Passwords are Dead: Why Zero Trust is the Future of Corporate Data Security

In Security by Simon Davies

Any modern business owner understands how important it is to keep corporate data safe. Securing confidential data and intellectual property not only ensures a company complies with legal requirements on data protection, but also maintains trust between it and its clients. However, businesses relying on password protection alone may unwittingly be putting sensitive information at risk.

Cyber attacks are growing increasingly prevalent, and traditional password-based authentication is no longer effective enough at shielding corporate data from hackers. 44 percent of users don’t use complex passwords with a mix of upper- and lower-case letters, numbers, and special characters, making a hacker’s job an easy one. But even complex passwords are vulnerable. For example, criminals can deploy brute-force attacks, which use automated software to try a large number of candidate passwords in succession in the hope of eventually gaining access to an account. Standard computer hardware can make approximately 100,000 guesses per second.
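As an added illustration (not part of the original article), the arithmetic behind that 100,000-guesses-per-second figure: how long an exhaustive search takes for several password policies, which shows why length and character variety matter and why an unthrottled guessing rate is the real problem. The character-class sizes are assumptions, not figures from the article.

```python
# Added example: worst-case time to exhaust a password keyspace by brute force
# at the article's quoted rate of ~100,000 guesses per second.
import math

GUESSES_PER_SECOND = 100_000  # rate quoted in the article for standard hardware

# Assumed character-class sizes; 95 = printable ASCII (letters, digits, specials).
CLASSES = {
    "lowercase": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "lower+upper+digits+specials": 95,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case: every candidate is tried. Expected time is half of this."""
    return keyspace(alphabet_size, length) / rate


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    for name, size in CLASSES.items():
        for length in (8, 12):
            print(f"{name:28s} len={length:2d} "
                  f"{entropy_bits(size, length):5.1f} bits  "
                  f"exhaust in {human(seconds_to_exhaust(size, length))}")
```

The same table run at a throttled rate (for example, a login endpoint that allows a handful of attempts per minute) is the defender-side comparison: the keyspace does not change, but the divisor does.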

With this protective mechanism failing to provide robust enough protection, it has never been more important for businesses to overhaul their dated security systems in line with the growing threat.

How Serious is the Threat to Corporate Data?

A 2018 study from Juniper Research estimated that cybercriminals will steal 33 billion records in 2023, pinpointing the US as a particularly vulnerable target. The organization predicted that over half of all global data breaches will occur in America by 2023. And, according to the Ponemon Institute’s 2018 Cost of a Data Breach study for IBM, cybercrime is proving extremely costly to companies worldwide, which pay an average of $3.86 million per data breach.

In 2018, over five billion records were exposed via data breaches. Corporations as huge as Facebook and British Airways were unable to keep their information safe from cybercriminals. And the growing threat is set to be shockingly expensive, with experts predicting that cybercrime will cost $6 trillion globally by 2021. That makes it more profitable than the global trade in all major illegal drugs combined.

Why Can We Not Rely Solely on Password Protection?

A report from market and intelligence firm Cybersecurity Ventures estimated that Fortune 500 employees—staff working for the largest US corporations by revenue—could be responsible for an average of 90 passwords each, both business and personal, by 2020. They warned that this could lead to “security fatigue” resulting in risky practices, such as using the same passwords across multiple accounts. Though users are encouraged to regularly update their passwords, the 2018 Varonis Global Data Risk Report revealed that almost half of companies employ over 1,000 users with passwords that never expire.

Mobile devices are most at risk of being compromised. Their relatively recent proliferation in the corporate world means there are few meaningful security measures in place compared to longstanding devices, such as desktop computers and laptops. This is why the Verizon Mobile Security Index 2019 has highlighted mobile phones as the most vulnerable source, with 86 percent of enterprises claiming that mobile threats are growing faster than any other.

Hackers most commonly gain access to a business network by using malware to harvest login credentials from a mobile phone, or through intelligent phishing techniques in which users are duped into handing over confidential information. A Centrify survey revealed that 74 percent of breaches involved the use of privileged access credentials. And given that only 48 percent of the organizations surveyed used a password vault, which stores complex passwords in an encrypted database and generates new ones on demand, cybercriminals can steal passwords and access sensitive corporate data with ease.

How Does Multi-factor Authentication Secure Data?

Multi-factor authentication (MFA) protects data by requiring more than two means of authentication in order to verify a user’s identity and allow them to access the relevant information. Worryingly, a huge 63 percent of employees refuse to commit to this crucial system, and one in five companies admit their IT leaders don’t know exactly who has access to certain corporate data.

MFA is a key part of the Zero Trust model, a security strategy many companies are looking to adopt. Rather than rudimentary password-based authentication, which fails to accurately verify a user’s identity, MFA offers a more robust approach. Employees want to access corporate resources from anywhere and on any device, so with the corporate perimeter essentially gone, access decisions can no longer rest on implicit assumptions such as location; MFA fills that gap by giving greater certainty about the identity of the person (or thing) requesting access.

It’s not easy to implement a Zero Trust model, as it requires rigorous planning as well as analysis of current security practices to identify where the biggest threats lie. One example of a Zero Trust strategy already in use is Google’s BeyondCorp approach, which enables employees to work anywhere safely without using a VPN. Another is the World Wide Web Consortium’s WebAuthn standard, which has users verify their identities using biometric information or security keys instead of passwords.

There is no one surefire way to guarantee total protection from all cybercriminals, but the statistics show that relying on dated password models simply does not go far enough. A holistic approach in line with the Zero Trust model ensures that companies take no chances over who can access corporate data, and is by far the best way to keep that data out of the wrong hands.

Simon Davies is a London-based freelance writer with an interest in startup culture, issues, and solutions. His work explores new markets and disruptive technologies and communicates those recent developments to a wide public audience. Simon is also a contributor at socialbarrel.com, socialnomics.net, and tech.co. Follow Simon @simontheodavies on Twitter.