3 strategies for more secure credentials

  • Nothing will prevent all cyberattacks, but taking steps to improve user authentication can help stave off some threats.

  • Contextual security can require authentication at network, device, and user levels.

  • The level of security on each app should be based on type of data, locations, and devices.

Despite IT’s best efforts, the number of cyberattacks continues to rise. Consider these statistics:

  • In 2015, 38 percent more security incidents were detected than in 2014, according to the Global State of Information Security Survey 2016 from professional services firm PwC.
  • In 2014, AT&T experts saw a 63 percent year-over-year growth in the number of times hackers scanned systems for cybersecurity vulnerabilities.
  • Almost half of organizations suffered at least one security incident in 2014, according to Experian’s 2015 Second Annual Data Breach Industry Forecast.

Equally troubling is that the average consolidated total cost of a data breach is $3.8 million—a 23 percent increase since 2013, as documented in IBM’s 2015 Cost of Data Breach Study.

While no single solution can prevent all cyberattacks, some could be eliminated by better protecting passwords and requiring stronger user credentials. There are some simple ways to help eliminate password cracking, phishing, and screen scraping. But there also are more sophisticated approaches that can help safeguard credentials. They include:

Move to confidence-based security (also called contextual security). It’s a combination of trusted network, device, and user. Accessing data and apps protected by contextual security requires a number of identifying elements to provide a higher level of confidence that users are who they say they are. For users, it could be a combination of “something you know,” such as a personal identification number; “something you have,” including a mobile phone; and “something you are,” such as a fingerprint. IT also can add other contextual elements, like the IP address requesting access, the application being requested, and details of the transaction.

Review and update multifactor authentication strategies. Windows 10 and new PCs offer a wide range of authentication methods, including personal identification numbers (PINs), biometrics, keys, tokens, and certificates that can be encrypted, matched, and stored in the hardware. If the PC is on a corporate network, perhaps the username and password are all that is needed to sign on. You could implement a policy that having a registered smartphone or wearable near the PC and entering a PIN or passcode is sufficient to log into the device. However, if the user is accessing data from outside the country or the transaction is sensitive, perhaps stronger authentication, such as a one-time PIN, voice recognition, a fingerprint—or a combination of methods—is required.

Reevaluate how the company classifies data risk for applications and roles. Determine how much security is required based on the type of data that is being accessed and where users are accessing this data. It’s too onerous to classify every document for security risk, but it’s feasible to classify certain apps and roles as requiring higher security clearances. The level of security should be based on three things: type of data, locations, and devices. For example, email access for most employees may not require the same level of security as human resources data and product schematics.
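The three strategies above can be combined into one step-up decision, sketched here as an added example that is not part of the original post. The app tiers, home country, factor names, and the thresholds for how many factor kinds each context needs are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed classification of apps by data type (constructed for illustration).
APP_SENSITIVITY = {"email": "standard", "hr": "high", "schematics": "high"}
HOME_COUNTRY = "US"  # assumption: the organization's home country

# Factor categories from the post: something you know / have / are.
FACTOR_KIND = {
    "password": "know", "pin": "know",
    "registered_phone": "have", "one_time_pin": "have",
    "fingerprint": "are", "voice": "are",
}

@dataclass(frozen=True)
class Context:
    app: str
    on_corporate_network: bool
    managed_device: bool
    country: str
    sensitive_transaction: bool = False

def required_factor_kinds(ctx: Context) -> int:
    """Number of distinct factor kinds this request needs (assumed thresholds)."""
    # Apps that were never classified fail closed to the highest tier.
    tier = APP_SENSITIVITY.get(ctx.app, "high")
    elevated = tier == "high" or ctx.sensitive_transaction
    # Trusted network plus trusted device: one kind is enough for standard data.
    need = 1 if (ctx.on_corporate_network and ctx.managed_device) else 2
    if elevated:
        need = max(need, 2)
    if ctx.country != HOME_COUNTRY:
        # Access from abroad always steps up; elevated data needs all three kinds.
        need = 3 if elevated else max(need, 2)
    return need

def decide(ctx: Context, presented: set[str]) -> str:
    """Return 'allow' or 'step_up' for the factors the user presented."""
    # Count kinds, not factors: a password plus a PIN is still only "know".
    kinds = {FACTOR_KIND[f] for f in presented if f in FACTOR_KIND}
    return "allow" if len(kinds) >= required_factor_kinds(ctx) else "step_up"
```

Counting factor kinds rather than individual factors is what keeps a password plus a PIN from being treated as multifactor.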

Of course, not all cyberthreats are password related. Telecom providers like AT&T offer network security services that can help you understand where the threats to your company originate and work with you to formulate a business strategy for today’s fast-evolving security environment.

These are just a few of the security approaches that you should consider this year. What methods does your cybersecurity plan currently include? Let us know in the comments section below.

Maribel Lopez is the CEO and mobile market strategist for Lopez Research, a market research and strategy consulting firm that specializes in communications technologies with a heavy emphasis on the disruptive nature of mobile technologies. All opinions are her own. AT&T has sponsored this blog post.
