To avoid cyberattacks, we need to think differently

Companies are spending more on cybersecurity than ever before. That’s good—because users are just one click away from triggering a cyber-incident.

According to Gartner, an information technology research and advisory firm, worldwide cybersecurity spending could reach $76.9 billion in 2015. By training users on cybersecurity best practices and deploying smart technology, we’re better prepared to thwart cyber incidents. Still, these incidents are becoming larger, more frequent, and impacting corporations and consumers like never before.

What’s our weakest link? Password authentication. On a daily basis, we log into multiple systems, from corporate e-mail to personal email to social media sites, with user IDs and passwords to authenticate and gain access. But our passwords are too numerous and too complex to remember, so we share them among various systems, use simple logic to remember them, or carelessly write them on post-it notes.

To strengthen password authentication, we’ll need to think differently:

• Soon we won’t need to remember passwords. Instead, we’ll use one-time passwords through security tokens that change at set time intervals. Many already use this technology to log into high-value bank accounts, and some larger companies already use it for employee logins.
• And we won’t need to change passwords. How’s that for amazing? The solution has been right there at our fingertips. Many smart phones already use fingerprints to log-in, purchase, and pay. Even Microsoft is planning to provide an option to log in via fingerprint, face, or iris detection in its next operating system release.

Getting rid of user-defined passwords will solve many of today’s cybersecurity problems that affect both individuals and organizations. But organizations are faced with a second weak link: they rely too much on their users.

Organizations encourage employees to use strong passwords and safe security practices such as not introducing malware, but an authorized user’s actions can bypass expensive security defenses. It’s not that users are incompetent or have malicious intent; it’s that hackers have become experts at tricking them to click on malicious links, download malicious malware, or divulge their passwords. Again, we need to think differently:

• Should users be able to log in from anywhere or from any device? Most users log in from 10 or fewer sources. Consider enabling an approved login source (device or IP address) and requiring secondary approval for access from other locations. This is especially relevant for users that have administrative or sensitive access.
• Should users be able to log in at any time? Access is great, but do your employees really need to log in 24/7? Should we trust users to not click attachments in emails, or should we quarantine emails with attachments first and check for known malware signatures before releasing them?

The final weak link has to do with data protection. Data is like water; it leaks and evaporates into clouds. The irony is, while organizations are fiercely trying to protect their data, they don’t typically know where it’s stored.

The practice of sharing confidential and private data needs to be revisited. For example, when applying for a loan, it’s normal for the credit issuer to get a copy of your credit report. The issuer is looking for your debt-to-income ratio, your payment history, and other select statistics, yet they get a full report with all of your loan and credit card numbers. Is that necessary? Couldn’t the credit bureaus just provide a summary report? The more we share personal data unnecessarily, the higher the risk of breaches.

The majority of today’s security breaches result from users, their security practices, and the unnecessary sharing of data. Warren Buffet once said, “It takes 20 years to build a reputation and five minutes to ruin it.” If you think about that, I think you’ll agree that it makes sense to think differently about cybersecurity.