Intelligent CIO Africa Issue 39 | Page 27

+ EDITOR’S QUESTION RICHARD MEEUS, SECURITY TECHNOLOGY AND STRATEGY DIRECTOR, EMEA AT AKAMAI /////////////////// F undamentally, passwords suck. They have been a thorn in the side of IT professionals for decades, from when 40% of a helpdesk’s time was spent helping users change their passwords, to poor advice in asking users to update their password every 90 days, and make it really complex – every single time. The fact that passwords are so ubiquitous and seen as the default mechanism for user authentication means they are often used without considering the wider picture. This is evident in our public health service, where a myriad of systems with different accounts creates significant delays when staff need to login. Single Sign On (SSO), a technology that’s been around for many years, is being used to try and address this delay. But, if it still revolves around a username and password, then staff are still tasked with remembering a complex password. The NHS (in the UK) is looking to adopt Multi-Factor Authentication (MFA) – a process that’s more secure as it only grants a user access once they present two or more pieces of evidence. Users can prove their identity by passing a combination of verification stages, providing something they know, something they have, or something they are. As a result, we’re now able to take this to the stage where a password is no longer necessary – users could sign-on with something they ‘have’, such as a hardware token, and something they ‘are’, using their fingerprint. We have adopted this internally here at Akamai and we use a combination of push authentication to mobile devices, along with certificates on company laptops to provide a password-less experience. Moving away from passwords, or at least complementing them with another factor of authentication, is important considering www.intelligentcio.com the volume of data breaches we witness on a daily basis. As users, we’re fundamentally lazy and will often reuse passwords across many sites. Witness the recent ‘attacks’ on two high street retailers, where stolen usernames and passwords from previous breaches were used to perform an Account Takeover (ATO), where the criminals seek to monetise whatever is within the account – normally in the form of cashing out on vouchers or gift cards. The fact they were both high street retailers with significant online business adds interest from an attacker’s perspective. Normally a ‘credential stuffer’, somebody who takes these breached usernames and passwords and tries to find ones that work on a new site, can expect a 1–2% hit rate. If these cybercriminals target the same verticals, the hit rate can be significantly higher. If one were to do a Venn diagram of the users at both stores, there would be a high probability of significant overlap – ensuring the attackers get more bang for their buck. For businesses, reducing passwords, implementing SSO and adding MFA is an important step. However, if that can’t be done, due to lower IT management budgets or the operational nature of the business, then password managers are essential to ensure good, random, unique passwords are utilised. INTELLIGENTCIO 27