We’re in dangerous waters with cybersecurity. For decades, IT leadership has been focused on battening down the hatches, patching holes, and bailing out the water as fast as we can when it comes to protecting our digital treasures. But, let’s face it! It’s not working. Anyone who looks at the growing costs of cybersecurity breaches can tell you that, unless we start doing something different, we’re eventually headed for Davy Jones’ Locker. It’s time to chart a new course!
Now, I know that analogies can sometimes oversimplify complex issues but I find they are a good way to help frame problems and let people wrap their heads around important issues. So, indulge me a bit as I continue describing some of the ways that today’s organizations are attempting to combat cybersecurity threats and why they are prone to failure:
Battening down the hatches – For many organizations, a key part of their cybersecurity strategy involves corralling sensitive data inside the walls of their corporate network in an effort to keep that information safely under control. Unfortunately, that control is often tenuous at best and more illusion than reality. Even in the most secure environment, employees will find unauthorized ways of getting data into and out of a company’s network.
Why would good employees do that? It’s pretty simple. We’ve restricted what, where, when and how they access information needed to effectively do their jobs. We’ve managed to make our already overworked staff even less efficient. So, what do resourceful employees do? They find ways around the onerous protections we’ve put into place in order to continue to meet deadlines, satisfy management expectations, and to stay ahead of their workload. You can bet the hackers out there are just as resourceful and rather motivated stowaways.
Patching the holes – If you like beating your head against the wall day in and day out, get yourself assigned to one of the patching teams responsible for ensuring all of your enterprise systems are properly protected from the endless stream of security vulnerabilities reported each day. It’s a never-ending job that is both necessary and destined for eventual failure. By nature, most technology is in a state of constant change that stretches from the operating systems running on our laptops to the numerous applications driving our back-office systems.
For those not familiar with cybersecurity terminology, there is an expression called a “zero-day vulnerability”. It describes a flaw in the software we use that the vendor has had zero days to fix: at the moment it is first exploited, no patch exists, and often no one but the attacker even knows the flaw is there, with disastrous consequences for the victims. How do you patch a hole that you don’t even know exists? Zero-days are a fact of life and, while you can patch known holes as fast as they are disclosed, there will always be leaks that you are simply unaware of until it’s too late.
As for the hackers, finding a zero-day vulnerability is not only a sure way of making money on the dark web; being the first to discover one is often viewed as a badge of honor amongst their peers. For the hacktivists, it’s about righting what they see as injustices in the world perpetrated by both individuals as well as corporations. The point I’m making is that the motivations of the hackers out there are often driven by a passion that far exceeds those on the side of stopping them.
Bailing out the water – One thing we’re really good at in the IT industry is creating piles of best practices aimed at reducing the potential damage when things do go wrong. This includes solutions like requiring users to change passwords on a fixed schedule (a practice that NIST’s current guidance, SP 800-63B, now recommends against unless there is evidence of compromise, precisely because it pushes people toward predictable, reused passwords); deploying multi-layered firewalls; implementing complex network access controls; restricting the use of mobile devices; and the list goes on. None of these practices is necessarily a bad idea, but we’ve grown to rely on what are effectively bilge pumps because we can’t identify and stop all the leaks. Even worse, draconian best practices that make the lives of our employees more difficult are ultimately going to fail in spectacular fashion as people find ways around them – it’s human nature.
Okay, I can already see some of the crew are threatening mutiny and shouting, “You’re nuts! Our networks and data have never been more secure than they are today!”
To be fair, I’ve deliberately incited at least a few of you to make a point. There is a lot of truth to those statements – things are more secure today than they have ever been in the past. Yet, the evidence shows that statement is also misleading and a bit foolhardy. At best, we’re just keeping our heads above water and crossing our fingers that we aren’t the next victimized company that ends up with its name plastered across the front page of CNN.
What is abundantly clear is that, if we plan to stay afloat, we need to shift our focus and chart a new course. We need to reexamine cybersecurity at its roots with an eye towards identifying, understanding, and then addressing the underlying weaknesses in our current strategy:
We need to secure people first. How much safer would we all be if we knew with near 100% certainty who was accessing our company network, applications, and data? In decades past — before the days of remote access, telecommuting, and even the Internet — it was easy. Employees generally had to be physically present in order to lay hands on data of any significant value. In today’s increasingly mobile workforce, relying solely on someone’s physical presence is simply not practical. Unfortunately, when it comes to remote access, usernames, passwords, PINs, and even the one-time codes used by most two-factor authentication schemes do little to guarantee the identity of who’s on the other end of the wire. Authenticating users by things they know (e.g., passwords) or things they have (e.g., a two-factor code or token) will always be vulnerable to theft, phishing, and replay.
The best way to secure people first is through the use of multi-factor biometrics – authenticating the user based on who they are. This includes facial, voice, fingerprint, iris, and a number of other biologically driven mechanisms that can positively identify an individual. However, biometrics are only as secure as their implementation. If you store someone’s biometric templates on the very devices they are intended to protect (e.g., your phone or laptop), you are essentially leaving the keys in plain sight: whoever compromises the device holds both the lock and the key. You wouldn’t intentionally leave the keys to your car in the ignition and neither should you leave your biometrics on your phone, laptop, etc. It’s imperative that the keys to an individual’s digital identity are kept separate from the devices that use them for authentication.
Some naysayers of biometric authentication point to the fact that since you can’t change an individual’s biometrics, traditional passwords are safer. To that, I say, hogwash! For one thing, if done properly, it’s FAR more difficult to steal someone’s physical biometric details when the bad guy is located on the other side of the planet and those details are stored only in a location that the user physically controls. Secondly, let’s not throw out the baby with the bathwater. There are some good things about passwords — namely the fact that they can be easily changed. Combine multi-factor biometrics with something like an automated password token (something the user has, which the user also never needs to see and therefore can never be tricked into typing into a phishing page) and you end up with an extremely secure form of two-factor authentication that can still be revoked and reissued if a token is ever compromised. That equals convenience plus better security!
Secure data first, then the storage platforms and networks it traverses. It’s always been interesting to me how much effort companies spend on securing networks and controlling access to back-end systems – all under the umbr
ella of protecting data. What’s interesting is that those efforts rarely do anything to secure the actual data itself. The entry points are secure, but once you’ve hacked your way past the network and access controls, most of the data is laid bare and becomes easy plunder.
Encryption needs to play a much more prominent role in protecting data and needs to include a strong audit trail – a chain of custody. You should always be able to know with certainty who has what data and where it’s been! One way to do that involves the use of biometric authentication combined with an always-encrypted approach to storing data. Usernames and passwords simply don’t cut it if you want to guarantee someone’s identity when accessing sensitive data! Let biometrics control access to the keys used to encrypt and decrypt the data. Note the word control: the biometric match should gate the release of a key held in a separate, tamper-resistant key store, never serve as the key material itself, because a biometric template is fuzzy (no two scans match exactly) and, unlike a key, can never be rotated once it leaks. Consider incorporating capabilities such as time-limited access; data that self-destructs after a specified retention period; self-auditing data, etc. Keep in mind that ciphertext that has already been copied cannot be recalled, so “self-destruct” is only enforceable by destroying the key that unlocks it (crypto-shredding), which is one more reason that the keys, not the data, must be the thing you tightly control.
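The following Go program is an added example, not code from Identity or its Identity Card platform, that puts the last few paragraphs together: records are always stored encrypted (AES-256-GCM), the per-record keys live in a key service that is separate from the device holding the ciphertext, every key use is written to a hash-chained audit log (the chain of custody), and a record “self-destructs” at the end of its retention period by crypto-shredding, i.e. the service destroys the key so every copy of the ciphertext becomes unreadable. The names `KeyService`, `Protect`, `Reveal` and `VerifyAudit` are hypothetical; the `verify` callback is a stand-in for the biometric match described in the text, and the in-memory map stands in for a real off-device key store (an HSM or secure-element-backed service). The sample record and user names are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

var ErrNotVerified = errors.New("user could not be verified")
var ErrCannotOpen = errors.New("cannot open: no key (record never protected, or shredded at end of retention) or malformed blob")
// AuditEntry is one link of the custody chain; Hash covers PrevHash, so any edit or deletion is caught.
type AuditEntry struct {
	When                                  time.Time
	Who, Action, RecordID, PrevHash, Hash string
}
type record struct {
	dek     []byte    // per-record AES-256 data key; never leaves the service
	expires time.Time // retention deadline, after which the key is destroyed
}
type KeyService struct { // stands in for a key store that lives off the user's device
	keys   map[string]*record
	Audit  []AuditEntry
	verify func(user string) bool // hypothetical hook standing in for the biometric match in the text
}
func NewKeyService(verify func(string) bool) *KeyService {
	return &KeyService{keys: map[string]*record{}, verify: verify}
}
func aead(key []byte) cipher.AEAD { // AES-256-GCM; keys here are always 32 bytes, so no error
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}
func entryHash(prev string, when time.Time, who, action, id string) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(prev+"|"+when.UTC().Format(time.RFC3339Nano)+"|"+who+"|"+action+"|"+id)))
}
func (s *KeyService) log(who, action, id string) {
	prev := ""
	if n := len(s.Audit); n > 0 {
		prev = s.Audit[n-1].Hash
	}
	when := time.Now()
	s.Audit = append(s.Audit, AuditEntry{when, who, action, id, prev, entryHash(prev, when, who, action, id)})
}

// VerifyAudit recomputes the chain; false means an entry was altered or removed.
func (s *KeyService) VerifyAudit() bool {
	prev := ""
	for _, e := range s.Audit {
		if e.PrevHash != prev || e.Hash != entryHash(prev, e.When, e.Who, e.Action, e.RecordID) {
			return false
		}
		prev = e.Hash
	}
	return true
}

// Protect encrypts plaintext under a fresh per-record key (AES-GCM, nonce||ciphertext) and records the retention
// deadline. The blob is opaque without that key, so it can sit on any storage platform or cross any network.
func (s *KeyService) Protect(user, id string, plaintext []byte, retention time.Duration) ([]byte, error) {
	if !s.verify(user) {
		return nil, ErrNotVerified
	}
	r := &record{dek: make([]byte, 32), expires: time.Now().Add(retention)}
	nonce := make([]byte, 12)
	rand.Read(r.dek) // crypto/rand never returns an error in current Go releases
	rand.Read(nonce)
	s.keys[id] = r
	s.log(user, "protect", id)
	return aead(r.dek).Seal(nonce, nonce, plaintext, nil), nil
}

// Reveal decrypts only for a verified user and only before the retention deadline. Past it the key is
// deleted (crypto-shredding): every copy of the ciphertext, wherever it went, is permanently unreadable.
func (s *KeyService) Reveal(user, id string, blob []byte) ([]byte, error) {
	if !s.verify(user) {
		return nil, ErrNotVerified
	}
	r, ok := s.keys[id]
	if ok && !time.Now().Before(r.expires) {
		delete(s.keys, id)
		s.log("retention-policy", "shred", id)
		ok = false
	}
	if !ok || len(blob) < 12 {
		return nil, ErrCannotOpen
	}
	s.log(user, "reveal", id)
	return aead(r.dek).Open(nil, blob[:12], blob[12:], nil) // a tampered blob fails GCM authentication
}
func main() { // constructed demo: only alice verifies
	s := NewKeyService(func(u string) bool { return u == "alice" })
	blob, _ := s.Protect("alice", "rec-1", []byte("constructed sample record"), time.Hour)
	pt, err := s.Reveal("alice", "rec-1", blob)
	fmt.Printf("alice: %q (%v); audit intact: %v\n", pt, err, s.VerifyAudit())
}
```

Two design points are worth noticing. The audit entry for a `reveal` is written at the moment the key is used, so the log answers “who had the key to what, and when” regardless of what the caller then did with the plaintext; and the retention check happens inside the key service, not on the device, because a device that holds the ciphertext can always keep a copy, whereas once the service has deleted the key no copy anywhere can be opened again. In a real deployment the `verify` hook would be the biometric verification step and the `keys` map would be an HSM or secure-element-backed store, with the KEK never leaving that hardware.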
Stop fighting human nature. You will always lose! I saved this one for last because it has far-reaching implications. Let’s face it, humans are hardwired to be lazy. It’s just a biological truth. Virtually all living organisms will choose the path of least resistance or effort whenever possible. You give a group of individuals the choice between convenience and security and, if left to their own devices, convenience will win out every time. It’s one of the reasons those handy-dandy smartphones we all carry are so easy to use but woefully lacking in terms of security. Unfortunately, many cybersecurity policies and best practices do anything but make a user’s life more convenient. Thus, users find ways around them. Have you ever written a password down on a piece of paper? We must stop sacrificing user convenience in the name of security. Users will find workarounds to anything that makes their lives more difficult or less efficient. Solutions such as biometric authentication, which improve security as well as user convenience, are the essential examples of this philosophy.
Identity is a company that is at the forefront of solving many of the above challenges and is actively changing the paradigm under which we view cybersecurity. Want to learn more about our solutions, including the new Identity Card platform? Check out the rest of our website.
Take a look at our blog post, Break-thru Tech, to get a quick rundown on our solution.
And check out our next blog post, What to Look For in a Password Manager.
If you valued this article and want more, please share it via Twitter, LinkedIn, Google+, Facebook, and other social media outlets. I encourage you to join the conversation or ask questions, so feel free to add a comment to this post.
You can also find me on Twitter at @NewFrontierCIO for more commentary on the frontiers of technology, leadership, space exploration, and science.