In the early 1900s, Henry Ford discovered and addressed the weakest link in auto manufacturing: the production process. By creating the assembly line, Ford not only made the Model T widely available and affordable, but he also precipitated a global revolution in manufacturing, reshaped commerce and mobilized the world.
If you think of the world’s greatest inventions, such as Ford’s assembly line, you will find they all successfully address the weakest link in their respective fields. But when it comes to avoiding a data breach and improving security, what is our weakest link? Unfortunately, the answer is people.
Our heavily reused “123456” passwords or our susceptibility to clicking on phishing emails is not the biggest problem. One of the most significant hurdles is our lag in adopting technologies that truly target identity and access management (IAM) threats.
The Proof Is in the Pudding
The Verizon “2016 Data Breach Investigations Report” found that 63 percent of confirmed data breaches involved leveraging weak, default or stolen passwords. You can interpret this finding in one of two ways: The first and most obvious way is that 63 percent of data breaches are due to careless users. In fact, the report stated that the common threats associated with attacks involving legitimate credentials were, among others, stolen credentials and social phishing.
Now, the other way to interpret the statistic is to consider that if something as simple as stealing a user’s credentials is enough to expose sensitive information, organizations are not sufficiently utilizing intelligent access management practices.
I agree with the latter reasoning. Henry Ford did not lay blame on his plant workers for being the weakest link in his manufacturing process. Instead, he developed the technology that enabled his employees to work eight times faster — and therefore cheaper — than they could before.
Similarly, we should not blame end users for being the weakest link in security. Instead, we should acknowledge that users are the victims of sophisticated, continuously evolving malware and tricky phishing scams. We should enforce appropriate policies that can control access beyond easily stolen usernames and passwords.
Authenticating Beyond the Username and Password to Prevent a Data Breach
Back in 2004, Bill Gates predicted the death of the password. But now, 12 years later, it seems like we are clicking on “forgot password” more than ever. Given the rise in major data breach reports in recent years — and the role that stolen credentials play in those incidents — it is clear that many current access technologies might have been appropriate 12 years ago, but not today.
It is more important than ever to authenticate beyond username and password. Enforcing risk-based access policies can dynamically step up authentication in high-risk situations.
Risk-based access operates under a set of policy rules that determine, based on a calculated risk score, whether an access request should be permitted, denied or challenged. Attributes that feed the risk score of a specific request can include IP reputation, the user’s behavioral patterns, device characteristics and more. For instance, a banking application could take into account both the amount a user is attempting to transfer and the user’s physical location to determine whether stronger authentication is needed or whether the user should be denied authorization to perform the requested transaction altogether.
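The banking scenario above, worked through as a small policy engine. This is an added illustration, not code from the article or from any IBM product; the attribute weights, the thresholds and the reputation labels are constructed for the example and would be tuned from an organization's own telemetry in practice.

```python
from dataclasses import dataclass

# Thresholds and weights are constructed for this example; a real deployment
# tunes them from its own telemetry and tightens them for sensitive actions.
CHALLENGE_AT = 40   # score at or above this requires step-up authentication
DENY_AT = 80        # score at or above this is refused outright
IP_REPUTATION_RISK = {"good": 0, "suspicious": 30, "malicious": 80}

@dataclass
class AccessRequest:
    user: str
    ip_reputation: str           # label from a reputation feed (hypothetical)
    device_known: bool           # fingerprint previously seen for this user
    country: str                 # geolocated country of the request
    usual_countries: frozenset   # where this user normally signs in from
    transfer_amount: float = 0.0 # 0 for actions that move no money

def risk_score(req):
    """Combine the request's attributes into one score plus the reasons behind it."""
    score, reasons = 0, []
    ip_risk = IP_REPUTATION_RISK[req.ip_reputation]
    if ip_risk:
        score += ip_risk
        reasons.append(f"ip reputation {req.ip_reputation}")
    if not req.device_known:
        score += 20
        reasons.append("unrecognised device")
    if req.country not in req.usual_countries:
        score += 25
        reasons.append(f"unusual location {req.country}")
    if req.transfer_amount > 10_000:
        score += 30
        reasons.append("large transfer")
    elif req.transfer_amount > 1_000:
        score += 15
        reasons.append("medium transfer")
    return score, reasons

def decide(req):
    """Map the score onto the permit / challenge / deny outcomes."""
    score, _ = risk_score(req)
    if score >= DENY_AT:
        return "deny"
    if score >= CHALLENGE_AT:
        return "challenge"   # e.g. prompt for a second factor before continuing
    return "permit"

if __name__ == "__main__":
    usual = frozenset({"US"})
    print(decide(AccessRequest("alice", "good", False, "RO", usual, 25_000.0)))
```

The reasons list is what you would write to the audit log alongside the decision, so an analyst can see why a particular transfer was challenged rather than only that it was.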
Risk-based access allows organizations to create policies that control access dynamically, adapting to the ever-changing ways users access and consume information. There are enterprise-grade IAM solutions that secure access points and corporate networks through risk-based access capabilities.
Portfolio Marketing Manager, IBM