In the age of massive data breaches, phishing attacks and password hacks, user credentials are increasingly unsafe. So how can organisations secure accounts without making life more difficult for users? Marc Vanmaele, CEO of TrustBuilder, explains.

User credentials give us a sense of security. Users select their own password; it's personal and memorable to them, and it likely includes special characters and numbers for added security. Sadly, this sense of security is most likely false. If the login is anything like the 5.4 billion user IDs on haveibeenpwned.com, it has already been compromised. If it's not listed, it could be soon. Recent estimates state that 8 million more credentials are compromised every day.

Ensuring safe access

Data breaches, ransomware and phishing campaigns are increasingly easy to pull off. Cyber criminals can easily find the tools they need on Google with little to no technical knowledge. Breached passwords are readily available to cyber criminals on the internet. Those that haven’t been breached can also be guessed, phished or cracked using one of the many “brute-force” tools available on the internet.

It's becoming clear that login credentials are no longer enough to secure your users' accounts. Meanwhile, organisations have a responsibility and an ever-stricter legal obligation to protect their users’ sensitive data. This makes ensuring safe access to the services they need challenging, particularly when trying to provide a user experience that won’t cause frustration – or worse, lose your customers’ interest.

Importance of data protection

So how can businesses ensure their users can safely and simply access the services they need while keeping intruders out, and why is it so important to strike that balance?

After GDPR was implemented across the European Union, organisations could face a fine of up to €20 million, or 4% of annual global turnover – whichever is higher, should they seriously fail to comply with their data protection obligations. This alone was enough to prompt many organisations to get serious about their users’ security. Still, not every business followed suit.

Cloud security risks

According to a recent survey conducted at Infosecurity Europe, more than a quarter of organisations did not feel ready to comply with GDPR in August 2018 – three months after the compliance deadline. Meanwhile, according to the UK Government’s 2018 Cyber Security Breaches survey, 45% of businesses reported breaches or attacks in the last 12 months.

According to the report, logins are less secure when accessing services in the cloud where they aren't protected by enterprise firewalls and security systems. Moreover, breaches were most commonly identified in organisations using cloud computing or where staff use personal devices (known as BYOD).

According to the survey, 61% of UK organisations use cloud-based services. The figure is higher in banking and finance (74%), IT and communications (81%) and education (75%). Additionally, 45% of businesses have BYOD. This indicates a precarious situation. The majority of businesses hold personal data on users electronically and may be placing users at risk if their IT environments are not adequately protected.

Hacking methodology

In a recent exposé on LifeHacker, Internet standards expert John Pozadzides revealed multiple methods hackers use to bypass even the most secure passwords. According to John’s revelations, 20% of passwords are simple enough to guess using easily accessible information. But that doesn’t leave the remaining 80% safe.

Hackers have developed a wide range of tools to crack passwords, and these are readily available within a couple of clicks on a search engine. Brute force attacks are one of the easiest methods, but criminals also use increasingly sophisticated phishing campaigns to fool users into handing over their passwords.

Once a threat actor has access to one password, they can easily gain access to multiple accounts. This is because, according to Mashable, 87% of users aged 18-30 and 81% of users aged 31+ reuse the same passwords across multiple accounts. It’s becoming clear that passwords are no longer enough to keep online accounts secure.

Securing data with simplicity

Users expect organisations to protect their passwords and keep intruders out of their accounts. As a result of a data breach, companies will of course suffer financial losses through fines and remediation costs. Beyond the immediate financial repercussions, however, the reputational damage can be seriously costly. A recent Gemalto study showed that 44% of consumers would leave their bank in the event of a security breach, and 38% would switch to a competitor offering a better service.

Simplicity is equally important, however. For example, if it’s not delivered in ecommerce, one in three customers will abandon their purchase – as a recent report by Magnetic North revealed. If a login process is confusing, staff may be tempted to help themselves access the information they need by slipping out of secure habits. They may write their passwords down, share them with other members of staff, and may be more susceptible to social engineering attacks.

So how do organisations strike the right balance? For many, Identity and Access Management (IAM) solutions help to deliver secure access across the entire estate. It’s important, though, that these enable simplicity for the organisation as well as for users.

Flexible IAM

While IAM is highly recommended, organisations should seek solutions that offer the flexibility to define their own balance between a seamless end-user journey and the need for a high level of identity assurance.

Organisations’ identity management requirements will change over time. So too will their IT environments. Organisations need an IAM solution that will adapt to both of these factors, providing them with the ability to apply tough access policies when and where they are needed and prioritising swift access where it’s safe to do so.

Importantly, the best solutions will be those that enable this flexibility without spending significant time and resource each time adaptations need to be made. Those that do will provide the best return on investment for organisations looking to keep intruders at bay, while enabling users to log in safely and simply.
