Ease of use and poor cyber hygiene impacting enterprise security
According to Verizon’s 2015 Data Breach Investigations Report (DBIR), there were 79,790 security incidents and 2,122 confirmed data breaches across 61 countries in 2014. And these security incidents can be extremely expensive for the companies they impact. According to the Ponemon Institute’s 2014 Cost of Data Breach study, “The average cost to a company was $3.5 million in US dollars and 15 percent more than what it cost last year.”
We recently had the opportunity to sit down with security expert and CEO of SAVANTURE, Doug Howard, to discuss the current security landscape. SAVANTURE is a SaaS and Managed Security Services Provider (MSSP) that launched in 2013 and services over 350 clients today. Prior to SAVANTURE, Doug worked at CSC, USAF, and VBrick, and held senior security positions in cybersecurity, including VP of Security and Business Continuity at AT&T, CSO at SilverSky (now BAE), and COO of Counterpane (now BT).
During our discussion, Doug shared his feelings on the largest threats facing enterprises today, different security vulnerabilities and the reasons why gaps exist in today’s security solutions. Here is what Doug had to say:
Access Granted: What are some of the largest security challenges facing enterprises and consumers today?
Doug Howard: One of the most critical challenges facing enterprises is the integrity of a transaction and the ability to have confidence that data can be protected on both ends of the transaction – before, during and after. This is true across all industries and markets – including B2B, B2C, and C2C.
Protecting transaction data relies heavily on secure access through authentication. Escalation of privilege attacks don’t work if systems have multifactor authentication. In fact – if you asked most security experts – they would agree that multifactor authentication is a high-value addition, if not the most effective tool they could add in defense of their networks.
Despite that, few companies incorporate effective multifactor authentication solutions.
Access Granted: We often hear that many cyber attacks are a result of a lack of education and good cyber hygiene. What role does poor cyber hygiene really play in cyber-attacks and breaches?
Doug Howard: There is no doubt that human error contributes heavily to many problems within security. Unfortunately, there are a few unavoidable realities when it comes to users and cyber hygiene:
1) Almost everyone has received a breach notification from some provider – either a retailer, credit card company, or financial services company. This means their personally identifiable information and – potentially – their user ID and password are now in the hands of a bad guy.
2) Almost everyone uses the same – or same series of – user names and passwords for many accounts, systems or profiles. User names are often a combination of email address or initials and last name, plus the numbers “1” or “11” or their year of birth. Passwords can vary, but the average user only has about 3 passwords across all of their accounts – and that variation is usually due to a forced change or difference in password standards between sites.
When individuals reuse login credentials, they are putting all their accounts in the trust of the company with the weakest security protocols. Even if you feel good about your bank, you may not feel so good about the local retail shop whose loyalty club you just joined, or who you just made an online purchase from.
3) Most users think about Personally Identifiable Information (PII) or PCI with credit cards, but the problem is much broader when you consider the impact of someone knowing your username and password. It opens up your entire online life and history.
And let’s not forget about passerby malware and viruses that can capture your keystrokes.
If the weakest link is breached – or malware captures a password – and the user’s credentials are the same across all of their accounts, now every account is compromised.
Access Granted: How can strong authentication help alleviate attacks? What are enterprises REALLY looking to achieve with secure authentication?
Doug Howard: Strong, multifactor authentication can eliminate the issues created by poor cyber hygiene, but it creates another problem.
Strong authentication that makes simple tasks harder or more convoluted ultimately drives users to do things that put sensitive company data at risk. Meaning, they start putting data in easier-to-access places (i.e. unmanaged corporate services), or transferring it around unprotected, or many other scenarios where the data becomes less protected than it was before the implementation of the difficult-to-use multifactor authentication solution.
Simplification of user authentication is necessary to eliminate many of the problems that drive users to do bad things. Also, companies need to tie this authentication to something out-of-band, so as to avoid compromised machines and the reuse of static IDs and passwords.
As such, strong authentication with password management is an elegant approach.
Access Granted: What security gaps exist with current authentication and security solutions on the market today?
Doug Howard: It ultimately comes down to adoption. Strong security solutions are useless if they’re not used. When ease of use is accomplished, the adoption is high. When the adoption is high on something that fundamentally improves – not just the user experience but the end-to-end security and integrity of transactions and data – you have a winner.
Access Granted: You recently joined the advisory board of Authomate. What led to you joining the company in this capacity? What has you excited about their solution?
Doug Howard: Authomate provides an elegant, easy-to-use solution that significantly closes the gaps in a cost-effective manner for user authentication. Their solution is secure, it’s completely out-of-band and it closes the gap on communicating the critical element of, “what the bad guy doesn’t have.”
Ultimately, I’ve seen exceptionally good teams fumble with a bad idea over and over. But if you have an “A” team with a great idea and a real market need, you have the necessary ingredients for creating a great company. Authomate has that magical combination.
For additional information about Authomate’s strong authentication solutions that are also easy-to-use, go to www.authomate.com.