In case you missed it (and how could you really), Yahoo fell victim to a massive hacking attack back in 2014. Well, it’s 2016, so why is this news? Yahoo announced the breach last week and apparently the incident may have affected up to 500 million user accounts.
While organizations need to do a much better job of reporting such breaches (and maybe the federal government should play a role in ensuring breaches are reported to customers in a transparent way), the fact of the matter is that Yahoo is one of many large organizations that have fallen victim to such security breaches. (Take a look for yourself.)
Numerous threat vectors exist inside and outside of your organization, and you must be prepared regardless of where they come from. According to IBM’s 2016 Cyber Security Intelligence Index, 60 percent of all attacks were executed by insiders, which is a staggering number. Of these attacks, 75 percent were malicious in nature while the remaining 25 percent had no malicious intent. Malicious or not, organizations can’t afford that risk, especially organizations that work in highly regulated industries including financial services, healthcare, life sciences and legal. If you work in healthcare or financial services, you must be extra vigilant because the IBM report found that those two industries are among the top three industries under attack simply because they handle so much sensitive data.
Passwords are another major threat vector. According to the 2016 Verizon Data Breach Incident Report of 64,000 incidents, the number one cause of data breaches involved weak, default, or stolen passwords, and over 95 percent of web application incidents involve stolen credentials.
So, what is a business – large or small – to do? Who can you trust? How do you enforce better password protection?
Enter a relatively new concept called Universal Identity (ID). Essentially, Universal ID allows organizations to safely verify a person’s identity before that person accesses the network, systems and applications. Universal ID acts as the truth for organizations that are concerned about malicious actors inside and outside of their walls, and because Universal ID adheres to strict government and industry standards, like FISMA and HIPAA, the solution is ideal for highly regulated industries.
As the adoption of mobility and cloud continues to accelerate, organizations will find it increasingly difficult to protect their borders, so we expect to see Universal ID play a major role in securing organizations’ mobile workers, devices, and connected machines.
Universal ID also effectively safeguards one of the most vulnerable and frequently exploited elements of traditional authentication: the password. For some of you, this is the 6-8-character code that may look like “abc123” or “Password.”
Realizing that traditional enterprise mobile solutions, like MDM and EMM, don’t meet the stringent security requirements that highly regulated industries have right now, my company, Synchronoss, developed a cloud-based identity access solution called Synchronoss Universal ID™, which is a core part of our larger enterprise mobility solution. Our solution is based on multi-factor authentication, which enables organizations to reduce the risk of identity fraud and to conduct secure e-business, while giving users a flexible, user-friendly experience with options that encourage compliance.
The Verizon study found that of the 5,000-plus largest successful attacks in the last 10 years, 82% exploited weak or stolen passwords and only two involved two-factor authentication.
Synchronoss eliminates the complexity of identity proofing and authentication by providing convenient multi-factor authentication and identity proofing. For example, users can select which devices and methods they want to use for a second factor: mobile app, text, email, IVR or soft token. Users can then combine something they know with something they have, like a QR code login, to eliminate usernames and passwords.
What I have learned after many years observing the IT world is: People make mistakes and single sign-on passwords alone don’t make for sound security. Use multi-factor authentication. We shouldn’t make it so easy for the bad guys.