investing in market-leading products and services: Okta prioritises security-by-design, enhancing its identity products and services to mitigate evolving threats.
2. Hardening corporate infrastructure: Okta is adopting a holistic approach to security, applying the same vigilance to corporate systems as production environments.
3. Championing customer best practices: Okta empowers its customers to enhance their security posture through education and awareness initiatives.
Okta has already tightened policies on administrative access to the Okta Admin Console, enforcing use of MFA and introducing stronger default idle and maximum session durations. Okta is also introducing prompts in the administrative console to nudge users toward the use of passwordless, phishing resistant authenticators that offer far higher assurance.
4. A Collaborative approach to security: Okta recognises the importance of collaboration in combating cyber threats, extending support to nonprofits through initiatives like Okta for Good. Part of this includes a $50 million funding injection which extends assistance to nonprofits working in areas such as social justice, climate change, and investing in security skills. Okta is also investing in the ongoing development of the shared signals framework and universal logout, providing a seamless means of exchanging risk signals between Okta and the SaaS applications it secures access to.
Protecting against identity-based attacks
Winterford believes the most pressing identity-based attacks are forms of phishing and social engineering designed to defeat the first generation of MFA solutions. Organisations need to assess the degree to which their authentication policies can withstand threats like adversary-in-the-middle phishing, and whether their account recovery processes can withstand social engineering attacks. Enrolling users in phishing-resistant authenticators provides a superior user experience and prevents users from sharing credentials with attackers.” Okta is at the forefront of dealing with phishing attacks, protecting more than 18,000 customers. Okta sees its role as championing a holistic approach to cybersecurity for its customers, partners, and the industry.
“As the world’s leading independent identity provider, we expect our systems to be targeted constantly. We continue to share insights about what we observe to ensure customers are taking the appropriate protections.”