Issue: North America I 2015
Topic: Defining a workable corporate security strategy in the age of the data breach
Fraser has worked in systems development and software sales for almost 40 years on four continents, including 17 years in the United States as Head of Retail Banking Systems at both Continental Bank in Chicago and Key Bank in Cleveland. In the UK he was Head of Technology at Smile, the Co-operative Bank’s Internet bank, as well as Head of Technology Strategy at the Co-operative Bank. Fraser has been with Swivel Secure since its formation in 2001 when he joined as Chief Operating Officer, and became Director of Business Development in 2007.
He holds a Mathematics degree from the University of the West of England, and an MBA from Case Western Reserve University in Cleveland, Ohio.
Data breaches have now become the norm rather than the exception, and the sophistication of the attacks is constantly evolving. The Ponemon Institute (USA) reported that the average cost of a company data breach in 2014 was US$3.5 million, a rise of 15% compared to its 2013 study.
From these figures it’s fair to say that many enterprises, including Target Corp, Anthem Health, eBay, Sony and LinkedIn, have found the task of implementing an effective IT security strategy impossible.
Those ‘in charge’ of IT security are now working in the most testing of times. Many have to contend with a personal-device-wielding, convenience-loving workforce and opportunistic bosses hell-bent on driving ever greater operational efficiency. These pressures all too often overshadow the fundamental principles of enterprise IT security, and organizations are paying a heavy price as a result.
Top three IT security failings
1 – Passwords
Usernames and passwords (UNPs) remain the most common form of authentication for the vast majority of business and consumer applications. Despite their ubiquity, passwords are vulnerable to a whole range of attacks, and their widespread re-use across multiple accounts only serves to amplify this vulnerability by increasing the ‘attack vectors’ for each. Independent research commissioned by Swivel Secure Inc. last year revealed that 44.2 per cent of Americans log in to their corporate systems remotely using a UNP, with one in five also reusing the same password across multiple personal and corporate log-in gateways. This plague of reuse has big implications. In some cases, it may only take one employee’s personal login details to be hacked for an entire corporate network to be compromised, together with all of the sensitive data held within.
Yet whenever a breach occurs, the advice from the top is simply to ‘change your password’ and all will be well. End users are also consistently advised by service providers to devise new, unique, ‘strong’ alphanumeric passwords for each and every application that requires a log-in. In reality, the construction of these ‘5tr0nG pa55w0rd5’ achieves very little: given the sheer number of passwords an end user is required to remember, the same UNP inevitably finds its way into the authentication gateways of multiple applications. Such practices play squarely into the hands of cybercriminals, who exploit this popular behavior through phishing and key-logging attacks in the hope of finding a way into corporate systems undetected using a stolen password.
2 – The pursuit of convenience
Convenience is something that all consumers have quickly come to expect from their digital services, thanks to the range of user-friendly and feature-rich devices and applications now available. Indeed, a convenient user experience is something that employees are now demanding from their workplace, so much so that many businesses now fear a backlash should they interfere with the status quo in a bid to improve security.
In the online consumer world, a relentless and questionable bid to make things even more convenient for consumers is well underway. UNP-based ‘single sign-on’ facilities enable users to log-in to an application that can then automatically open the door to a host of others. Checking the ‘remember me’ box at the login stage removes the requirement to re-enter their UNP details upon their next visit, leaving the door open. This practice is starting to filter into the corporate world, and again highlights how the obsession with convenience is overshadowing the need to ensure that sensitive personal and commercial data doesn’t fall into the wrong hands.
Even for large-scale corporate cloud installations, the added ‘friction’ of stronger security at the login stage has been seen as a step too far; an annoyance to convenience-loving employees who see it only as an extra ‘hassle’ when trying to access information. It is unnerving to consider how many consumer cloud applications, like Dropbox, are already sitting on employee desktops and being used to store and exchange sensitive information, without the knowledge of those in charge of network security. In short, convenience has created a multitude of weaknesses in the security chain.
3 – The BYOD phenomenon
The convenience trend has also been driven by the ‘bring your own device’ (BYOD) phenomenon. BYOD, where an employee uses their own device in the workplace, has taken security out of the control of CSOs, who have allowed (or been compelled to tolerate) ‘unknown’ devices accessing the network, often without enterprise-level security in place. BYOD has also forced the security department to re-engineer its security policies. Increasingly we are seeing CSOs who have been forced to curtail their security policies in reaction to a CEO’s demand to read email on a tablet, instead of developing a holistic policy for the entire infrastructure and applying it to the network’s various access links (such as remote VPN, cloud, mobile device or desktop). Inevitably, this leaves hackers with more weak points to exploit.
A workable security policy
Few can claim that their business was more productive before the digital age. Cloud computing, the Internet and BYOD have all delivered innumerable benefits for organizations. But it’s time to accept that cyber attacks are a real and significant threat, and that modern technology presents as many security challenges as it does business opportunities. We must all face the fact that by integrating these technologies into the workplace without adequate security measures – i.e. continuing to rely on UNPs or allowing ‘frictionless’ and convenient access methods – we are part of the data breach problem, not part of the solution.
What is needed is a workable security policy that fits with the organization in question, moving away from standalone security strategy to an IT strategy which has security as a business critical component.
The crucial first step in establishing this type of strategy is educating employees on the IT security threats. This means everyone from the shop floor to the boardroom. Those in charge of IT security must draw a hard line, and employees themselves must accept that if they want the freedoms and benefits of working from home, or accessing their emails remotely on their own device, their access will be predicated on some degree of secure authentication.
A positive approach for those in charge of corporate security is to take a holistic view of their entire business, assess what is ‘business-critical’ and customer sensitive and then define a strict policy document that must be adhered to at all levels. Mapping out the security risks of the company in this way will enable organizations to assign access control parameters that work best for their individual business structure, keeping the gateways to certain information accessible only to those with the right permissions.
Fortunately, this can be achieved through a standalone authentication platform which redirects users back to the corporate domain so that their credentials can be validated using a corporate authentication solution before access is granted. But this extra level of authentication should not be viewed as the ‘enemy’ of the user experience. On the contrary, new adaptive authentication solutions can apply exactly the level of visible security that is appropriate to the access being requested. By prompting a user for strong or two-factor authentication when accessing confidential files from a remote location, for example, the system reminds them of the security risks associated with whatever it is they are doing.
Applying this appropriate level of ‘friction’ to the authentication process will ensure that a user is conscious that they’re moving from an open to a secure environment, and must proceed in accordance with the enterprise security policies that have been defined for that particular environment.
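The policy just described, classify what is business-critical, then let the sensitivity of the resource and the context of the request decide how much authentication ‘friction’ to apply, can be expressed as a small decision function. The following is an added illustration, not code from the article or from Swivel Secure’s product; the resource classification, the policy rules and every name in it are constructed assumptions for the sake of the example.

```python
"""Adaptive (risk-based) step-up authentication policy, added example.

The request context (corporate network vs. remote, managed vs. BYOD device,
strength of the session already established) and the classification of the
requested resource determine whether access is allowed as-is, must be
stepped up to a stronger authentication, or is refused outright.
All names, classifications and rules here are hypothetical.
"""
from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    """Ordered strength of authentication; a higher value means more friction."""
    SESSION = 0      # an existing session ('remember me') is enough
    PASSWORD = 1     # username and password (UNP)
    TWO_FACTOR = 2   # UNP plus a second factor, e.g. a one-time code
    DENY = 3         # policy forbids this combination entirely


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2   # 'business-critical' or customer-sensitive data


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    on_corporate_network: bool   # inside the office vs. remote (VPN, cloud, mobile)
    managed_device: bool         # enterprise-managed vs. employee-owned (BYOD)
    session_level: AuthLevel     # authentication already performed in this session


# Constructed asset classification: the output of mapping out which
# information is business-critical, as the policy step above requires.
RESOURCE_SENSITIVITY = {
    "intranet-news": Sensitivity.PUBLIC,
    "email": Sensitivity.INTERNAL,
    "customer-records": Sensitivity.CONFIDENTIAL,
    "board-papers": Sensitivity.CONFIDENTIAL,
}


def required_level(req: AccessRequest) -> AuthLevel:
    """Minimum authentication strength for this request (hypothetical rules).

    * public resources: any established session will do
    * internal resources: password on the corporate network, two-factor when remote
    * confidential resources: always two-factor, and refused from an unmanaged
      (BYOD) device that is also outside the corporate network
    * unclassified resources: treated as confidential (fail closed)
    """
    sensitivity = RESOURCE_SENSITIVITY.get(req.resource, Sensitivity.CONFIDENTIAL)
    if sensitivity == Sensitivity.PUBLIC:
        return AuthLevel.SESSION
    if sensitivity == Sensitivity.INTERNAL:
        return AuthLevel.PASSWORD if req.on_corporate_network else AuthLevel.TWO_FACTOR
    if not req.on_corporate_network and not req.managed_device:
        return AuthLevel.DENY
    return AuthLevel.TWO_FACTOR


def decide(req: AccessRequest) -> str:
    """Return 'allow', 'step-up:<LEVEL>' or 'deny' for the request."""
    need = required_level(req)
    if need == AuthLevel.DENY:
        return "deny"
    if req.session_level >= need:
        return "allow"
    # The visible 'friction' the article describes: the user is prompted for
    # the stronger factor before entering the more secure environment.
    return f"step-up:{need.name}"


if __name__ == "__main__":
    # Constructed sample requests covering the main policy branches.
    samples = [
        AccessRequest("alice", "intranet-news", False, False, AuthLevel.SESSION),
        AccessRequest("bob", "email", False, True, AuthLevel.PASSWORD),
        AccessRequest("bob", "email", True, True, AuthLevel.PASSWORD),
        AccessRequest("carol", "board-papers", True, False, AuthLevel.PASSWORD),
        AccessRequest("dave", "customer-records", False, False, AuthLevel.TWO_FACTOR),
    ]
    for r in samples:
        print(f"{r.user:6} {r.resource:17} -> {decide(r)}")
```

Because the rules are ordinary code, the policy document the article calls for and the enforcement point can be reviewed side by side, and an unclassified resource falls back to the strictest treatment rather than the most convenient one.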
As attacks continue to get more sophisticated and the value of data increases, strengthening your own defences and locking down the gateways to the corporate network is both achievable and manageable. With adaptive authentication, enterprises can define workable parameters for different employees, access requests and services within the same installation and under the same license, applying exactly the right level of authentication to any given scenario. Only then will corporate networks really begin to defend themselves appropriately in this hostile digital age.