Passwords are not enough
By Tarun Khandelwal | Features, Opinion
A username and password login process is no longer a sufficient means to protect corporate data, no matter what the size of the organization.
Not only are they easy to compromise, but because users have so many passwords to remember in today’s technology-driven society, they’re more apt to record them – either in a file on their PC or on paper in an office, home or notebook – or use the same simple password over and over again. Take, for example, the recent LinkedIn security breach. An analysis of passwords hacked in that breach found that users were relying heavily on simple passwords – with ‘link,’ ‘1234’ and ‘work’ reportedly topping the list.
Although regulatory requirements have made strong authentication policies mandatory in many industries, it’s not something that’s regulated across the board in Canada, so it’s up to individual businesses to take action to protect their networks and data from human error. As online threats become more prevalent, intricate and targeted, businesses need to have a plan in place to protect stakeholders from identity theft and fraud – one that’s both easy to use and strong enough to protect against today’s sophisticated attacks.
Most of today’s security breaches involve some form of unauthorized access that results from weak identity and access management and authentication systems, highlighting the need for more robust practices in both areas. This is even more imperative as applications move to the cloud – whether public, private or hybrid – where users log in to stored data with a password alone, with no simultaneous assessment of the risk of each access attempt and transaction. That leaves too much at risk when you consider that the information may or may not be stored locally, making containment of a breach more complicated.
Any kind of transaction between a user and a computing device, including a PC or a smartphone, opens the gate to a security breach. While this could come from within an organization, it could also come from an external source – particularly if the business requires customers to be able to access information on the corporate network. This could range from an online customer tool, a database that customers have password protected access to, or an online shopping site.
Without active controls and monitoring, the network is left exposed and businesses lose the opportunity to act on a potential issue in advance. Instead they find themselves reacting to a breach, which can cost time, money and brand goodwill. When you look at the potential cost of an organizational data breach (which some have estimated at over $5 million), it’s clear that it’s much more cost effective to have strong identity and authentication policies in place.
The challenge then becomes finding a way to increase security to protect data without escalating support costs or burdening users. No one wants an authentication system that requires repetitive user interaction because it impacts both the adoption of online services, and customer loyalty. So what’s the best way to detect and block fraudulent activity before fraud losses occur, without affecting or distracting legitimate users?
Integrating a transparent layer of protection against identity theft, data breaches and fraud can help an organization measure and block fraud in real-time, without burdening the user. Solutions that integrate with web-facing applications, like a VPN or web portal, can analyze the risk of online access attempts and transactions by examining a wide range of contextual data, scoring it based on preset rules, comparing it to historical data and conducting statistical analysis to calculate an overall risk score. The score is then used to either approve or decline the activity, ask for additional authentication, or alert a customer service representative, depending on the transaction and calculated risk score. The best solutions are flexible, meaning that IT managers can easily adjust existing rules and quickly add new ones to adapt to the evolving threat landscape. Additional solutions can be layered on in order to integrate verification steps.
For example, Facebook’s optional ‘Login Notifications’ give users a chance to keep tabs on where their accounts are being accessed in order to actively manage any sort of suspicious activity. If ‘Login Notifications’ are enabled, Facebook auto-alerts the user each time their account is accessed from a new device. If the user were to ever receive a ‘Login Notification’ from an unfamiliar device or location, Facebook provides instructions to reset the password and secure the account. There’s also an option for ‘Login Approvals’ – which would require the user to enter a security code each time an unrecognized computer or device tries to access the account. While these are both optional features, they provide users with the flexibility to increase security to a level that they feel most comfortable with, and to actively monitor their account for security breaches rather than fall victim to unauthorized access.
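The risk-scoring flow described two paragraphs above (contextual data, preset rules, comparison with the user’s history, a score mapped to allow / step-up / deny / alert) and the new-device handling in the Facebook example both fit in one small engine. The following is an added illustration written for this page; it is not code from the article, from CA Technologies or from Facebook. The rule names, weights, thresholds, the 1,000 km/h “impossible travel” limit, the sample user history and the three login attempts are all constructed assumptions.

```python
# Added example: a minimal risk-based authentication engine of the kind the
# article describes. Illustrative code only; the rules, weights, thresholds,
# user history and login attempts below are assumptions constructed for it.
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Set


@dataclass
class LoginAttempt:
    user: str
    device_id: str              # assumed: hashed browser/device fingerprint
    country: str                # assumed: from IP geolocation
    lat: float
    lon: float
    when: datetime              # timezone-aware UTC
    recent_failures: int = 0    # failed logins for this user in the last 10 min


@dataclass
class UserHistory:
    known_devices: Set[str]
    usual_countries: Set[str]
    last_success: Optional[LoginAttempt] = None
    usual_hours: range = range(7, 20)    # assumed working hours, in UTC


# Preset rules and their weights; an IT manager would tune these over time.
RULE_WEIGHTS: Dict[str, int] = {
    "new device": 30,
    "unusual country": 25,
    "impossible travel": 40,
    "off-hours": 10,
    "failed-attempt velocity": 25,
}
STEP_UP_THRESHOLD = 30     # at this score, demand a one-time code
DENY_THRESHOLD = 70        # at this score, refuse and alert a human reviewer
MAX_PLAUSIBLE_KMH = 1000   # faster than this between two logins is "impossible travel"


def distance_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle (haversine) distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def fired_rules(attempt: LoginAttempt, history: UserHistory) -> List[str]:
    """Compare the attempt's context with the user's history; list the rules it trips."""
    fired = []
    if attempt.device_id not in history.known_devices:
        fired.append("new device")
    if attempt.country not in history.usual_countries:
        fired.append("unusual country")
    prev = history.last_success
    if prev is not None:
        hours = (attempt.when - prev.when).total_seconds() / 3600
        km = distance_km(prev.lat, prev.lon, attempt.lat, attempt.lon)
        # A negative or zero gap with any distance at all is also implausible.
        if km > MAX_PLAUSIBLE_KMH * max(hours, 0.0):
            fired.append("impossible travel")
    if attempt.when.hour not in history.usual_hours:
        fired.append("off-hours")
    if attempt.recent_failures >= 3:
        fired.append("failed-attempt velocity")
    return fired


def assess(attempt: LoginAttempt, history: UserHistory) -> Dict[str, object]:
    """Score the attempt and map the score to allow / step_up / deny (+ alert)."""
    reasons = fired_rules(attempt, history)
    score = sum(RULE_WEIGHTS[r] for r in reasons)
    if score >= DENY_THRESHOLD:
        decision, alert = "deny", True        # refuse and alert a service representative
    elif score >= STEP_UP_THRESHOLD:
        decision, alert = "step_up", False    # ask for a security code (cf. Login Approvals)
    else:
        decision, alert = "allow", False
    return {
        "score": score,
        "decision": decision,
        "reasons": reasons,
        "alert_staff": alert,
        # cf. Login Notifications: tell the user about any new device, even when
        # the attempt is otherwise low-risk, so they can react to a takeover.
        "notify_user": "new device" in reasons,
    }


def record_success(attempt: LoginAttempt, history: UserHistory) -> None:
    """Once the user has proven it was them, learn the device and location."""
    history.known_devices.add(attempt.device_id)
    history.last_success = attempt


# Constructed sample data: Alice normally logs in from Toronto on one laptop.
UTC = timezone.utc
ALICE = UserHistory(
    known_devices={"fp-laptop"}, usual_countries={"CA"},
    last_success=LoginAttempt("alice", "fp-laptop", "CA", 43.65, -79.38,
                              datetime(2012, 6, 7, 9, 0, tzinfo=UTC)))
ROUTINE = LoginAttempt("alice", "fp-laptop", "CA", 43.65, -79.38,
                       datetime(2012, 6, 7, 10, 0, tzinfo=UTC))
NEW_PHONE = LoginAttempt("alice", "fp-phone", "CA", 43.65, -79.38,
                         datetime(2012, 6, 7, 11, 0, tzinfo=UTC))
# Correct password, but from Frankfurt 90 minutes after a Toronto login, on an
# unknown device, after a burst of failures: the profile of a stolen credential.
SUSPECT = LoginAttempt("alice", "fp-unknown", "DE", 50.11, 8.68,
                       datetime(2012, 6, 7, 10, 30, tzinfo=UTC), recent_failures=4)

if __name__ == "__main__":
    for a in (ROUTINE, NEW_PHONE, SUSPECT):
        print(a.device_id, a.country, assess(a, ALICE))
```

The routine login scores 0 and passes silently; the new phone scores 30, so the user is asked for a code and notified of the new device; the Frankfurt attempt trips four rules for a score of 120 and is refused with an alert, even though the password was correct. That last case is the point of the article: the password alone would have let it through.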
The benefits of integrating this type of added security layer are well-documented. Not only are the risks of unauthorized access, data breaches and identity theft reduced, but so is fraud, since high-risk transactions can be blocked and suspicious activities subjected to step-up authentication. Risk-based authentication measures can also help organizations meet ever-changing regulatory requirements. But best of all, it’s transparent – meaning that the risk evaluation process doesn’t have to affect the user experience in most cases.
The biggest mistake a business can make when it comes to security is to assume that their business is safe. No matter what the size of your organization is, security matters. It’s much more cost effective to take steps to prevent a potential breach than to be caught picking up the pieces after the fact.
Tarun Khandelwal is a senior solution strategist for security solutions with CA Technologies in Canada.