Passwords are no longer enough to protect critical data


Protecting sensitive data – be it installing a system, or managing information on behalf of in-house or third-party clients – has never been more important in a world where top-secret US files can find their way onto the web via WikiLeaks. With the explosion in mobile data access thanks to the wave of portable devices hitting the market in recent years, it's high time thought was given to whether the authentication solution you have in place is still fit for purpose.

Recent research by Forrester Consulting on behalf of Symantec suggests it might not be. The survey, which covered more than 300 businesses, found that a third were still happy to rely on the very weakest form of authentication – passwords – to grant external access to their networks. The report’s authors described the use of traditional password verification as “antiquated” in the era of Cloud computing, collaboration tools and smartphones, and I’d have to agree.

One reason for this is that even this most basic level of authentication is frequently misused. People remain the weakest link in any security set-up, and in a bid to beef up protection, passwords have been lengthened and made more complicated.

As humans, the majority of us leading hectic lives simply can't remember long strings of numbers easily, with the result that they get written down or simplified (where possible), rendering an already weak form of authentication redundant in security terms. Forrester also found that password issues are the top access problem businesses face, with forgotten passwords common. Factoring in lost time and productivity, password resets cost on average £25 at the very least.

Putting aside the enormous reputational risk you run if data is compromised due to weak password protection, there’s now a significant cost of another magnitude to face. Last November the Information Commissioner’s Office demonstrated beyond doubt that it is far from a toothless tiger, hitting Hertfordshire County Council with an eye-watering £100,000 fine, relating to the accidental distribution of sensitive personal information to the wrong recipients. Given this, now is very much the time to challenge the status quo.

The question is not so much what the best authentication solution is (although most are preferable to a login and password set-up) but rather how you wish to use it; what you're using it for; how risky an environment you're operating in; and how frequently you'll be using the solution, as employees who perhaps use it once a month will forget what to do if it's particularly complicated, nullifying the benefits of being able to access data remotely or on the go.

So what are the alternatives? Smartcards and key codes can't address remote or mobile authentication. Tokens, which generate a One Time Passcode, are a secure and now familiar authentication technology. However, the acquisition and maintenance of these hardware devices comes at a cost, which has become significant in recent years as more employees demand to work from home. Usability of such a system is also relatively low, because users must carry around an additional piece of hardware to authenticate and gain access to data.

Biometric authentication is an interesting development but to my mind will probably remain niche for the foreseeable future. Solutions that send an SMS to a device, such as a mobile, are certainly ahead of passwords in terms of performance but can't provide 100% authentication, as devices can be stolen and cellular coverage is sometimes patchy. To that end there are a number of visual options in the marketplace, where users remember a shape, face or pattern rather than a password to generate a One Time Passcode.

Studies by UCL’s Department of Computer Science in London have found that people find it much easier to remember a pattern than a string of numbers. Being software based there are also advantages in rolling out this extra layer of security quickly across networks, and a cost saving as there’s no need to purchase or deploy tokens.
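To make the pattern-based One Time Passcode idea concrete, the following is an added example written for this page; it is not GrIDsure's code or any vendor's implementation, and the scheme it assumes (the user memorises an ordered set of cells on a 5x5 grid, the server shows a freshly randomised grid of digits at each login, and the user reads off the digits under their cells as the passcode) is a generic assumption, not a description of a specific product. The names `PatternOtpVerifier`, `issue_challenge`, `derive_otp` and the pattern for user `alice` are all constructed for illustration.

```python
"""Illustrative pattern-based One Time Passcode (OTP) verifier.

Added example, not code from the original article or from any vendor.
Assumed scheme: a user remembers an ordered list of cells (row, col) on a
5x5 grid. At login the server issues a grid filled with random digits;
the user types the digits sitting under their remembered cells, in order.
The server recomputes that string from the stored pattern and the grid it
issued, and accepts only a single, unexpired, exactly matching response.
"""
import hmac
import secrets
import time

GRID_SIZE = 5  # assumption: a 5x5 challenge grid


def new_challenge_grid(rng=secrets.randbelow):
    """Return a GRID_SIZE x GRID_SIZE grid of random digits 0-9.

    `rng` is injectable so tests can use a deterministic source; the
    default is the CSPRNG-backed secrets.randbelow.
    """
    return [[rng(10) for _ in range(GRID_SIZE)] for _ in range(GRID_SIZE)]


def derive_otp(grid, pattern):
    """Read the digits under the pattern's cells, in order, as a string."""
    return "".join(str(grid[row][col]) for row, col in pattern)


def render_grid(grid):
    """Plain-text rendering of a grid, as it might be shown to the user."""
    return "\n".join(" ".join(str(d) for d in row) for row in grid)


class PatternOtpVerifier:
    """Server-side state: enrolled patterns plus one pending challenge per user."""

    def __init__(self, pattern_store, ttl_seconds=60, clock=time.monotonic):
        # pattern_store: user -> tuple of (row, col) cells. In a real system
        # the pattern is a long-lived secret and must be stored protected.
        self._patterns = {u: tuple(p) for u, p in pattern_store.items()}
        self._pending = {}  # user -> (grid, expiry_time)
        self._ttl = ttl_seconds
        self._clock = clock

    def issue_challenge(self, user):
        """Create and remember a fresh grid for `user`; return it for display."""
        grid = new_challenge_grid()
        self._pending[user] = (grid, self._clock() + self._ttl)
        return grid

    def verify(self, user, response):
        """Check `response` against the pending challenge; True on success.

        The challenge is consumed on any attempt (right or wrong), so a
        captured response cannot be replayed and a wrong guess forces a
        new grid. Expired challenges are rejected. Comparison is
        constant-time so response length/prefix is not leaked by timing.
        """
        pending = self._pending.pop(user, None)
        if pending is None:
            return False
        grid, expiry = pending
        if self._clock() > expiry:
            return False
        pattern = self._patterns.get(user)
        if pattern is None:
            return False
        expected = derive_otp(grid, pattern)
        return hmac.compare_digest(expected, response)


def demo():
    """Walk through one enrolment, challenge and successful login."""
    pattern = ((0, 0), (1, 2), (2, 4), (4, 1))  # constructed sample pattern
    verifier = PatternOtpVerifier({"alice": pattern})
    grid = verifier.issue_challenge("alice")
    print(render_grid(grid))
    otp = derive_otp(grid, pattern)  # what the user would type
    return verifier.verify("alice", otp)


if __name__ == "__main__":
    print("login accepted:", demo())
```

Two properties matter for a defender here. A four-cell pattern yields only 10^4 possible responses per grid, so the verifier alone is not enough: lockout or rate limiting after a few failed attempts is still required, as with any short OTP. And because each grid leaks information about which cells could have produced the accepted digits, the pattern should be treated as a secret with a limited lifetime and rotated, just as token seeds are.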

Regardless of what you opt for, by far the most important thing is to make sure it's as intuitive and accessible to the end user as possible, lest it be circumvented. With ever increasing regulation and the threat of hefty fines, now is the time to make sure you have the correct authentication in place.


Stephen Howes is an experienced IT director with a background in software engineering and has over 20 years' experience designing and developing software for a variety of highly regulated markets. In 1996 Steve joined one of the UK's first ISPs, Unipalm Pipex (later UUNET), becoming the Director of Global Product Engineering and Infrastructure Systems. As part of this role, he was at the forefront of developing internet infrastructure for over 65 countries, delivering core infrastructure systems to ISPs, multinational companies and governments. Steve later moved on to become Managing Director of Tesseration, the IT consultancy and software development company, before going on to co-invent GrIDsure and become the company's CEO.