Industry executives and experts share their predictions for 2023. Read them in this 15th annual VMblog.com series exclusive.
Tech Taking Over the Security Burden and What Else to Expect in 2023
By Eric Avigdor, Senior Director of Product Management, JumpCloud
Organizations have adapted well to hybrid and remote work, due in large part to the IT admins
who have managed and secured user access across a complicated IT landscape. Our
recent research shows that 10% of IT admins use nine or more tools to simply
manage the employee lifecycle and 16% of admins estimate employees need 10 or
more passwords to do their jobs. This kind of tool sprawl introduces all kinds
of security risk, as it requires a perimeter to be drawn around every access
transaction, on any device, in any location. These increased vulnerabilities come
at a time of increased targeting of organizations, especially small and
medium-sized enterprises. Verizon's 2021 Data Breach Incident Report (DBIR) found that SMEs are now experiencing the same types and frequency of
attacks that have historically been more unique to large enterprises.
As organizations of all sizes look to bolster their security posture in the coming
year, here are three things I think we'll see:
A transfer of risk to technology
Many organizations have been slow to create and/or adopt policies and practices for
employees to follow regarding device use, especially around personal devices.
Good employees with no ill intentions will still log in from a personal device,
let a family member use their work device for personal reasons, or log in using
the local coffee shop's network.
Employees want to
be able to do their job without complications, and if IT teams can make that
experience as friction-free as possible, then good security practices will
follow. A few steps that can help include:
- Using MFA methods that aren't complicated. You can take advantage of
native-built device tools like a fingerprint reader or Face ID.
- Centralizing patch management. Organizations are looking for trouble if they
expect users to accept updates and patches with the same diligence an IT
team would. Manage it for them through installed agents that can ensure
updates have been downloaded and install those updates when it will least
impact employees' work.
- Getting rid of multiple passwords. Deploying SSO or a password manager mitigates
the risk of employees using the same password across multiple sites and
eliminates the incentives for users to lean on easy-to-remember (and
easy-to-crack) passwords.
- Implementing conditional access policies. Using a least-privilege access model can
connect employees with the resources they need without overly liberal
permissions.
- Establishing device trust. This is important for company and personal devices, and can
be done with a light touch, such as using an agent that can remotely lock
a stolen device, or a heavy one, which can manage device configuration and
applications and silo data determined to be sensitive.
- Managing personal device activity. For environments that rely on the use of
personal devices, plan to enable limited access to low-risk environments
in a BYOD environment by leveraging technologies that allow organizations
to register and allow access by specific devices.
Uptick in Biometrics
The rise of MFA fatigue attacks and what businesses are
doing to repel them will be a big theme in 2023. I think organizations will
turn more attention to developing (and communicating) best practices and
creating more intentional training programs for employees around security
policy and user expectations. But also coming out of this will be a big
increase in corporate use of biometrics as an MFA step to eliminate the
potential trickery of emailed and texted passwords. Passkeys, an authentication
system that replaces traditional passwords with cryptographic keys, are
becoming more common in enterprise authentication. FIDO offers a strong framework for passkeys for companies
looking to move toward passwordless, and both will play a role in driving
adoption of biometrics.
SSO
We'll see accelerated adoption of single sign-on. SSO adoption has been on an upward
trajectory, but there's still plenty of room to grow - our research found that
46% of small and medium-sized enterprises currently use SSO across their entire
organization. As security threats continue to evolve, more organizations will
centralize log-ins as a way to reduce the attack vector and also mitigate
employee behavior that might compromise credentials.
I think 2023 will be the year in which we'll reach the fulcrum of technology use
in identity and access management, and move toward platforms over endpoint
solutions. IT teams have ably managed the last two years with tenacity and
relentless determination to secure their organizations and make work as easy as
possible for employees. Now that hybrid models have settled into a kind of
normalization, I believe IT admins will be on the lookout for how they can
reduce employee-based risk and how they can consolidate tools for more secure
IT management.
##
ABOUT THE AUTHOR
Eric Avigdor is a senior director of product management at JumpCloud. Prior
to JumpCloud, Eric served in senior roles at Gemalto (acquired by Thales),
Aladdin, and ECI Telecom. Eric has over two decades of experience in hardware
design, security, and product management.