One of the Most Poorly Implemented Security Practices

What is one of the most poorly implemented security practices? “The practices where methods of protection are implemented that never change and where there is unlimited time to figure them out.” Yes, I am talking about IDs and Passwords.

If you think about it, this describes nearly all web services and applications: they rely on static IDs and passwords that rarely, if ever, change. It is no wonder that 67% of all breaches result from weak or stolen credentials.

It is a sad day indeed when Facebook has more login security protection than most of the top Cloud Service Providers, Healthcare Service Portals, Electronic Medical Record Services and HR Data Services.

A security team at a financial services company recently told us that they must now operate with the knowledge that nearly all their customer credentials are known to the hacking community (due to the massive data breaches and 61% end user credential reuse).

In reality, most of the security teams I talk to acknowledge that access/login security based on static IDs and passwords is no longer enough. If this is true, then it’s time to work through any objection(s) you might have that would cause you to ignore this staggering hole in your security posture.

The list below comprises the most common objections we hear that cause companies to ignore this severe security hole:

  1. The solutions are expensive.

  2. The solutions are complicated, hard to integrate and even more difficult to keep running effectively.

  3. The solutions interrupt the end user experience.

  4. We will wait for our customers/users to ask for it.

  5. There is no regulatory mandate making us add additional protection.

  6. We already have a solution.

Let’s take these one at a time:

  1. Expensive: This used to be true, but it’s not any more.

  2. Complexity: This used to be true, but it’s not any more.

  3. End User Experience Interruption: Unless you look at Adaptive Multi-Factor solutions (which are all really expensive), this is totally true. Please don’t pay for a solution that does not include an adaptive layer of capability. Without an adaptive solution, you can never fully protect your customer facing services. The best you can do is an opt-in play, and then almost no one will use it. You end up paying to integrate a solution and pay for licenses only to have virtually no one turn it on because it’s too intrusive. In short, this is no longer an issue.

  4. We will wait for our customers to ask: This is a poor plan, primarily because in most end users’ minds, additional security is synonymous with extra steps and interruptions during login. Because this is their historical view and connotation, customers will rarely ask for anything that makes their life more difficult. Fortunately, adaptive multi-factor solutions are not a pain and don’t add additional steps. Therefore, waiting for customers to ask is a poor plan. In reality, if you consider that nearly all your customer accounts are likely compromised, adding adaptive multi-factor security to your services should be put on the same plane of planning as adding SSL and salting passwords. Adaptive MFA should be a given!

  5. Wait for regulatory mandates: On this, companies should note the following: “The standard of care the FTC has most recently articulated requires businesses to take “reasonable and necessary measures” to protect consumer data.” Given that 67% of breaches result from weak or stolen credentials and that billions of credentials are available to the hacking community, can you honestly ignore this gaping hole in your security? With this knowledge and understanding, can you claim in a court of law that you took “reasonable and necessary” measures to protect your client and customer data?

  6. We already have a solution: My first comment is “Terrific!” My second comment is that you are most likely paying way, way, way too much money for your current solution; like 50%, 75% or even 80% more than you need to pay. It should be time to review your options again.

In closing, be aware that the FTC now has the legal authority to sue a company when consumer data is compromised in a breach and the FTC determines that the company engaged in “unfair” or “deceptive” business practices by inadequately investing in cyber security, thereby exposing customers to substantial financial injury while retaining the profits of its business. Don’t be found in this category.

aPersona Inc.

aPersona is an adaptive multi-factor authentication platform that is cost effective, intelligent, simple to setup, simple to operate and provides rich risk analytics data and reporting for all your regulatory and audit requirements.
