It's time for 21st century security
The password may have been an effective security measure when it was first implemented in the 1960s, but in today's cyber criminal ridden world, a better solution is required, says Vasilis Polychronidis, CEO, iCrypto.
The recent news regarding the data breach at Liberty, where it was reported that extortionists wanted "millions" from the company to avoid the release of "top clients' critical information", would have been frightening to businesses of all sizes and across all verticals. But, even more terrifying should have been a headline that appeared in the wake of this story, which simply stated: "Liberty data breach: it could happen to any corporate".
Such a headline makes it clear that, while the Liberty situation is the topical issue right now and is clearly the most visible, it is merely the tip of the security iceberg. Moreover, this breach, like virtually every other one that has occurred, comes down to the same factor: companies are compromised through people, both their own staff and the partners within their ecosystem.
This is the real challenge faced by enterprises: no matter what security precautions are implemented or how many different types of systems are used, human beings remain the organisation's weakest link, says Vasilis Polychronidis, CEO of iCrypto. No matter what governance is enforced, how legislation is structured and what levels of compliance are implemented, unless something is done to eliminate the natural tendency of people to avoid more secure and perceived cumbersome processes, companies will continue to face the same security challenges over and over again.
A good example here would be a company with a security policy that insists on complex passwords changed every month. The policy is good in itself, but because people today use a multitude of passwords for an array of different things, their tendency is to simplify matters for themselves as much as they can. This means either choosing simple passwords or reusing the same password across many different forms of access. In fact, many users today write their passwords down in spreadsheets, which are often synchronised across all of their devices. So, although the business's security policy is strong, the actual passwords are relatively easily obtained or cracked by criminals because of the human nature of the users.
Clearly, then, the password is no longer enough to serve as an effective security barrier, which is unsurprising, since it is a security solution that was first implemented more than 50 years ago. It is certainly time for enterprises to move into the 21st century, by adopting a security solution that is more in tune with the times in which we live.
Such a solution needs to effectively do away with passwords and simplify things by recognising the real point of failure is the organisation's people. It should not only be conscious of how people generally behave, but also deliver a whole new paradigm in terms of high level security.
The ideal place to begin is by vetting and verifying the identity of each individual user (employee, contractor, partner), and then providing strong authentication that follows proven, standards-based and compliant security measures while minimising user interaction and reducing friction in the user experience. The solution needs to simplify the user experience while still allowing state-of-the-art security measures that are flexible enough to adapt to changing requirements.
Once you have a vetted and verified digital identity with strong authentication, it becomes a simple matter of implementing business rules to govern everything from physical entry into the building, through to what each user is allowed to do with company data, and what applications and business functions they are allowed to access.
With verified digital identities for users, managing access and security becomes quite simple, and this encompasses the management not only of employees, but also vendors, suppliers, contractors and customers. Such an approach also ensures a complete audit trail, so if security is breached, it is a simple matter to trace how this occurred.
Most crucially, because it is digital, it enables the enterprise to automate the processes related to the protection of infrastructure, systems and data. And when it is fully automated, you are able to eliminate the inevitable failure point in a manual system, which is, of course, the behaviour of the people.
Much is made of how the new General Data Protection Regulation (GDPR) is going to significantly improve how data is protected, but however strong the law, companies will still fundamentally fail at complying with it until they recognise that their greatest weakness remains the individual, whose security lapses inevitably lead to breaches. And these, in turn, will continue occurring as long as we keep using manually entered user names and passwords.
In essence, the difference between using passwords and digital security solutions could be likened to having a door on your property that is breached by criminals. While the immediate response would be to put up a stronger door, true security will only be achieved by changing the behaviour of the people who left the initial one open in the first place. Taking this type of behaviour into consideration, iCrypto takes this one step further and closes the door behind you.