It’s a question that haunts so many cybersecurity professionals across enterprises of all sizes when deploying an Identity Management solution: do you emphasize security or convenience?
This question may appear simple on the surface. After all, shouldn’t security always come first when it comes to Identity Management? If enterprise credentials fall into the wrong hands, then your data may end up for sale on the black market or broadcast for all the world to see. The financial and legal headaches from the resulting fines, consultations, and reputation damage in the wake of a data breach are enough to make cybersecurity professionals and executives alike wary of making anything easier for hackers.
Credentials are already a lucrative target for the digital criminal:
81% of confirmed data breaches in 2017 were due to weak, reused, or stolen passwords, according to a study by LastPass.
63% of confirmed data breaches involved weak, stolen, or default passwords, according to a separate study by Verizon.
19% (nearly ⅕) of enterprise professionals use poor quality passwords or shared passwords, according to a study by Preempt.
Adding to these appropriate fears is the idea that making an identity management solution too convenient plays into the hands of rogue or ex-employees with ill intent. The latest statistics justify those fears:
60% of all attacks were conducted by insiders, according to IBM.
75% of these attacks were conducted with malicious intent, according to those same findings.
Furthermore, any retailer or enterprise with a customer-facing aspect also needs to consider its identity management solution as part of its efforts to secure public trust. In addition to quality products and services, security is an increasing customer demand:
67% of consumers are concerned about their online identities while shopping or banking, according to a survey by BetaNews.
51% of consumers in that same survey said that news of data breaches changed the way they conducted their business online.
50% would be okay with providing even more authentication factors when verifying their identities online, according to Crossmatch.
It seems so straightforward, but very little in identity management, or in cybersecurity as a whole, is so simple. The problem is that users, even in the most prestigious enterprises, will pick the most convenient option, even if it compromises the security of their credentials and their business. Perhaps this is not surprising; humans gravitate to a state of maximum efficiency naturally, and corporate culture does reward speed. Combined with password fatigue, perhaps the results are not so surprising:
36 minutes—the time per month the average employee types in their credentials, according to LastPass.
154 times a month—the number of times an employee must type in their credentials, according to the same findings.
39% of users find it challenging to keep up with all the passwords for all their online accounts, according to Pew Research.
20% to 30% of help desk tickets concern lost or forgotten passwords, according to Gartner.
91%—the percentage of users who know the dangers of reused passwords, according to Pew Research.
61%—the number of users who do so anyway, also according to Pew.
A takeaway from all these findings is that even with the most comprehensive identity management solution, your employees and third-party users may still constitute the weakest link in your security. Not necessarily from malice either, but from human laziness.
The implied ideal is a solution that balances security and convenience. Part of the recent buzz around biometrics as a replacement for passwords stems from the solution being seen as the bridge between the two values.
According to a Keeper Security survey, 66% of respondents believe biometrics are a strong tool that is both secure and convenient. 38.9% of respondents think biometrics are more secure than passwords. 70% of respondents find biometrics easier than passwords, according to a Visa survey.
The problem is that biometrics may not be as secure as public perception leads many to believe. After all, if biometric data is compromised, users can’t simply change it for the future:
46% of respondents felt biometrics are more secure than passwords or PINs, according to AYTM Market Research.
1.2 billion people—the number of people left vulnerable in a hack on India’s Aadhaar biometric database.
The lesson from all this is that, if you are considering an identity management, privileged access management, or biometric solution, you need to weigh the security benefits against how easy it will be for your employees to adapt to the solution. Training them in the solution’s policies and nuances will be as necessary as selecting the solution in the first place. Additionally, it is essential to evaluate your employees’ security practices and enforce password best practices across your enterprise.
The alternative may be letting your employees relax themselves into a data breach.