
While the sheer number of credentials exposed in these leaks is astounding, it is not surprising: they only add to the billion-plus passwords already known to be circulating on the dark web. Below, Andrew Shikiar, chief marketing officer of the FIDO Alliance, explains why the classic password is in decline.

What is surprising is the continued reliance on traditional username/password authentication, despite knowing that it is easily breached and susceptible to compromise via credential stuffing attacks.

The problem of authentication has indeed risen to the forefront in recent years, as the vast majority of publicised high-profile data breaches have been traced back to weak and shared credentials; usually a username and password combination stored in easily exposed central databases that hackers can readily infiltrate. Even among IT professionals, who should lead the way when it comes to secure authentication, 69 percent share passwords with colleagues, and over half reuse an average of five passwords across business and personal accounts, according to a recent survey. With nearly 50% of shopping cart abandonment due to password issues (per a Visa study) and a large proportion of costly IT support calls within enterprises related to passwords, weak authentication is also becoming an economic burden for many businesses.

The good news is that the tide is turning. Rather than encouraging users to change all of their online passwords – which more often than not results in easy-to-remember passwords being recycled across different accounts – website and app developers can now look to new web standards from the FIDO Alliance and W3C for strong authentication that enhances security while improving the user experience. As service providers start to turn on these capabilities, we will begin to see an accelerating shift away from passwords, which in time will consign credential leaks such as Collection #1-5 to history.

Mobile devices, PCs and web browsers are now shipping with the capabilities for strong authentication, combining cryptographic protection of user authentication credentials, which cannot be phished and in fact need never leave the user’s device, with a low-friction user experience. By building applications and websites that support new web standards for strong cryptographic authentication, developers can leverage authentication mechanisms that are literally already in their users’ hands, from fingerprint, iris, face or voice recognition in PCs and mobile devices to portable hardware security keys, to improve security for their businesses and their users.

As 2019 progresses, we are surely going to see biometrics and other embedded authentication sources continue to contribute to an enhanced customer experience. The new version of 3D Secure, for example, will be optimised for mobile devices and enable the implementation of secure biometric user verification. Biometrics are likely to impact the financial services industry as well, given their potential to meet organisational and consumer demand for transaction convenience while ensuring compliance with regulations such as the Second Payment Services Directive (PSD2).

While this development is welcome, the industry needs to continue to commit to creating and implementing technical standards and established best practices, which can also inform emerging government regulation around this technology. Organisations may not be able to eliminate all passwords immediately, but 2019 should be the year that dependency on them begins to decline, as companies look to improve processes and aim to eliminate the burden of managing them, setting the stage for broader enablement of password-free online experiences as we head into the next decade.

Despite two thirds (66%) of small businesses having been the victim of cybercrime, one in four owners (27%) admitted in a recent survey by A&O IT One Solution that they are not up to date on the cyber security measures that could defend them against digital attacks.

To help SMEs ensure that their lack of a dedicated IT department does not make them a soft target, the worldwide IT support and technology services specialist has prepared a checklist to keep their company cyber safe. It includes:

  1. Review the data that your business holds to recognise which assets need additional protection and which employees or third parties can access them, and identify whether the data is adequately backed up. Consider encrypting any sensitive data or restricting network access to certain users, particularly when working remotely or using personal devices for work.
  2. Stay secure through regular IT upgrades and anti-malware software updates. A&O IT’s recent research indicated that a third (35%) of SME owners are not kept up to date with the latest IT regulations, which could leave them vulnerable to hacking.
  3. Train staff to understand the risks and their responsibilities for keeping the company secure. With a third (32.7%) of employees regularly accessing social media sites such as Facebook while at work and only half of SMEs (49.2%) providing their team with internet and computer usage guidelines, education is key to limiting external threats.
  4. Check you have the right level of technical support in place for your business needs. Whilst 61.9% of respondents admitted life would be easier if an IT engineer was located nearby or on site, it is not always possible for SMEs to employ a dedicated IT expert. Outsourcing to experts is a practical solution, ensuring the right controls are in place and a trusted expert is always available to resolve any issues.
  5. Run regular checks to test the effectiveness of your cyber security procedures and manage any changes in the risk levels facing your organisation. Specialists such as A&O IT can help customers review their systems to ensure they are always prepared against ever-evolving cyber risks.
  6. Have a plan in place so that everyday business can continue even if attacked. Where websites are designed to take payment, this might include having alternative procedures in place so that transactions can continue to be taken.
  7. Make sure ALL your staff are issued with written internet usage guidelines and ensure they acknowledge that they have received and understood the contents.

Rod Moore, chairman of A&O IT One Solution, said: “The reality is that the innovations that have increased efficiencies across SMEs are the same ones that are making businesses vulnerable to commercial risks.

“As cybercrime continues to rise and small businesses emerge as the most hacked sector, it’s vital that companies act now to protect themselves against attacks that could have a devastating impact on their bottom line.”

(Source: A&O IT One Solution)

Below, Dave Polton, Director of Innovation at NTT Security, writes about the recent Cyber Week conference in Israel, held between June 25th and 29th.

Cyber Week Israel 2017 concluded with the main theme touting 2017 as the year of the state-sponsored attack. But what does this mean for the future of cybersecurity? The answer seemed to split into three main themes that most, if not all, of the presenters touched upon:

United Cybersecurity – the premise that the only way we, as cyber defenders, will ever stand a chance of protecting our assets is to join forces against our adversaries. The idea is that partnerships need to be drawn not just within each industry vertical but across the entire industry, with both public and private organisations.

Whilst this is not a new idea, the Cyber Week presenters challenged the industry to build solutions to overcome the objections many have to these partnerships. Just what we will see in this area remains to be seen, but perhaps there will be some innovation in this space in the not too distant future.

A particular focus was given to the unification of government and industry where critical infrastructure was concerned, which led to the second main theme.

IoT / OT / ICS – depending on where you get your statistics, the projected number of connected devices is roughly 50 billion. However, as we try to understand just how huge the problem may be, my main frustration is how the industry keeps interchanging the acronyms IoT, ICS and OT as though they all mean the same thing. I will try to simplify my view. An IoT device is one whose primary function does not require an internet connection. An OT device requires a network connection in order to deliver its primary function. Arguably there are some grey areas, but loosely this definition works.

Whilst we are starting to see some new innovative technologies to help protect OT, the message from an IoT perspective is that IoT requires security by design, not an aftermarket technology solution. Just how much an organisation will invest in security by design will of course depend on the potential impact of a compromise. In the case of autonomous cars, for example, one would hope that the investment is high.

Cognitive Computing – a number of presenters referenced machine learning, artificial intelligence, orchestration, automation and expert systems, which I have grouped under the term ‘cognitive computing’. Irrespective of the term used, the message was clear: in order to bridge the skills gap within the cybersecurity industry, we need to leverage cognitive computing. I have blogged about this previously here.

© 2024 Finance Monthly - All Rights Reserved.