According to recent research, a significant number of UK businesses still rely on basic, outdated security methods to protect not only customer data, but their own internal company data too. This is despite warnings and countless high-profile examples of how passwords no longer cut it when it comes to fending off the ever-creative, ambitious and opportunistic hacker. Richard Parris, CEO at Intercede, examines the extent of the security problem, and explores the most effective approach to protect consumers and digital commerce from the threat of cybercrime.
How many of us would walk into our local supermarket and freely tell someone working at the checkout our address, food preferences, date of birth, and debit card details? The likelihood is, not many. Yet when most of us go online to order our weekly food shop, sign up to a new TV streaming service, renew insurance, book theatre tickets, or pay for holidays, we regularly provide companies with a whole host of information, as well as data on our browsing and buying preferences.
The weakest link
So why is it that we continue to so readily give away all this information to businesses over the internet? Perhaps because we assume that as these businesses collect and have access to so much of our sensitive data, that they must exercise the utmost security to keep this safe from cyber criminals? Unfortunately, findings from a recent study we conducted suggest this is far from the case.
Although shocking, our findings are simply more evidence of a current digital climate typified by lax security. We’ve seen a string of high-profile hacks in recent years of companies that thousands of consumers trust with their personal and financial details: Equifax, LinkedIn, the AA, Wonga, Yahoo – the list goes on.
Although the reasons behind these hacks may vary, there is a strong likelihood – and our evidence suggests – that there is one common, weak link: the password.
Playing Russian Roulette
Security experts have long warned consumers of the inadequacy of the simple password/username combination as a means of secure authentication. Verizon’s recent Data Breach Report found that 81% of hacking related breaches are via the exploitation of stolen or weak passwords. However, it seems that it is not just consumers who need to heed this warning, but also those who we entrust to look after our data: UK businesses.
Recent research from Intercede found that 86% of individuals responsible for managing computer systems (those with ‘systems administrator’ access) within major UK companies use only the most basic username and password authentication to access and protect their main business account on-site. Of this respondent base, 17% are using only simple passwords, despite recent warnings to consumers about the need to make passwords as complex as possible to protect their data from the prying eyes of cybercriminals.
The worst culprit? The retail sector, in which 92% of those with systems administrator access are still using passwords as the primary form of accessing a computer system. This throws into grave doubt the security of online shopping, and consumers should perhaps think again before so readily giving away data to yet another online retailer.
If the individuals primarily responsible for managing business IT infrastructure (those who essentially hold the keys to the kingdom) can’t be trusted to properly secure access to their accounts, then how can consumers trust those businesses with their personal data? The figures from many of the high-profile hacking incidents should act as a warning signal for businesses to change tack and tighten up security; Virgin Media asked 800,000 customers to change their passwords following a security breach in June, whilst Yahoo admitted this year that one billion user accounts were compromised as a result of the 2013 hack.
Interestingly, many businesses do seem to realise that they are not properly securing their systems. Half of respondents in our research felt that business user accounts in their organisation were ‘not very secure’. There are far more effective, robust methods of securing computer systems than the humble password, so it is down to businesses to take action to ensure that consumer data is secure.
Biometrics is beginning to emerge as an alternative security method to the password, for a wide range of consumer and business applications. Chinese phone manufacturer Xiaomi launched its Redmi Note 4 handset earlier this year, featuring a biometric fingerprint sensor – following a trend set by Apple with its iPhone – whilst Samsung’s Galaxy S8 comes complete with iris scanner technology which the device owner can use to unlock the handset.
Whilst this marks a promising step forward, not all biometric technology offers strong authentication, nor is it resistant to attack. Weaknesses in Samsung’s scanner were proven just months after its release, when a video appeared online demonstrating how, with a few pieces of rudimentary tech, the security of the scanner could be circumvented and access to the device owner’s phone obtained.
It may be the responsibility of a phone’s owner to ensure their handset is secure, but what about incidents of businesses and services using biometrics? HSBC’s voice recognition security system was introduced for telephone banking in 2016, with consumers required to provide their bank account details, using just their voice as a password. However, earlier this year, BBC reporter Dan Simmons was able to fool the system, again highlighting weaknesses in biometrics as a security method.
Possession, knowledge, inherence
Used in isolation, both passwords and biometrics are ineffective. Each creates a weak point of entry for hackers, comparable to leaving home with your keys left by the front door. A cyber criminal can easily obtain the ‘keys’ to a computer system or device, so further authentication is required to ensure that the person trying to obtain access is who they say they are.
The alternative method is strong authentication: an approach that incorporates three distinct elements: possession (something you have, such as a smartphone), knowledge (something you know, such as a PIN) and inherence (something you are, proved by something like a biometric reading). Hackers have wised up to passwords and biometrics, which should no longer be used as the only means of securing a system or piece of hardware. Instead, businesses should adopt this three-pronged approach as the safest way to make sure consumer data is safe from cyber criminals.
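As an added illustration of the three-pronged model described above (example code, not from the article or from Intercede), the following Python sketch classifies a set of hypothetical authenticator types by the factor category each proves and accepts a login only when possession, knowledge and inherence are all covered. The authenticator names and the mapping are assumptions for illustration; the point it makes explicit is that two authenticators from the same category, such as a password plus a security question, still count as a single factor.

```python
from enum import Enum


class Factor(Enum):
    POSSESSION = "something you have"
    KNOWLEDGE = "something you know"
    INHERENCE = "something you are"


# Hypothetical catalogue of authenticator types and the single factor
# category each one proves (constructed for this example).
AUTHENTICATOR_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "smartphone_app": Factor.POSSESSION,
    "virtual_smart_card": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "iris": Factor.INHERENCE,
    "voice": Factor.INHERENCE,
}


def factors_proved(authenticators):
    """Return the distinct factor categories covered by the authenticators presented.

    Duplicates within one category collapse to a single factor, which is why
    password + security question is still only 'knowledge'.
    """
    unknown = [a for a in authenticators if a not in AUTHENTICATOR_FACTOR]
    if unknown:
        raise ValueError(f"unrecognised authenticator(s): {unknown}")
    return {AUTHENTICATOR_FACTOR[a] for a in authenticators}


def missing_factors(authenticators, required=frozenset(Factor)):
    """Names of required factor categories not proved by the presented authenticators."""
    return sorted(f.name for f in required - factors_proved(authenticators))


def meets_strong_authentication(authenticators, required=frozenset(Factor)):
    """True only when every required category is proved by at least one authenticator."""
    return not missing_factors(authenticators, required)


if __name__ == "__main__":
    for attempt in (["password"], ["password", "security_question"],
                    ["fingerprint", "iris"], ["virtual_smart_card", "pin", "fingerprint"]):
        print(attempt, "->", "accepted" if meets_strong_authentication(attempt)
              else f"rejected, missing {missing_factors(attempt)}")
```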
At present, too few businesses have taken appropriate action. According to our research, only 6% of businesses use virtual smart cards and PINs as an additional means of authentication on-site, and only 2% use facial recognition.
Time to toughen up
The hacks we’ve seen over the past 12 months alone demonstrate the scope of sectors and organisations that are susceptible to cyber breaches, meaning a real sea change in businesses’ approach to security is required. Enhanced technology to replace the password has been around for quite some time, it is just the willingness to implement it that is currently lacking.
It’s clear many businesses are not taking cyber security seriously enough. This could not only prove damaging to a business’s bottom line, but – considering the wealth of consumer data many businesses have access to – their customers’ lives and finances too. If companies continue to be stung by similar hacks to those we’ve seen previously, consumers will lose trust, stop using their services and move to a different provider.
Furthermore, it is no longer appropriate for service providers to roll out the standard response that consumers need to take more care of their passwords to protect themselves against the sloppy behaviour of their suppliers. Better for service providers to implement new security paradigms that shift the balance of risk away from the consumer. Let’s end the security disenfranchisement of consumers and demand that our trusted service providers do indeed act as if they were trusted and invest in the best interests of protecting their customers.
Instead of thinking ‘it won’t happen to me’ and waiting for the inevitable, businesses must take a proactive approach to security, and implement multi-layered, robust authentication methods. Changes to EU law should help fuel this shift, when the General Data Protection Law (GDPR) is adopted next year. From 25th May 2018, businesses can be held criminally liable for failing to adequately protect consumer data. Those found to be in breach of the new ruling can be fined up to 4% of annual global turnover or €20 million, whichever is greater.
Consumer trust in businesses must be maintained, and this will only happen in line with a reduction in cyber hacks. Organisations have sat idly for too long, yet the run-up to GDPR offers an opportunity to tighten up security, to protect themselves and their bottom line.
Richard Parris, CEO and Chairman of Intercede