It’s already mid-January and Google has been filled with references to web pages ranking what is supposedly the best to come in 2021 for a multitude of things. Spoiler alert: this blog isn’t about the 2021 best electric SUVs on the market. First, what do I know about SUVs? Second, I live in Houston, the world capital of oil refinery, and if I want to keep on being invited to my city’s high society social gatherings, I better not promote e-cars in any shape or form.
This blog post is all about a topic that brings people together, especially cybersecurity folks. I am inviting you to discover what the top-5 security priorities are for all corporations that want to eliminate risks due to identity compromises.
Priority #1: Secure your remote workforce, because working from anywhere isn't going away any time soon.
The new COVID-19 variant is spreading around the world at a speed no virologist could have expected. Most western countries are back to strict restrictions, some of them even going to the extent of imposing tight or tighter curfews to their population. So, what it clearly infers is that employees will continue to work from home. And although a vaccination campaign has recently started, a “back to pre-Covid normal” going back to the office will not happen until, at least the end of 2021.
Ironically, studies have concluded that remote employees are more productive. It makes a lot of sense: no commute, increased availability, no more chitchatting around the water cooler to debrief the Brown’s stunner in Pittsburgh. It stands to reason that, in terms of cyber security, there is the need to tighten the security pertaining to employees working from home and, consequently, accessing company data from offsite locations.
Are you sure your employees are taking all known and necessary precautions to log into your company’s systems? If your employees at any time need to enter a username and a password for VPN and/or virtual desktop authentication, then your organization is at risk of a cyber-attack.
Priority #2: Eliminate passwords and solutions that leverage them once for all.
Eighty-one percent of data breaches are caused by poor password management. And yet, passwords represent the authentication mechanism of choice for just about anything needed to conduct business.
A password is highly insecure for four main reasons:
(1) Weak knowledge factor, since with 2FA and MFA solutions, the first authentication factor (the password) is a knowledge factor. And the latter is highly precarious in terms of security, simply because a password is based on information that someone else may know, guess, or infer.
(2) User mindlessness: Here is a harsh fact. Most users cannot be trusted with password management. They either create simple passwords, which are way too easy to guess, or they write them down for everyone (co-workers, family) to see, even if they don’t share them.
(3) Password-cracking software: Go online and for about $40, you can buy an entry-level password-cracking solution. For a bit more money on the Dark Web, you can purchase a solution that can leverage cheap processor power to cycle through thousands of hash permutations and open an account in minutes through brute-force efforts.
(4) Centralized password repositories: An overwhelming majority of businesses store user data unencrypted in centralized systems that offer a single point of failure. A cybercriminal only needs to compromise the credentials of an employee who has access to the centralized password repository. And given the level of passwords mismanagement, little efforts are often required.
Priority #3: Focus on identity proofing for flawless authentication.
There is a material difference between ID proofing solutions and passwordless authentication applications. The reason lies in the total absence of synergies between both.
A great majority of passwordless authentication applications do not prove the identity of a user that leverages their technology to authenticate and access apps online. Consequently, it is impossible for a business to know for a fact who accesses their systems or with whom they transact. Cyber criminals systematically utilize this flaw. For example, synthetic identity fraud accounts for 80 percent of all credit card fraud losses.
Focusing on identity proofing is essential to help businesses protect themselves as well as their users from all manner of security threats inherent to identity compromises. No business should leverage a passwordless authentication solution that doesn’t verify a user identity indisputably; in other words, any solution that doesn’t reach the highest level of identification assurance per the NIST 800-63-3 guidelines, or IAL3 is simply not a sustainable alternative.
Priority #4: Decentralize identity and user data storage.
Here is a reality: Decentralized identity is the future of identity. So why not getting ahead of the game.
Decentralized identity allows users to remain in control over their privacy and decide how and what identity-related data they want to share when going through an identification or an authentication process. Passwordless authentication solutions that leverage the decentralized identity model allow users to share with consent only the information required to authenticate, so they can access a system or an application.
Moreover, the data that pertains to a user identity is stored encrypted in the blockchain. Blockchain technology actually offers unique characteristics that solve problems of trust and make it a great fit for identity solutions, because blockchain is immutable (once a data is written, it cannot be altered in any way), decentralized (no central authority controls the data, so there is no single point of failure or someone who can override a transaction) and the data is stored encrypted.
Priority #5: Don’t fear change. Be bold.
Have you ever noticed that once a company has been hacked, then it tends to get hacked again? For example, between June 2013 and December 2019, Facebook has experienced eight major data breaches compromising a total of 1.6 billion accounts. You’d think that after the first or at the latest after the second breach that Facebook would get its act together and implement sustainable cyber security policies...
To my knowledge, there is one solution on the market that combines identity proofing and passwordless authentication and that reaches the highest levels of identification and authentication assurance per the NIST 800-63-3 guidelines. That means the elimination of identity compromises for your company’s workforce and your customers. It infers bulletproof remote access to all those systems (critical and others) and apps your employees need to conduct business, elimination of fraud when transacting with your customers online, enhanced brand reputation, improved customer loyalty and, ultimately, increased bottom-line.
Get ahead of the curve and make the change that is required!