Attacking the gaps in traditional security
Our growing reliance on a connected lifestyle has evolved hand-in-hand with security threats and bad actors. As technologies increase in sophistication, so does the security threat landscape. And as new security solutions are developed and implemented, new hacking methods evolve and grow, reducing the effectiveness of current solutions.
This cycle has been going on for years, in the physical and virtual worlds where we live and act.
Ultimately, IT decision makers and the security industry have been – and continue to be – in an arms race with bad actors and hackers. And they’re not necessarily winning. If they were, you wouldn’t hear about major breaches like Sony, Anthem, or Target. The fact that these breaches are still occurring means we haven’t solved it yet. The threat is real, and it remains.
That leads to the inevitable question – why? Why haven’t we won? Why haven’t we created an environment where enterprises can feel comfortable that their intellectual property and customer information is safe? Why do consumers still have to swap out their credit cards every few months due to the chance that information was compromised? Why do breach notifications show up in my mail on a monthly or even sometimes weekly basis? (Did you know one in three people who receive a breach notification are compromised?)
The fact is, companies have approached security the same way for too long. They identify a problem, find a vulnerability, or discover a breach, and then they patch the hole to keep it from happening again. Then they alert the parties impacted and try to do damage control.
But implementing point solutions only addresses the immediate problem; it doesn’t address the root cause and only adds complexity. The cost of addressing security this way is excessive, and over time the result becomes a perplexing big ball of tangled solutions. This is exactly what is happening with multifactor authentication, both in today’s solutions and among emerging companies.
Here’s the problem with the way companies today are embracing multifactor authentication:
A company’s existing single-factor authentication at a customer log-in is too easy to crack through social engineering, phishing, key loggers, man-in-the-middle attacks, spear phishing, or simple guessing of credentials, and it gets breached. So the company puts a multifactor authentication solution (or several) in place. This costs money and many hours to integrate into their current systems.
Then, they have to market this change to any and all affected parties – including internal and external audiences and customers. This marketing costs money and the increased complexity scares away some customers, costing the company revenue.
After the dust settles, a breach occurs – maybe at a different point in the network where vendors or consultants gain access. The company implements an additional solution – or expands a current multifactor authentication solution – at this breach point. Again, this costs money and many hours to implement and integrate into their current systems, and the cycle could potentially repeat itself an infinite number of times, like a terrible game of cyber whack-a-mole.
So how should it go?
Companies need to move away from addressing a single problem with a point solution. The reality of this cycle is “time + desire = opportunity,” which will result in the prior weaknesses being exposed again. If you build on a poor foundation, it doesn’t matter what you do to repair and fix issues; the foundation will always be the problem.
Fundamentally, organizations need to step back and look at the whole picture, and recognize that until they address the ‘user’ and the architectural flaws in today’s multifactor and single sign-on security solutions, the problems won’t stop. Companies need to focus on their infrastructure first and ensure that a strong authentication solution is embedded across the entire organization. Looking at architecture and infrastructure first puts them in a better position to grow and evolve with the security market. It also eliminates the need to patch holes as they open up.
In addition to thinking on a broader level across the entire enterprise, companies also have to think about the effectiveness of the authentication solutions they implement.
They need to think about whether the solution truly protects them from all bad actors. If it’s in-band, chances are that the solution still leaves them vulnerable (click HERE for a good introduction to the differences between in-band and out-of-band authentication). Then there’s the issue of ease of use. As we’ve discussed in previous posts, the more factors and steps that enterprises put in place for authentication, the more difficult and unnatural the process feels. This can hurt adoption and lead to risky behavior by users.
By thinking of security at the infrastructure level and ensuring that authentication is ubiquitous across the enterprise, companies can get out of the cycle of finding and eliminating gaps in their security posture. And by implementing a solution that is out-of-band and easy to use, they can better protect the company and its customers by mitigating a wider variety of attacks and ensuring that the solution is used by all stakeholders – both within and outside of the organization.
Authomate’s StrongPass solution delivers authentication that is completely out-of-band, strong and easy to use. For additional information about Authomate’s authentication solutions, go to www.authomate.com. To try out StrongPass, click HERE.