While hosting a panel on security this week, I talked to Johnathan Nguyen. Nguyen is in charge of the Data Breach Investigation Report at Verizon. He came out of government to focus on enterprise security. One thing we discussed was the massive migration of security professionals out of the U.S. Government to high-paying security jobs in the enterprise (some are promised not only a significant increase over their current pay but guaranteed 20 percent annual raises just to recruit and retain them).
Nguyen also talked about how boards are increasingly bringing on security experts so they can be sure security exposures are fully fleshed out and mitigated by technology and insurance. And we spoke about the many firms that believe themselves secure because of the amount of money they spend on security, regardless of whether the stuff actually works.
Two things stood out for me, though. One is that if you implement a strong dual- or triple-factor authentication process you can mitigate around 50 percent of your exposure (the part that is tied to insecure passwords and IDs). The second is that the U.S. has implemented a kinetic response rule which is likely to be copied by other companies and massively increases the exposure to an attack.
Let’s talk about both.
Biometric multifactor authentication
Back in the 1980s, a massive study determined that passwords and IDs were inadequate. This was before the Internet and was based almost entirely on mainframe users. The study showed that it didn’t matter how much security you wrapped around the system: if users accessed it with passwords, it wasn’t secure. Forty years later, passwords remain the most common way we access secure information, which means the “secure” part of this sentence is a joke, and not a particularly funny one.
Simply implementing and requiring solid multifactor authentication mitigates much of the user-based exposure, because, according to the Verizon study, it is largely through purloined passwords and IDs that attackers are gaining access to secure information today.
This suggests that it is critical you move to some form of secure multifactor authentication for all client devices as soon as you can. Doing so may increase your chances of preventing the next Sony or Target breach from landing on your desk.
Fortunately, this year everybody and their brother is bringing out systems with this technology installed. Fingerprint readers in particular have become far easier to use and far more reliable of late. But you have to use them. One of the concerns is that companies that buy PCs with biometric security technology often don’t turn it on, and that could look pretty negligent after a breach that reaches your board.