Over halfway through 2018, what can we say about the state of cybersecurity? Unfortunately, the industry trends are already following an all too predictable pattern, particularly when it comes to the biggest security threat.
It’s a pattern we’ve seen repeated year after year: wholly preventable data breaches and cyber incidents caused by the continued use of a security mechanism that should have been scrapped years ago.
The first half of the year has shown us yet again that passwords remain the Achilles heel of corporate security — driving financial loss, tarnished brands and customer misery across the globe. With the GDPR now in full force, expect to see some fireworks before the year is out.
A global epidemic in data breaches
Last year was a year to remember for all the wrong reasons, highlighting just how far the breach epidemic has spread. But 2018 is doing its best to catch up.
Already we’ve seen major incidents announced by companies including nutrition app MyFitnessPal, which impacted 150 million customers, and Ticketmaster UK, which it claimed affected less than 5% of a global customer base in the hundreds of millions.
Similar breach incidents at third-party providers including recruitment platform PageUp and online survey company Typeform have hit a huge swathe of large corporations, from Fortnum & Mason to Premier Inn, Travelodge to Costa Coffee. Most recently, news aggregation site Reddit confirmed a large-scale breach after cybercriminals accessed employee accounts using passwords sent by SMS as part of the company’s two-factor authentication measures.
Most if not all of these breaches happened before the GDPR came into force at the end of May. That means those companies involved will not feel the wrath of the regulators. But this will not remain true for long.
As 2018 rolls on, we might well see our first GDPR-era breach. UK regulator the ICO has said in the past: “It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.”
However, it has not ruled out these fines, which could reach 4% of global annual turnover, or £17m. They are there for a reason. If organisations are found to have neglected industry best practice in cybersecurity they may well be punished.
The problem with passwords, the biggest security threat
The GDPR mandates “a high level of protection of personal data” and that controls are put in place “to prevent abuse or unlawful access or transfer” of this data. In this context, it’s clear that static passwords are no longer fit-for-purpose.
In a corporate scenario they offer attackers a golden ticket — an opportunity to walk unopposed through your cyber front door en route to highly sensitive customer data and IP.
It’s not just data at stake here. By compromising those all-important passwords, hackers could launch “cyber-physical” attacks targeting a nation’s critical infrastructure. The precedent has been set here: in December 2015 and 2016 hundreds of thousands of Ukrainians went without power after sophisticated attacks on energy providers in the country.
The State of Technology This Week
An even newer threat is crypto-mining malware, which could be covertly installed on corporate infrastructure to generate digital revenue for hackers. Even hi-tech organisations like Tesla have been hit in this way. The impact could range from high corporate energy bills to IT downtime and productivity losses.
As we go through 2018, if organisations continue to rely on passwords to secure sensitive accounts they will continue to suffer. These static credentials are simply too easy to steal or brute force with automated tools. Users make the job of IT security teams even harder by relying on easy-to-remember passwords — which are also easier to guess by third parties — or else share log-ins across multiple consumer and corporate accounts.
It just takes one account to be breached and the whole pack of cards comes tumbling down.
Looking under the hood of the organisation
Businesses have been warned time and time again that passwords are no longer enough to fend off cybercriminals. Verizon’s 2017 Data Breach Report found that 81% of hacking related breaches are via the exploitation of stolen or weak passwords.
Yet, as has worryingly become commonplace today, many are still relying on this outdated and insecure method of authentication. Consumers aren’t the only guilty party; it’s organisations too.
Research recently conducted by Intercede found that 86% of systems administrators within major enterprises – those people that hold the keys to an organisation’s kingdom – are using basic password authentication to protect data. What’s more, 17% of respondents admitted using ‘simple passwords.’
If individuals responsible for managing ‘access all areas’ within a business’ IT infrastructure can’t be trusted to lead by example and secure their own accounts, then how can an organisation’s employees be expected to do the same? Moreover, how can consumers trust these businesses to keep their personal data safe?
A better way forward for cybersecurity
So as we head into the second half of the year, let’s be clear: it’s time for organisations to recognise the risk to their brand, reputation and bottom line represented by passwords. Interestingly, many businesses do seem to realise they are not properly securing their systems by relying on passwords. Half of respondents in our research felt that user accounts within their businesses were ‘not very secure.’
Today, best practice comes in the form of multi-factor authentication (MFA) technologies which remove the static, easily stolen password from the equation altogether. As a method of confirming a user’s identity, it requires multiple elements, or ‘factors.’
These may include ‘knowledge’ (something a user knows, e.g. a PIN), ‘possession’ (something a user has, such as a smartphone or token) and ‘inherence’ (something you are, e.g. a fingerprint or facial match). Each of these elements must be independent of one another. For example, if you’re logging into your online banking app you may use your iPhone and your fingerprint to gain access.
MFA allows businesses to verify that the person accessing the service is who they say they are. At present, too few businesses have taken appropriate action to implement authentication technologies that incorporate these three distinct elements. According to our research, only 6% of businesses use virtual smart cards and PINs as an additional means of authentication on-site, and only 2% use facial recognition.
The right security methods are out there; they are more robust, cost-effective and easy to implement. In the age of the hack, it’s vital to ensure you invest in security that’s not only enterprise-grade but also convenient and with zero friction to the end user — tools that work seamlessly across today’s cloud and mobile-centric IT infrastructure. With the right solutions in place you’ll be able to create the one thing passwords now fail so epically to deliver: digital trust.
Invest in such systems now for your organisation and mandate them for suppliers. Anything less and 2018 might be a year to remember, for all the wrong reasons.