Why the password should never be the last word in data security
The recent cyber-attack on Deloitte was yet another example of the lax security measures being deployed by some of the world’s biggest corporations. Deloitte isn’t alone; Equifax as well as the likes of Tesco Bank, Wonga, LinkedIn, and Yahoo have all fallen victim to cyberattacks in recent years. But it’s not just a breach that these companies have in common; they all gather and store vast amounts of consumer and client information. Hacks targeting these organisations – plus many more – are diminishing the trust consumers place in those who hold the keys to their financial and sensitive data. More robust security measures must be deployed across all industries, and with the GDPR coming into force next year they must be deployed now, writes Richard Parris, the chief executive of Intercede.
September saw a string of high-profile cyber-attacks: Instagram, Whole Foods, Equifax and Deloitte. We’ve heard the warnings time and time again, and the Deloitte breach once more draws much-needed attention to the failure of username/password authentication to adequately safeguard IT systems and databases. According to reports, hackers were able to access Deloitte’s email server through an administrator’s account which was secured with only a single password and did not use multi-factor authentication. This is a rather discomforting fact given that the firm advises some of the world’s largest companies on cybersecurity, among other things. How many more attacks of this nature are we going to see before a more proactive approach is taken to cybersecurity?
A range of advanced security technologies which far exceed the outdated password are straightforward to implement and are available now. Yet Deloitte is not unique in shirking its responsibility to ensure the safety of consumer and client data. Intercede recently conducted research which revealed that a huge 86% of respondents – system administrators, those that hold the keys to ‘access all areas’– rely on username and password authentication when accessing their main business account on-site. Seventeen per cent fail to even use complex passwords – something we as consumers are warned about all the time. With a staggering 81% of hacks in the past year leveraging stolen and/or weak passwords, the current widespread approach to security does not go far enough.
We’re starting to see stronger methods like biometric technology being introduced as a securing measure for a range of business and consumer applications. This is certainly a promising step towards eradicating password authentication, but it’s important to remember that not all biometric authentication is entirely secure, and using it in isolation simply won’t cut it. Instead, adequate security must incorporate three distinct elements: possession (something you have, such as a smartphone), knowledge (something you know, such as a PIN), and inherence (something intrinsic to you). Even then, these sophisticated alternatives to the password are only in use by a woefully small number of organisations and individuals. Our research found that only 6% use virtual smart cards and PINs, and only 2% biometrics, as methods for on-site authentication.
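To make the knowledge and possession factors concrete, here is an added example (not code from the article or from Intercede) of a server-side check that requires both a PIN and a one-time code from a phone app. It assumes the possession factor is a time-based one-time password (TOTP, RFC 6238 built on RFC 4226 HOTP), which the article does not name; the PIN, salt and shared secret are constructed demo values, and the inherence factor is deliberately left out because biometric matching cannot be shown meaningfully in a few lines.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo credential record. In a real deployment the PIN hash and
# the TOTP secret would sit in a server-side or hardware-backed store, not in code.
DEMO_PIN_SALT = b"constructed-salt"
DEMO_PIN_HASH = hashlib.pbkdf2_hmac("sha256", b"2468", DEMO_PIN_SALT, 100_000)
DEMO_TOTP_SECRET = b"constructed-shared-secret"  # the same bytes are provisioned to the phone app


def verify_pin(candidate: str, pin_hash: bytes = DEMO_PIN_HASH, salt: bytes = DEMO_PIN_SALT) -> bool:
    """Knowledge factor: hash the entered PIN with PBKDF2 and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 100_000)
    return hmac.compare_digest(digest, pin_hash)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(candidate: str, secret: bytes, at: int, window: int = 1, step: int = 30) -> bool:
    """Possession factor: accept the current step and +/- `window` neighbouring steps for clock drift."""
    counter = at // step
    return any(
        hmac.compare_digest(candidate, hotp(secret, counter + drift))
        for drift in range(-window, window + 1)
    )


def authenticate(pin: str, code: str, at: Optional[int] = None, secret: bytes = DEMO_TOTP_SECRET) -> bool:
    """Both factors must pass. Both are always evaluated so the response does not
    reveal which factor was wrong; a single password would be one factor only."""
    now = int(time.time()) if at is None else at
    pin_ok = verify_pin(pin)
    code_ok = verify_totp(code, secret, now)
    return pin_ok and code_ok


if __name__ == "__main__":
    # Simulate a phone app generating the current code, then a login attempt.
    phone_code = totp(DEMO_TOTP_SECRET, int(time.time()))
    print("PIN + current code:", authenticate("2468", phone_code))
    print("PIN + stale code:  ", authenticate("2468", "000000"))
```

The drift window is the practical compromise every TOTP deployment makes: one step either side tolerates phone clocks that are a little off, while a wide window would steadily erode the factor. Note also that a fixed-time `at` argument is only there to make the check reproducible; production code should use the server clock and additionally record and reject a code that has already been used within its step.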
Many businesses mistakenly take an ‘it won’t happen to me’ attitude, yet with reports that UK firms were, on average, subjected to almost 65,000 cyber-attacks each in the space of just three months, assuming this negligent stance could cost a business dearly. As of May next year, this will certainly be the case when the GDPR is enforced, demanding tougher data security practices. This, in combination with the highly publicised damage hacks have caused to both profit and reputation, should spur firms to act now. Organisations must implement stronger, multi-factor authentication which incorporates possession, knowledge and inherence, to maintain consumer and client trust, secure data, and future-proof their business.