Tackling the authentication challenge
With digital transformation comes the responsibility to secure data and safeguard access through effective authentication practices, says Yubico's John Gilbert
For most organisations, digital transformation is a long-term strategy with plans delivered in phases. Over time, routine, repetitive tasks are automated and manual processes are digitised with a targeted end-result of cost savings, maximised efficiencies, and increased business insight. Then, 2020 happened. The events of this year shifted priorities onto business continuity, so that companies could navigate workplace disruption and economic fragility.
When the time comes, businesses will assess their 2020 success through the lens of how well-equipped they were to support remote working and serve customers through digital channels. It’s likely they’ll find areas for improvement, particularly around cybersecurity.
While remote working has been on the rise in recent years, a relatively small percentage of the UK population worked predominantly from home prior to COVID-19 – around 5% in 2019. Now, companies are supporting home working at scale and indications are that some of these changed habits will stick, long after workers return. One survey commissioned by YouGov and carried out by Skillcast found that more than two-thirds - 68% - of new home workers would like to carry on working remotely. Employer research revealed an expectation that double the number who worked from home before the pandemic will do so in the future.
Businesses will need to scale up their use of technology to support a larger base of home workers. What’s more, the transition they made to digital methods of working this year may encourage them to accelerate the transformation plans they had to serve customers through digital channels. Both scenarios place demands on authentication practices.
Identifying security risks
Digital transformation brings new ways of working, the adoption of new infrastructures and applications, and the deployment of new services. With this comes the responsibility to secure data and safeguard access through effective authentication practices.
John Gilbert, General Manager UK&I, Yubico
As rising numbers of employees and stakeholders - including third-party partners and vendors - come to depend on digital tools, control over who accesses them, and when, will naturally diminish. In turn, this is exacerbated by the increased home working population. Employees are now accessing corporate applications and company data from previously unknown WiFi networks, and from personal computers and mobile devices. This broadens the attack surface for potential hackers at a time when employees may have reduced access to IT support. This unfortunate combination of factors leads to an inevitable increase in security risks.
Securing remote working and ensuring all stakeholders can interact with the business in a safe and trusted way has to be a high priority for enterprises. Security must be rigorously reviewed as part of business continuity assessments post-lockdown and should be baked into ongoing digital transformation plans.
Strong authentication to secure assets and protect data
A good starting point is to challenge organisational practices around passwords. Despite inherent weaknesses, they still form the backbone of digital security. Nearly every service and application requires a username and password to log in, as a baseline. Unfortunately, people still tend to rely on a limited number of passwords and don’t necessarily protect them in the way they should. Recent Ponemon Institute research in the UK revealed that more than a third (39%) of surveyed employees re-use passwords across workplace accounts and over half (51%) sometimes or frequently share passwords with colleagues.
Not surprisingly, Gartner predicted last year that 60% of large and global enterprises, and 90% of midsize companies, would implement passwordless methods in more than half of use cases by 2022. Now, given the sudden shift to remote working this year, there is the real possibility of an acceleration of passwordless authentication.
Regardless, enterprises can no longer afford to eschew the responsibility of implementing strong authentication, and doing so for the entire organisation. Without the luxury of a company firewall and network monitoring for remote workers, plus an influx of sophisticated phishing scams and man-in-the-middle attacks, it’s critical to bolster user verifications when and where possible.
Bringing employees on board
There are additional considerations to weigh up, of course. While authentication practices need to be absolutely secure, they must also be user-friendly. Nearly a quarter (23%) of employees surveyed by Ponemon Institute believe SMS/mobile authentication app 2FA (two-factor authentication) methods are very inconvenient, while 56% say they will only adopt new technologies that are easy to use and significantly improve account security.
Inevitably, employees will find workarounds if they’re asked to follow security protocols that they don’t understand or that slow them down. For this reason, chosen authentication practices must bring employees on board by being simple to set up and use. As organisations contemplate higher numbers of people working outside the office, this becomes even more important, as does the ability to roll out new solutions remotely and across a wide geographic area.
As organisations grapple with their future digital transformation plans and take steps to shore up security with decentralised workforces, strong authentication must sit at the heart of secure access. Enterprises must evaluate authentication options that secure assets, protect company and customer data, and enable the smooth continuation of business, while mitigating the reputational risk of a breach or data loss.