Why employees are a businesses weakest link

“People are our greatest asset,” proclaim companies all across the land – but that motto would perhaps be most appropriate to Hacker Incorporated, the loosely-affiliated organisation of cyber-baddies that has made a very successful business of invading computers and networks, for fun and great profit. According to Statista, there were over 1,000 data breaches which compromised 1.9 billion data records in 2016 – compared to just 784 in 2015.

Once all records are compiled, 2017 is bound to be worse.

Why is this happening? Companies spend billions annually on cyber-security, but things only get worse.We contend that it is because of the bad authentication tools given to employees. Employees are the likely weak link in an organisation, because they are required to rely on passwords to authenticate themselves in a system.

The requirements for effective cyber-protection in a password-based authentication system are too difficult for even the most security-conscious employee to fully observe.
Authentication consists of three basic elements – what you know, what you have, and what you are. Each has their strengths and weaknesses.

>See also: The threat from within: how to prevent employee collusion

Password authentication is an example of what you know, but it is also very vulnerable to hack attacks. It’s risky for organisations to use it as their main method of authentication.

Why? If you can know something, so can a hacker, and hackers have very sophisticated methods of stealing authentication data from employees – such as with a socially engineered phishing scheme. Phishing is now the number one way for cyber-crooks to deliver malware – and to invade servers. In order to get access to the treasure trove of information on servers, a hacker will often use a socially engineered phishing attack to get a user to click on an attachment or a link.

That action triggers installation of malware, such as a keylogger, which records and sends back authentication information. According to industry experts, a whopping 85% of organisations said that hackers tried to attack them with a phishing scam in 2015.

If passwords are so weak, why do so many companies rely on them? It is often a matter of “this is what we are used to”, that prevents implementing a new system considered difficult and onerous. Given the situation however, companies really have no choice but to look at alternative methods.

>See also: The insider threat: 5 things to do if your employee has gone rogue

An alternative to “what you know” authentication is based on “what you are”, involving the use of biometrics, such as the thumbprints used by Apple, Samsung and others to unlock mobile devices. Ostensibly this should be more secure than “what you know” authentication, as it is harder to steal a body part than a piece of data. But according to NIST (the National Institute of Standards and Technology), biometrics as they stand now (based on thumbprints) can be useful as an authentication factor, but it should not be relied upon as a primary factor. Thumbprints, for example, could be lifted and fabricated into a “fake thumb”.

What’s left is “”what you have” authentication. This involves authenticating employees via a device or token they have. While stealing data is easy, and even thumbprints can be compromised, a device in the hands of a user is much harder to duplicate. Here, there are no passwords to remember, so the extensive and expensive rigmarole in which employees have to go through time-consuming and often wasteful changing of password processes is dispensed with.

Instead, two strong factors are combined to protect users from hackers’ tricks. Note, however, that not all password-free authentication methods are created equal; many of them are vulnerable to the attacks described above.

There are several methods of “what you have” authentication. One example of that type of authentication is text (SMS) messages – where a site will send a text message to a device in the possession of a user that must be typed in for authentication to take place. Usually this is used as a second factor for “what you know” password authentication. But it’s not enough to make passwords more secure, according to NIST; in its latest draft proposal on security, the organization said that SMS should not be used as an authentication method, as messages can be stolen or spoofed.

>See also: How to manage and mitigate insider threats?

Hardware tokens are another example of “what you have,” and hackers would likely have a hard time getting hold of the physical devices that are required to log in using this method. Yet hardware tokens have been dropped by most companies – also due to ROI issues. Supplying the tokens, maintaining them, and accounting for them is a huge expense, and inconvenient for users.

According to one study, companies can halve authentication costs by doing away with hardware tokens. Additionally, phone sign-in is a “what you have” alternative, where a device is used to authenticate the user via an app without any password. Much more convenient for users, as there is nothing they need to remember/change/update, and bad news for hackers, because there is nothing for them to guess/steal.

To ensure even greater security, phone sign-in paired with information theoretic solutions such as “secret sharing” – a keyless authentication platform based on deep cryptography and invented separately by two top scientists, makes the odds of a hacker getting a hold of authentication data to be infinitesimal. Secret sharing splits up authentication tokens in such a way that it is virtually impossible for hackers to capture a token, either on the device or when it is in motion.

>See also: Insider threat: most security incidents come from the extended enterprise

That would be a far cry from what goes on today, when it’s relatively easy for hackers to abscond with user credentials that give them access to company servers. Alternative authentication systems really make them work to get that information – and if they have to work too hard, many of them will go away. Secret sharing has proven itself; it’s powerful enough to protect nuclear weapons, yet flexible enough to be developed into a system that can protect data.

A secret sharing-based security method that replaces passwords mean more security, not less – and if there’s anything needed today, it’s something to close up the many security failures “what you have” authentication has wrought.

 

Sourced by Raz Rafaeli, CEO of Secret Double Octopus, a mobile-based keyless and password-free authentication

Avatar photo

Nick Ismail

Nick Ismail is the editor for Information Age. He has a particular interest in smart technologies, AI and cyber security.