According to a few research studies, stolen employee access credentials is by far the leading cause of system hacking cases and data breach incidents which will cost businesses about $2 trillion by 2019. In fact, employee error is responsible for 90% of cyber attacks according to leading industry and government reports. The most common type of employee error is falling prey to a low cost method used to steal sensitive information called phishing or spear phishing when such attacks are a bit more sophisticated and targeted. This method is often a fake email asking potential victims to click a URL and fill out a form on a fake website or click on attachments and links which download malware onto the users’ computing devices leading to unauthorized access, private data theft, stolen intellectual property, and interruption of operations. When successful, this sophisticated attack makes employees (or any other computer user) to unwittingly give away privileged system access credentials and other sensitive information to hackers which facilitate system hacks.
Consider the following survey results regarding password:
The Bad Bews
The bad news is that organizations still allow employees to use passwords for accessing systems, and rely on employees to protect the sensitive passwords. Chief Information Security Officers must constantly worry about training users and launching phishing campaigns to test the knowledge of their employees in identifying, neutralizing, and reporting phishing attacks. It is not the best security option to leave security matters in the hands of unqualified persons.
The Good News
The good news is that organizations and their CISOs have the option to leave users out of the information security business by forcing the policies through system configuration and not let users make any security decisions such as blank or 1 character passwords with weak system security configurations. With advances and cost reduction in identity and access management technology, organizations have now the option to deploy other technologies such as biometric authentication and use the person’s characteristics to identify and authenticate the person.
Two Factor Authentication
Two-factor authentication of 2FA requires users to enter a unique code sent to a second email address of mobile number to be used along with the password for access. However, even when multi-factor authentication is used in some cases such as privileged account access, when password is one of the authentication components, the security of the system is reduced.
Personal USB key
Users simply plug in the USB key into the PC and the profile is loaded to grant access. A browser such as Chrome can be configured to work with USB keys and store all online logins within the master key which means no more memorizing and using passwords in ways that would jeopardize security.
Similar to the USB concept presented above, this password alternative requires employees to carry a piece of pre-recorded information with them which can be incorporated into the smartphone and mobile apps that display a temporarily-generated, unique image on the phone screen that users can hold up to the webcam to authenticate. The image can’t be stolen as each one is randomly generated and lasts for a limited time.
As mentioned above, biometric authentication uses a person’s characteristics to identify and authenticate the person. Biometric technology is advancing rapidly and the market for biometric systems is estimated to increase from $10.74 billion in 2015 to be worth $32.73 Billion by 2022 .
The list of biometric authentication options includes: