Addressing Account Takeovers: Security Leaders Share Their Concerns

For many security stakeholders, the phrase “account takeover” brings to mind email account compromise. But today’s cloud application ecosystems are increasingly broad, interdependent, and complex. As these apps proliferate—and become ever more integral to key operational processes—additional points of entry into enterprise environments emerge.

At the same time, it’s progressively more difficult to maintain centralized visibility and unified control across diverse collections of cloud services. This is especially true when different business units are individually responsible for their own apps.

To better understand the challenges that security stakeholders face in this area, as well as how they are thinking about solutions, we surveyed over 300 security professionals across an array of global industries and organization sizes. Participants shared their views about the account takeover threat, where standard countermeasures fall short, and which features the ideal security solution offers.

Here are a few of the key takeaways from the report.

Already a severe threat, account takeover attacks have grown in prevalence in recent years. Threat actors are making more attempts to harvest credentials, steal active session cookies, or otherwise gain access to email and cloud software accounts. Unfortunately, an escalation in attempted attacks creates additional opportunities for success—and more dire consequences.

Given the increased volume of account takeover attacks—and the power that success puts into criminal hands—it’s no surprise that two-thirds of survey respondents listed account takeover attacks as one of the top four cyber threats that concern them the most. This makes ATO the leading worry for security leaders—even ahead of the threats that dominate headlines, like ransomware and spear phishing.

The anxiety about account takeovers is certainly justified, as survey participants are already experiencing this problem firsthand. A significant majority (83%) reported that their organization had been impacted by an account takeover attack at least once over the past year. Further, nearly half of organizations were impacted by ATO more than five times within the past year, while almost 20% had experienced 10 or more significant ATO attacks.

Over 70% of stakeholders claimed they “strongly agree” that preventing account takeovers is a primary concern, with fewer than 1% stating they disagreed with that sentiment. That said, there appeared to be increasing awareness that even some of the security measures previously considered the gold standard in ATO prevention aren’t suitably effective against modern cloud account takeover.

A mere 37% of respondents reported having strong confidence in the effectiveness of multi-factor authentication (MFA) in protecting against these threats. This is a justified opinion, as threat researchers observed a significant increase in MFA bypass attacks over the past year.

An investigation conducted by Kroll Advisory discovered that 90% of the successful adversary-in-the-middle (AiTM) and business email compromise (BEC) attacks it analyzed occurred while MFA was already in place.

Survey participants are even less confident in single sign-on (SSO) technology, another widely implemented ATO protection measure with limited efficacy. A full 65% of security stakeholders reported a lack of confidence in SSO’s ability to protect against compromised accounts. SSO does have benefits—for instance, it’s easier to apply rules requiring strong passwords since these have to be enforced in only one place. However, SSO still has a significant downside: once compromised, it offers attackers ease and simplicity when it comes to lateral movement across the environment.

Considering the large number of successful account takeovers and their devastating consequences, it’s clear that defenses—across geographies, organizational sizes, and industries—could be more effective than they are today.

To gain better insight into why stopping ATO is a growing problem, survey participants were asked about their biggest obstacles to preventing account takeovers. Nearly 60% of stakeholders chose concern about potential business disruptions as the leading response. This is understandable, as automatically blocking account access when suspected ATO activity is detected can drastically interfere with operations—especially when this access is for mission-critical business applications.

Insufficient automation, also near the top of the list of inhibitors, was mentioned by half of the participants. Again, this is reasonable, given the need for speed in effective defense. Insufficient integration among the organization’s security solutions was similarly ranked and is closely related to the next-most highly ranked inhibitor: insufficient visibility.

To counter these threats, security teams need consistent, uniform visibility and control across often disparate ecosystems of cloud apps and services. Unfortunately, currently available tools often offer only fragmented visibility, protect only some applications, and neither correlate events nor deliver actionable insights.

Regarding their initiatives to upgrade their defenses against account takeover attacks within the next year, more than half of survey participants stated that improving integration among their current security tools was a top priority. Such integration is key because these attacks typically leave multiple signals across different applications, particularly as threat actors move between platforms.

Additionally, 41% of respondents reported the need to replace current tools and solutions with better ones. This is likely a result of the dissatisfaction leaders feel with the capabilities that are most widely available and most popular today—underscoring the need for a new and radically better approach.

When asked to list the most important features of an ideal solution for defending against account takeover attacks, 66% cited the accuracy of detection and prevention capabilities as the #1 requirement. This was closely followed by the ease of integration with existing tools and workflows (58%), coverage for all of the organization’s applications (57%), and ease of deployment (46%).

The threat posed by account takeover attacks has long been pressing and severe, but recent technological advances have made it easier than ever for cybercriminals to trick end users into giving up their credentials. Threat actors today use an array of effective strategies—ranging from brute forcing and credential stuffing to session hijacking—to gain access to business email and cloud software accounts.

Not only can account takeover attacks be widely and almost instantly destructive, but the tools that security teams have relied on to detect and stop them aren’t adequate for the problem at hand. With the lack of cross-platform visibility and few ways to control the full spectrum of enterprise applications, it’s clear that there is a need for a new approach to account takeover detection and remediation.

For more insights into how modern security leaders are addressing the threat of account takeover, download the report.