In the past year, it seems there were more and more articles and surveys that place most of the blame for data breaches on people. While it is true that decisions and actions by end users play a vital role in security risk, blaming people seems unfair, especially when most security tools increase the friction they must endure just to get their jobs done. I would argue that passwords are the problem, not your people.
A BRIEF LOOK AT HISTORY
The use of passwords as a security control in computing is nearly 60 years old. The first use of a password in computing was likely at the Massachusetts Institute of Technology where researchers built a time-sharing computer. The concept started simple enough — a secret word or string of characters used to identify and grant access to a valid user of a computing resource.
For a long time passwords worked just fine as a security control, especially in the personal computer era when applications and data were confined to the local disk and storage on a PC. They were even OK in early networked environments because those networks were private, self-contained and protected by traditional network security controls.
The internet era and more recently cloud and mobile computing, characterized by broad network access and data accessible over the public internet, highlight the limits of the humble password. More and more of our personal and professional work is conducted online in SaaS applications, involving valuable data that is attractive to determined attackers. The 2017 Data Breach Incident Report from Verizon found that 81% of hacking-related breaches leveraged weak, default and/or stolen passwords, underscoring the value of passwords to the bad guys.
We’re long past the useful life of passwords — we just haven’t decommissioned them yet.
PASSWORD-RELATED SECURITY RISK
Passwords alone are not an adequate security control for a number of reasons. They are susceptible to attack through low tech methods like shoulder surfing (exactly what it sounds like) to more sophisticated techniques like keylogging. For many years, phishing has remained one of the most common attack methods. Phishing is typically carried out by sending an email using a deceptive sender address (usually something familiar or trusted) directing the recipient to enter their user credentials into a fake website that looks identical to a valid site. An interesting threat analysis brief published by SecureWorks highlights how threat groups can use URL-shortening services to effectively hide malicious URLs. It’s common to blame users when they fall for phishing attempts but the truth is that most technology generally does a bad job of helping people make good choices.
Password reuse is another practice that creates security risk. In nearly every study of password habits, more than half of the respondents indicate they reuse passwords for at least some of their accounts. This means that even if your internal password databases haven’t been breached, your organization is at risk whenever passwords from an external service are compromised and dumped onto the internet. This hardly seems fair: you’ve done a good job protecting your data and yet you’re still at risk. The incident history bears this out. Ross Kinder recently wrote about how to respond when this happens.
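One defensive measure that follows from the reuse problem is to screen new or changed passwords against known breach dumps at the moment they are set. The block below is an added illustration, not code from the original post or from Groove.Id. It assumes a constructed breach dump embedded inline (a real corpus has hundreds of millions of entries) and indexes it by the first five hex characters of the SHA-1 hash, so a lookup exposes only a hash prefix rather than the password or its full hash; this is the k-anonymity style of range query that public breached-password services use. The 8-character minimum is an assumed policy value.

```python
"""Screen a candidate password against a local breach corpus.

Added example for the password-reuse discussion; not the original post's
code.  The dump is constructed; the prefix-indexed lookup mirrors the
k-anonymity range query used by public breached-password services.
"""
import hashlib
from collections import defaultdict

# Constructed sample of passwords "dumped" from a breached external service.
CONSTRUCTED_DUMP = [
    "password", "123456", "qwerty", "letmein", "Summer2017!",
]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the encoding breach corpora usually publish."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(dump):
    """Index breached hashes by 5-char prefix -> set of 35-char suffixes."""
    index = defaultdict(set)
    for pw in dump:
        digest = sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index


def is_breached(password: str, index) -> bool:
    """True if the password appears in the corpus.

    Only the prefix would cross a trust boundary in a remote query; the
    suffix comparison happens locally, so the corpus holder never learns
    which candidate was checked.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    candidates = index.get(prefix, set())   # what a range query returns
    return suffix in candidates


def screen_new_password(password: str, index, min_length: int = 8):
    """Return (accepted, reason) for a proposed password (assumed policy)."""
    if len(password) < min_length:
        return False, "too short"
    if is_breached(password, index):
        return False, "appears in a known breach corpus"
    return True, "ok"


if __name__ == "__main__":
    idx = build_index(CONSTRUCTED_DUMP)
    for candidate in ("Summer2017!", "correct horse battery staple"):
        print(candidate, "->", screen_new_password(candidate, idx))
```

Rejecting a password that is already circulating in a dump removes the value an attacker gets from credential stuffing, without asking the user to memorise anything more complex; it pairs naturally with the MFA discussion that follows.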
ADDRESSING THE RISK
As an industry, we’ve recognized the risks that accrue with passwords and made attempts to address the problem. Typically, one of the first steps is to establish standards for password hygiene in security policies. Most of us have probably worked somewhere with a policy that required unique passwords for every application account and complexity requirements that include some combination of password length, upper and lowercase letters, numbers and special characters. The problem with this is that while passwords that meet the complexity requirements are harder for attackers to crack, they are also effectively impossible for humans to remember. For a funny but sad look into this problem, spend a few minutes with the @PWTooStrong Twitter account. It’s no wonder users resort to keeping lists of passwords on sticky notes, or to password reuse, as coping mechanisms.
Another attempt to shore up security involves multi-factor authentication (MFA), a method of access control that requires users to present something they know (typically a password) and something they have (usually a rotating or time-based one-time passcode) or something they are (i.e. a biometric like a fingerprint). MFA has been around since at least the 1990s, and in 2001 the Federal Financial Institutions Examination Council (FFIEC) released guidance for banks offering internet-based services to use “enhanced authentication” and advocated for multi-factor authentication. In the last 5 years MFA has become more prevalent in consumer services.
The problem with traditional MFA is the negative impact it has on user experience and productivity. MFA is typically a binary proposition: it’s either enabled and on all the time, or it’s off. If it’s turned on, users have an extra hurdle to clear in every sign-in attempt, usually entering a one-time code from a hardware or software token. This exceeds the frustration budget of most users, and many enterprises are conservative in applying MFA as a result.
Therein lies the problem: most of our efforts to address the risk have placed more burden on our users. Asking people to remember passwords that are essentially cryptographic keys is completely unrealistic. Multi-factor authentication is a big step in the right direction for security, but it can’t be at maximum friction at all times or users will revolt. The primary motivation of end users is getting their work done and being as productive as possible. Blaming and shaming users when they make mistakes related to security isn’t going to get us anywhere. Instead, security technology needs to do a much better job of making it easier for people to keep themselves and your company secure.
IT’S TIME TO DECOMMISSION THE PASSWORD
Modern technology gives us viable alternatives that can be stacked together in the right order to both improve security and make things a whole lot easier and more productive for end users.
Learn more about ATC Member Company Blog Post Contributor Groove.Id
What is a liger? Napoleon from the 2004 movie Napoleon Dynamite says, ‘It’s pretty much my favorite animal. It’s like a lion and a tiger mixed… bred for its skills in magic.’ You will have to read through the end to see how this ties into the conversation…
Most entrepreneurs in the tech community have built some sort of technology, platform or algorithm around solving a specific problem. But trying to figure out what the insurance industry considers a technology company vs a ‘tech-enabled’ company can be like splitting hairs. This month’s blog explores some of the nuances with tech underwriting and exposes some room for improvement in the insurance business.
How Do You Make Money?
One of the first questions an underwriter might use to help determine if your company is a tech company or a tech-enabled company is: how do you make money? If you make money from some sort of SaaS subscription for direct use of the technology, you are likely leaning towards a tech company. Microsoft is a perfect example of a tech company since they’ve created an operating system and offer customers software suites for use on a license or subscription basis. On the contrary, if you make money as a percentage of a sale, such as a real estate tech or insurtech company, chances are you are more of a ‘tech-enabled’ company. This is not the end of the conversation, but it is a start.
What Is It You Say You Do Here?
To an underwriter, a tech company might be easy to classify if your company is a classic dev shop or a traditional SaaS company. In today’s language, it might take the form of companies focused on AI, quantum computing or blockchain technology. To an underwriter, tech-enabled means there’s a (insert traditional type of industry) at the core of your company. Despite having proprietary tech that improves the user experience at the core, what service do you provide? For example, a bank that offers online bill pay, remote deposit, a variety of AI, chatbots, algorithms, and/or APIs will not be considered a tech company in today’s insurance terms because at the core, it is still considered a bank.
Sharing Economy Can Be Tricky…
This is where we get into some grey area when it comes to platforms in the sharing economy. I have had many companies tell me they are the ‘Uber of (fill in the blank).’ At first glance, these companies look, feel and smell like tech companies. Consider the Uber example. Uber connects a driver to a rider so they can quickly get from point A to point B. Despite the fact that Uber uses proprietary technology, has a network of drivers, and does not own the vehicles or directly employ the drivers, some carriers still consider Uber to be a sophisticated taxi company. Strange, right? An underwriter likely considers Uber a tech-enabled taxi company with outsourced drivers. The likely claims scenario is the driver getting into an auto accident rather than the technology failing. Evidence of this can also be seen in the types of policies they carry when viewing it from an insurance perspective.
The Insurance Industry Has Room for Improvement:
In full disclosure, there is certainly room for improvement in the insurance industry. I represent companies who are comfortable with some of the most cutting-edge tech and tech-enabled companies. Don’t get wrapped around the axle if you wind up getting classified in the industry you serve. There are only so many SIC codes available in some of these systems, and a few new ones need to be created. Carriers are also still working on gathering data. Whether you’re a lion, a tiger or a liger, you are still ‘bred for your skills in magic’ when it comes to your industry. It’s only a matter of time before a class code is created for sharing economy platforms and blockchain technology among others.
Learn More: ATC Member Company Lumen Insurance
For more insight visit their blog: https://www.lumeninsure.com/blog/
SXSW 2018 is over, and with it the excitement, media coverage, long lines, non-stop networking and sleep deprivation that make this gathering the preeminent technological exposition in the world. But, as the world moves on, how do you sustain, and even accelerate, momentum beyond the attention you were clever enough to score last month?
Beyond the obviously newsworthy product launches or funding round announcements, you probably have lots of stories sitting right under your nose, waiting to be told throughout the year.
A noteworthy hire, a major customer win, a marketing or sales milestone, a philanthropic partnership: each of these has real news value. The trick is to identify the media gatekeepers who are most likely to be interested in each story and to differentiate your “pitch” from the scores of others that these gatekeepers receive on a daily basis.
Another effective strategy to sustain your company’s editorial momentum is to get in front of issues that are of particular importance to your stakeholders. How about writing a bylined article with a compelling point of view for an influential trade publication or website? Alternatively, offer journalists access to company spokespeople who have a distinctive perspective on an emerging issue within your industry.
Fortunately, Spry’s on-demand PR network (http://www.sospry.com) has you covered. The tech world moves faster than any other industry. You have neither the time nor the money for an ongoing retainer or full-time hire. But as the world’s first on-demand mobile PR network, we give you instant access to a diverse network of communications and journalism experts.
More importantly, our proprietary algorithm will instantly match your need with an expert who understands your unique niche, the angles that resonate and the media gatekeepers.
First step? Download the Spry client app (https://apple.co/2FW12I1). Then, choose from our menu of services: news release, blog post, bylined article or fact sheet. Answer a few quick questions about your news and specify your deadline. If you need a comprehensive list of print and broadcast journalists and on-line influencers who are most likely to be interested in your news, we’ve got that covered, too.
For a limited time, ATC members are entitled to a 50% discount on each order.
Just use code ATXSPRY50 when you place your first order.
SXSW may have ended, but with Spry, your momentum is just getting started!