Five reasons organisations are investing in Identity and Access Management

Identity and Access Management (IAM) is continuing to attract investment from businesses, with over 80% of global IT decision makers having already adopted or planning to adopt an IAM solution over the next two years, according to a study from Forrester. A variety of cyber security, compliancy and cost drivers are all helping to fuel the move – here are the five main reasons businesses are moving to adopt IAM.

1. Protecting against financial cost of data breaches

The average cost of a data breach has been rising steadily year-on-year, soaring to a record high of £3.36 million in the UK in 2021. As well as disruption to businesses, data breaches also incur additional financial penalties in lost customers, crisis management, assessment and audit services and legal costs.

The increasing frequency and severity of data breaches has also seen the costs of insurance against data breaches increase at a rapid rate. According to Aon, the average rate change from carriers moved from +12% in Q4 2020 to +35% in Q1 2021, a trend that shows little sign of slowing down.

Passwords are by far the biggest cause of data breaches, with 61% of successful breaches in 2021 involving credentials, a problem which an Identity & Access Management solution with Single Sign-On mitigates. By addressing the root cause of the problem and taking the responsibility of creating, managing and entering passwords away from end users, an IAM solution can significantly reduce the risk of cyberattacks which leverage weak passwords as an attack vector, including phishing, brute force, and credential stuffing.

2. Protecting against reputational risk of data breaches

While some costs incurred by data breaches are overtly attributable, such as regulatory fines, others can be more difficult to accurately forecast. Organisations that have suffered data breaches frequently report a negative impact on both customer and investor confidence. The effect on a company’s share price can be severe both in the short and long-term, with one study from Sustainability finding an average of an 18.5% loss over the following twelve months.

As well as posing risks to the business, there are also reputational risks for individuals to consider. While a data breach poses an obvious risk to CIOs and CISOs, the largest and most publicised data breaches over the past decade have also forced the resignation of CEOs, including those of Equifax and Target.

With the increased protection provided by an IAM solution against cyberattacks, organisations can demonstrate to both customers and investors that they have taken a proactive, risk-based approach to mitigating cyber security threats and keeping corporate data secure. This not only minimises the risks of data breaches, but also mitigates any reputational damage should one occur.

3. Meeting compliance obligations

As well as the direct costs incurred by data breaches, regulatory pressure is also becoming a significant driver for business’ investment in security. Regulatory fines are comprising an increasingly large percentage of the total cost of data breaches, and the risk of audit failure was the second-biggest driver of investment in cyber security projects in 2020, according to a Thycotic survey of more than 900 CISOs and senior IT decision makers.

General Data Protection Regulation (GDPR) laws, which the UK has retained post-Brexit, have been the most significant of these regulatory pressures. Fines issued by the Information Commissioner’s Office (ICO) reached a record £42 million in the financial year 2020/21, a staggering 1580% increase on the previous year. This included the record £20m fine handed to British Airways in October 2020, for failing to take adequate security measures to protect customers’ personal and financial data.

The UK Government’s National Cyber Security Centre sets out several guidelines for ensuring appropriate security measures have been taken to protect customer data. These include:

• “Strongly authenticate users who have privileged user access and consider two-factor or hardware authentication methods”
  
  
• “Have a robust password policy which avoid users having weak passwords”
  
  
• “Access rights granted to specific users must be understood, limited to those users who reasonably need such access to perform their function and removed when no longer needed”

While these comprise strong cyber security advice, it is extremely difficult for businesses to ensure employees adhere to these guidelines without a technological solution to enforce security policies. An IAM solution can help organisations achieve this by removing the burden from users and ensuring company-wide adherence to strict security practices through automated password-based authentication and leveraging passwordless authentication. The use of token-based authentication or password vaulting and forwarding ensures that no weak passwords are used to access corporate data, and automatic deprovisioning ensures that users are not left with access to data they no longer require.

4. Driving business efficiency and cost reduction

The migration towards cloud applications has resulted in the average enterprise now making use of 288 different cloud apps. But this rapid growth of cloud app usage also causes a parallel growth in the number of credentials required to access them. Remembering many unique, strong passwords has become an impossible task for most employees, and as a result, many turn to poor security practices such as weak and reused passwords. However, many of these credentials are simply forgotten, resulting in up to 40% of IT helpdesk calls being for password resets, causing significant downtime both for the employee and the IT department.

IAM solutions can eliminate both the security and productivity issues with passwords by employing Single Sign-On (SSO). Token-based authentication can replace passwords for many cloud applications, using open security standards such as OIDC and SAML to allow employees to quickly and securely access applications after signing into the corporate directory.

Where apps are not compatible with these protocols, automated password-based authentication can instead be deployed to give users a passwordless experience. High-entropy, unique passwords are generated for each application to ensure the end-user experience is practically identical, with users authenticated immediately upon accessing an application.

IAM solutions that leverage existing corporate directories can also greatly reduce the workload of IT departments in onboarding and offboarding users from applications. Policies can be configured within the IAM solution that enable user accounts to be provisioned on 3rd party applications based on group membership within the directory. Access can then automatically be revoked when the users is suspended or deleted from the directory. As well as the security benefits, users suffer far less downtime, IT departments can automate user account lifecycle management, and the business can enjoy the benefits to efficiency of cloud migration without compromising on security or productivity.

5. Facilitating secure hybrid working

The Covid-19 pandemic necessitated a rapid move towards remote working for many businesses, with most opting to retain at least a hybrid model in the future. The pace of the change, however, resulted in many organisations being unprepared for the additional security challenges posed by remote working.

Since the start of the pandemic, the FBI reported a 300% increase in cybercrimes as many organisations struggled to manage the security risks of remote working. Phishing was one of the most significant types of attacks to see a major increase, with a 2020 survey from Tessian showing 47% of tech workers had clicked on a phishing email while working from home. Brute force attacks also saw a significant surge, in part due the rapid increase in open RDP ports associated with remote working which were targeted by malicious actors.

A high-impact IAM solution is a key component in allowing an organisation to securely transition to remote and hybrid working models. With SSO in place, the threat of phishing is eliminated since users either rely on token-based authentication to access applications, or have password-based authentication automated without the credentials being disclosed to the user. The use of these methods also makes brute force attacks significantly harder due to the use of high-entropy passwords which are resilient to typical tactics such as credential stuffing.


As data becomes an increasingly valuable corporate asset, ensuring its safety and security has become a top priority for many enterprises. With the impact of costs associated with data breaches on organisations, as well as the advantages to efficiency and productivity, IAM solutions offer an effective cost to benefit ratio for many businesses.

Find out more about how IAM can protect your business from data breaches.