
Single Layers Of Security Aren’t Enough To Protect Your Organization’s Data

By Tom Mowatt | May 1, 2020 | Updated: July 4, 2024 | 4 Mins Read

Next to your employees, your organization’s data is its most important resource. A data breach can devastate an organization’s finances and reputation for years.

According to the 2019 Cost of a Data Breach Report, conducted by Ponemon Institute, the average total cost of a data breach in the U.S. is close to $4 million, and the average cost per lost data record is $150.

Hackers are more sophisticated than ever and the value of data seems to rise every day. In fact, McAfee believes that 92% of organizations unknowingly have credentials for sale on the Dark Web or “dark net.”

It’s no wonder that the days of securing a computer, application, or website with a basic username and password have long passed. In its 2019 Data Breach Investigations Report, Verizon reports that weak, default, or stolen passwords are the reason for 80% of hacking-related breaches.

Effective data security now requires a holistic, multi-faceted approach. Advanced authentication, or multifactor authentication (MFA), is becoming the norm because it adds a layer of security to the standard username and password. Multifactor authentication can be something as simple as a user receiving a code that is texted to them on a smartphone. That additional security layer is crucial for protecting data, as well as complying with strict government regulations, like HIPAA and PCI-DSS.

HIPAA fines and penalties can put a healthcare practice out of business, as these fines and consequences can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation.

Unfortunately, advanced authentication can get tricky when it affects the ease of accessing information. So much of today’s technology centers around “user-friendliness”, but many organizations find it tough to strike the right balance between access and security.

Overcomplicated login processes can result in unsafe situations. Think sticky notes with passwords written on them stuck to computer monitors. Very complex login processes also increase calls to help desks for password resets, and productivity can be lost while users wait for those resets to happen.

Luckily, solutions exist that allow organizations to effectively secure their data, adhere to compliance pressures, and keep access simple for users. The best identity and access management products allow organizations to customize authentication factors on a per-user, per-application, and per-group basis.

Some groups with advanced rights, such as administrators, can be configured to require extra factors of authentication, since the data they possess requires additional security measures. User groups with access to less sensitive data can be configured for lower levels of authentication. A simple username and password may be enough.

Configuring on a per-application basis is becoming increasingly popular. Applications containing sensitive financial information can be configured to require advanced authentication, regardless of which user is accessing the data. Additional factors, like time of day, location and device type, can also be criteria for consideration.
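The per-group, per-application and contextual rules described above can be expressed as a small policy evaluator. This is an added example, not code from the article or from any identity product; the group, application and factor names, the trusted-country list and the business-hours window are all hypothetical.

```python
from dataclasses import dataclass
from datetime import time

# Constructed policy data; group, application and factor names are hypothetical.
GROUP_FACTORS = {"staff": {"password"}, "administrators": {"password", "otp"}}
APP_FACTORS = {"wiki": set(), "finance-ledger": {"password", "otp"}}
TRUSTED_COUNTRIES = {"US"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))

@dataclass
class Request:
    groups: list          # directory groups the user belongs to
    app: str              # application being accessed
    country: str          # coarse location of the login
    managed_device: bool  # device enrolled with the organization
    at: time              # local time of the attempt
    presented: frozenset  # factors already verified in this session

def required_factors(req: Request) -> set:
    """Union of per-group, per-application and contextual requirements."""
    if req.app not in APP_FACTORS:
        raise KeyError(f"no policy for application {req.app!r}")  # fail closed
    needed = {"password"}                       # floor for every login
    for group in req.groups:
        # A group with no policy entry gets the strict set, not the weak one.
        needed |= GROUP_FACTORS.get(group, {"password", "otp"})
    needed |= APP_FACTORS[req.app]              # applies regardless of user
    start, end = BUSINESS_HOURS
    risky = (req.country not in TRUSTED_COUNTRIES
             or not req.managed_device
             or not (start <= req.at <= end))
    if risky:
        needed.add("otp")                       # contextual step-up
    return needed

def decide(req: Request) -> tuple:
    """Return ('allow', set()) or ('step_up', missing_factors)."""
    missing = required_factors(req) - req.presented
    return ("allow", set()) if not missing else ("step_up", missing)
```

Requirements only ever accumulate: a low-risk group cannot weaken what a sensitive application or an unusual login context demands.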

Forbes reported in October 2019 that the FBI issued a Private Industry Notification offering examples of tools and techniques that hackers are using to defeat MFA. These techniques include web hacks, straightforward SIM swapping, and tools such as Muraena and NecroBrowser. The Bureau noted that MFA was still a strong tool, but urged companies to increase their levels of user training and to consider deploying biometrics to assure user identities.

In general, it’s also a good idea to have your authentication process evolve, as what was an effective authentication tool last year may not be this year or even this month. Hackers’ abilities evolve as a reaction to new technology.

It is also important to track the success of the authentication tools used, according to Security Intelligence. It reports that those businesses with such a tracking program in place may be in a better position to both protect against cybercrimes and deliver a quality user experience.

Protecting your organization’s precious data doesn’t have to be difficult or expensive, but it is imperative that it’s done—and done right. Take steps today to shore up your organization’s data security practices.

Tom Mowatt

Managing Director

    The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
