Cybercrime is big news, with those behind it often painted as geniuses carrying out complex and difficult tasks from their terminals in ill-lit rooms. But in real life, hacking is much more mundane – more akin to the burglar who walks down a street looking for houses where a door or window has been left unlocked. It’s not particularly clever, and relies mainly on victims being careless.
It’s a similar picture with companies and their data security. Research into data breaches consistently shows that most crimes could have been easily averted by the application of simple security measures – the equivalent of locking the front door, and remembering to set the alarm.
Companies may spend huge amounts on gathering and storing valuable information but they often fail to ensure that the most basic of housekeeping tasks have taken place – such as keeping antivirus software up to date, or applying the latest security patches to their applications.
More shocking than that, however, is the number of organisations that fail to check properly that the right people are using their systems. According to research carried out by IBM during 2015, the leading cause of security incidents among its clients was unauthorised access to systems.
IBM’s “2016 Cyber Security Intelligence Index” is based on data collected between 1 January 2015 and 31 December 2015 from more than 8,000 client devices in over 100 countries. The figures show that unauthorised access accounted for 45% of the incidents, while the second highest cause, malicious code, accounted for 29%.
So what does this mean? Well, the good news is that if you get a good grip on user authentication, you may be able to cut your risk by 45%.
However, for many organisations, user credentials still consist of just a username and password. Companies may try to improve on the model by insisting users choose complex passwords, or get them to change their password every so often. They may even go the extra mile and issue them with special security tokens that generate a one-time code when they log on.
But all these solutions have their flaws. People can’t remember complex passwords, and so write them down, or constantly call a helpdesk to get a password reset. Constantly changing passwords makes the problem even worse.
Security tokens work well, but they are expensive to supply and to administer, and they force the user to carry an extra bit of kit which inevitably gets lost or left in another item of clothing at home – resulting in more frantic calls to the helpdesk.
The trouble with all those solutions is that they emerged last century before the arrival of the one device that defines the early part of the 21st century – the smart phone. Everyone has a mobile phone these days and they tend to use it for all aspects of their lives – portable library, contacts list, newspaper, photo album, gossip platform. Sometimes they’ll even use it to make phone calls.
So why not also turn the phone into a security token for secure authentication? Instead of relying totally on passwords, or adding a new token, why not just send a one-time passcode via a text message to the user’s phone, which they are carrying anyway?
That is exactly what SecurEnvoy has done with its Tokenless® technology. In this model, the user logs on with username and password, as before, and then receives a one-time passcode on their phone which they then enter to authenticate themselves.
The security model works by combining two factors – something the user knows (the password), plus something they have (the phone). A hacker may be able to steal a password, but without the phone in his hand to see the one-time passcode, he will be unable to gain unauthorised access.
It is a simple solution that requires no special software on the phone and no central administration. An app can be downloaded for convenience, and in the future NFC authentication can also be used, another patented first from SecurEnvoy.
The SecurEnvoy system works off the back of the company’s user directory, and can therefore be installed within a matter of hours with little configuration to other applications. Best of all, it is simple to use and therefore much more likely to be adopted by users.
So looking back at the big picture to emerge from the IBM figures, fixing the problem of unauthorised access can reduce your security risk by 45%. And using the mobile phone is the simple and effective way to do it.