News broke recently that one of the UK’s most popular mobile network operators, Three, suffered a major data breach, putting the personal information of six million customers at risk. Hackers successfully accessed the company’s customer upgrade database, getting their hands on customers’ names, phone numbers, addresses and dates of birth. Given the severity of the breach, and what the hackers gained, the most worrying factor about this breach is the ease with which attackers gained access to Three’s databases — through an employee’s login details.
The issue with an attacker using a legitimate employee’s login is that you’re unlikely to spot any wrongdoing until it’s too late — your systems aren’t going to flag something that they recognise as ‘normal’. It’s a bit like asking technology to determine whether the owner of a house is the one who’s unlocking the door by only analysing the key that they’re using, and not taking into account any analysis of the person themselves. So, given that unauthorised access can be difficult to spot in the first place and that the consequences can be severe, one would think that organisations would prioritise doing something about improving access management.
However, this is the umpteenth time a major company has suffered because employee’s username and password have fallen into the wrong hands. eBay, Sony, Sage and other large corporations have suffered similar fates recently, and it seems that most organisations are waiting for a major breach of their own before doing anything to improve their security — which is a very risky way to run a business.
The death of the password
But what can companies do? Many experts have long touted the ‘death of the password’ as a form of authentication, calling for the uptake biometrics, thereby replacing what you remember with something that’s un-detachably yours to own — i.e. your fingerprint. IS Decisions research, however, found that only 23 per cent of UK IT professionals believe biometrics is the safest form of authentication — not to mention, the technology can be incredibly expensive and disruptive to roll out.
Multi-factor authentication is another argument to improve genuine access. Since multi-factor authentication works on the premise of adding security layers — for example combining passwords with security tokens — the more of these layers you have, the better protected you’re going to be.
However, multi-factor authentication comes with a compromise; the more layers you have, the more unproductive your staff are going to be because they’ll need to jump through more security hoops. Further IS Decisions research found that UK employees lose 15.27 minutes every week because of complex IT security procedures, which equates to 127 days per year lost productivity for a firm of 250 employees, or 15.3 days per year for those companies with 30 employees.
Context-aware security — a viable alternative to MFA and biometrics
Many organisations are therefore starting to turn to context-aware security to authorise users’ login access. This form of security comes with all the benefits of MFA and biometrics but without the drawbacks. Crucially, it could’ve prevented Three’s data breach and all the embarrassing news coverage the company has since received.
Context-aware security uses supplemental information to decide whether access is genuine or not when someone attempts to connect. This supplemental information includes what device the user is logging in on, what geographical location they’re logging in from, what the time of day is, and many other factors that build up a profile of the person logging in.
Going back to the unlocking-the-door analogy, this kind of security not only analyses the key that the person is using but also the surrounding context to determine if the person is who they say they are. Administrators can then set rules based on this supplemental information to automatically grant or deny access. For example, admins can set rules restricting an individual’s network access to certain workstations located in particular departments on office premises. Or admins could set up rules restricting access to certain connection types (IIS, Wi-Fi, VPN) so employees can continue to work on the go, or even restrict access to certain times of day, location or by a maximum number of concurrent sessions.
Restricting access in this way means that even if a cybercriminal gets their hands on an employee’s password, they still won’t be able to get access so data remains safe. Any attempt to access systems outside of these rules can also send a notification immediately to users to change their password, and to administrators who can investigate and modify access rules with a single click.
Complementing existing solutions
Crucially, this form of transparent access security doesn’t impede the end user like multi-factor authentication does, and is more cost-effective and less disruptive than biometrics to roll out.
Best of all, it can complement any existing security technology already in place. The Three data breach is a great example to demonstrate how context-aware security could’ve worked in the real world. If the company’s IT administrators had restricted access to employees’ devices or restricted access to on-site computer terminals, the system would’ve denied access to the hackers — despite the fact that they were using a legitimate employee’s login — because they would’ve logged in from a non-IT-approved computer or location.
The employee to whom the login credentials belong would’ve received an alert saying the system had detected suspicious use of their details, giving that employee the chance to change their password quickly, and the company would’ve saved themselves the aggro of leaking 6 million customers’ private information.