The most popular password in 2020 was exposed almost 24 million times and took less than a second to crack. While a shocking statistic, when you learn that the most popular password of 2020 was “123456,” this news becomes somewhat less surprising.
This data perfectly encapsulates the flaws inherent in passwords and why it is easy to predict that it won’t be too long until passwords are phased out altogether. Indeed, cyber insurers might provide an impetus in this direction as they increasingly insist on controlling exposure from lax protocols, systems and passwords, using the latest technological innovations.
Passwords are the Achilles' heel of many firms' cybersecurity defenses, with 80 percent of cyber breaches being the direct result of stolen or hacked passwords (according to the 2017 Verizon Data Breach Investigations Report).
Even where passwords are strong and not easily guessed, they still pose a significant vulnerability, largely because of the rise in phishing attempts now present online. The growth of the dark web has also created a second-hand market for the large tranches of passwords that are successfully hacked or phished, in which they're sold to the highest bidder along with the corresponding email addresses.
Once the preserve of computer geniuses, the crime of phishing has been democratized in recent years, thanks to the proliferation of "off the shelf" phishing kits that can be purchased by amateur hackers on the dark web. As a result, pretty much anyone with criminal intent can become a phisher, meaning the phishing threat is ubiquitous in day-to-day life. A seemingly harmless request to re-enter a password could therefore result in a breach that enables a bad actor to infiltrate your firm's network.
For a while now, there have been various methods of strengthening password-based security. The most common of these is two-factor authentication (2FA). Instead of only proving knowledge (the password), the user must also prove possession of something, such as a hardware security token or a specific cellphone. While 2FA is significantly more secure than using passwords alone, these systems still have weaknesses that can be exploited.
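To make the "proving possession" step concrete, the following is an added example (not code from the original article) of the server-side check behind the most common form of 2FA, the time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226). The secret is shared once when the phone is enrolled; afterwards the phone proves possession by producing a code derived from that secret and the current 30-second time step. The example also includes a simple replay guard, since accepting the same code twice within its validity window is one of the weaknesses referred to above. The shared secret used here is the RFC test vector, and the class names are the example's own.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current time step."""
    return hotp(secret_b32, int(at_time // step), digits)


class TotpVerifier:
    """Server-side possession check: the code must match the enrolled secret for the
    current time step (plus/minus a small clock-skew window) and must not have been
    accepted before (replay guard)."""

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret_b32
        self.step = step
        self.digits = digits
        self.window = window
        self._used = set()  # (time_step) values already accepted for this secret

    def verify(self, submitted: str, at_time: float) -> bool:
        base_step = int(at_time // self.step)
        for skew in range(-self.window, self.window + 1):
            counter = base_step + skew
            expected = hotp(self.secret, counter, self.digits)
            # constant-time comparison avoids leaking how many digits matched
            if hmac.compare_digest(expected, submitted):
                if counter in self._used:
                    return False  # same code presented twice: reject as a replay
                self._used.add(counter)
                return True
        return False


# RFC 4226 / RFC 6238 test secret: ASCII "12345678901234567890", base32-encoded.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def demo() -> dict:
    """Walk through a genuine login, a replayed code and a wrong code."""
    verifier = TotpVerifier(RFC_SECRET_B32, digits=8)
    t = 1111111109  # a fixed instant from the RFC 6238 test table
    code = totp(RFC_SECRET_B32, t, digits=8)
    return {
        "first_use": verifier.verify(code, t),      # genuine: accepted
        "replay": verifier.verify(code, t + 5),     # same code again: rejected
        "wrong_code": verifier.verify("00000000", t),
    }


if __name__ == "__main__":
    print(demo())
```

The `window` parameter tolerates one step of clock drift either way; widening it makes logins more forgiving but extends the period during which a phished code remains usable, which is exactly the trade-off that makes OTP-based 2FA phishable.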
The Rise of Biometrics
Thankfully, the rise in phishing has been accompanied by significant innovations in technology and security, with the utilization of biometric data being one of these innovations.
The introduction of biometric technology has been slow and steady, so much so that most people don't recognize the extent to which they're using this data daily. Unlocking our phones, paying for groceries, speaking to our bank or entering the country are just a few examples of day-to-day tasks now enabled by biometrics. Developers of mobile apps are even building biometrics into their apps so that users can bypass the password altogether when accessing online accounts.
The shift from passwords to biometric data represents a move from the "something you know" mode of security to "something you are," and this shift is welcome. Thanks to biology, our biometric data is near impossible to phish, guess or hack. While biometrics aren't infallible, attempts to defeat them are largely confined to some of the more sophisticated criminals, meaning the prevalence of this threat is minimal when compared to the threat facing our passwords.
Cybersecurity Restored as Key Priority
The pandemic has seen a significant uptick in cyber attacks over the past 12 months. Cyber criminals have been merciless in exploiting the pandemic for their gain. The work-from-home set-up saw billions switch to remote working overnight, and many companies are still playing catch-up, looking to implement remote cybersecurity defenses comparable to those they had in their offices.
On a behavioral level, the pandemic has also seen attention diverted elsewhere, with criminals capitalizing on the fact that many leaders remain in fire-fighting mode, responding to the immediate aftershocks of the pandemic and leaving their cybersecurity defenses untended and exposed.
As business leaders adapt to the new reality they find themselves in, many are choosing to put cybersecurity back up their list of priorities, with biometric data one means of defense they're willing to explore. Forrester Research predicts that in 2021, 60 percent of global security decision-makers are planning to implement or expand their use of fingerprint, facial or voice biometrics.
Biometric security doesn’t need to replicate the plot line of a sci-fi film; it can be simple and easy to implement. Indeed, the more simply and seamlessly employees are able to interact with biometric systems, the more eager they will be to engage with these systems going forward.
Upgrading work cellphones to models that require touch or face ID is perhaps the easiest way to start shoring up one of the most breachable devices used by corporations. An additional benefit is that it obviates the need to collect biometric data in a centralized location: the biometric information is stored exclusively on the user's phone, which then simply provides a yes/no response when asked to verify that the user is who they claim to be.
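The design just described, where the phone keeps the biometric and only reports a yes/no, is worth seeing end to end, because it is what makes the privacy and breach-exposure picture so different from a central biometric database. The following is an added illustration, not code from the article or from any phone vendor: the "phone" holds the enrolled template and a device key that never leave it, the "server" stores only a per-device key and issues a fresh random challenge per login, and the phone's "yes" is an HMAC over that challenge, so a stolen server database contains no biometric and a captured "yes" cannot be replayed. The 64-bit feature string and Hamming-distance matcher are a constructed stand-in for a real biometric matcher, and the symmetric device key is a simplification of the asymmetric key pair that standards such as FIDO2 use for the same purpose.

```python
import hashlib
import hmac
import secrets


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two 64-bit toy feature strings."""
    return bin(a ^ b).count("1")


class Phone:
    """Simulates the user's device. Both the biometric template and the device key
    stay here; only a challenge-bound 'yes' ever leaves the phone."""

    MATCH_THRESHOLD = 8  # constructed: accept a live sample within 8 of 64 bits

    def __init__(self, enrolled_template: int):
        self._template = enrolled_template
        self._device_key = secrets.token_bytes(32)

    def enrollment_record(self) -> bytes:
        # Assumption for this example: a symmetric key is handed to the server once
        # at enrollment. FIDO2 would register a public key here instead.
        return self._device_key

    def answer(self, live_sample: int, challenge: bytes):
        """Local match, then a 'yes' tied to this login's challenge, or None for 'no'."""
        if hamming(live_sample, self._template) > self.MATCH_THRESHOLD:
            return None
        return hmac.new(self._device_key, challenge, hashlib.sha256).digest()


class Server:
    """Stores per-user device keys only. No template, no raw biometric."""

    def __init__(self):
        self._device_keys = {}
        self._pending_challenges = {}

    def enroll(self, user: str, device_key: bytes) -> None:
        self._device_keys[user] = device_key

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh per login, used once
        self._pending_challenges[user] = nonce
        return nonce

    def verify(self, user: str, response) -> bool:
        nonce = self._pending_challenges.pop(user, None)  # consume even on failure
        if nonce is None or response is None or user not in self._device_keys:
            return False
        expected = hmac.new(self._device_keys[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def holds_biometric_data(self) -> bool:
        """What a breach of this server would yield: keys, not templates."""
        return any(not isinstance(v, bytes) for v in self._device_keys.values())


def demo() -> dict:
    template = 0x123456789ABCDEF0  # constructed enrolled feature string
    phone = Phone(template)
    server = Server()
    server.enroll("alice", phone.enrollment_record())

    # Genuine login: live sample differs from the template by 2 bits of sensor noise.
    c1 = server.challenge("alice")
    r1 = phone.answer(template ^ 0b101, c1)
    genuine = server.verify("alice", r1)

    # Impostor: a sample 32 bits away fails the on-device match, phone says 'no'.
    c2 = server.challenge("alice")
    r2 = phone.answer(template ^ 0xFFFFFFFF, c2)
    impostor = server.verify("alice", r2)

    # Replay: re-sending the earlier 'yes' against a new challenge fails.
    server.challenge("alice")
    replay = server.verify("alice", r1)

    return {
        "genuine": genuine,
        "impostor": impostor,
        "replay": replay,
        "server_holds_biometric": server.holds_biometric_data(),
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from `Server` is how little it needs to know: if its database leaks, the attacker gets revocable keys, which can be re-enrolled, rather than fingerprints, which cannot be reset.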
A Catch-22?
Naturally, the integration of biometric data may cause privacy concerns among employees, sparking worries employers are amassing personal data that encroaches on their civil liberties.
Furthermore, while the use of biometric data might help to bolster cybersecurity defenses, it can open up other risks that businesses should be mindful of. The collection and storage of biometric data can attract increased interest from cyber criminals by offering a treasure trove of data that could be exploited, resulting in what is potentially a catch-22 situation. After all, despite their flaws, passwords can be reset; fingerprints can't. Additionally, several states have privacy laws specifically governing the collection and use of biometric data, which must be taken into consideration before any is collected.
Businesses looking to integrate biometric data into their security processes should do so with these considerations in mind. The data needs to be stored safely and securely and managed strictly in line with the appropriate processes to ensure it doesn't contravene the data regulations now in place.
To ease employees’ concerns, it’s also important that the processes in place to securely store and manage this data are communicated clearly and transparently.
Increased Insurer Scrutiny
With cyber risk heightening and the cyber insurance market hardening, businesses are set to face increased scrutiny from underwriters on the robustness of their cybersecurity and their exposure to risks. Underwriters are looking at insureds’ security protocols and measures in increasing detail. Even in the space of a year, we have seen the level of consideration applied to firms’ cybersecurity increase considerably, with insurers making more and more specific IT security improvements a requirement before coverage can be bound.
Businesses are increasingly being offered less favorable terms or no cover at all if their protocols and systems are seen to be too lax. An overreliance on basic passwords could be one such flaw that limits businesses’ options when it comes to coverage. However, deployment of biometrics could be the solution.
While underwriters recognize biometrics and their role in shoring up cyber defenses, a number of carriers are now requesting additional underwriting information surrounding insureds’ biometric data collection. Before implementation of a biometric security initiative, insureds should speak with legal counsel to ensure that the program is implemented in compliance with the relevant laws.
It is therefore likely that these two underwriting concerns will converge. If biometrics are the answer to underwriters' need for more robust security defenses, insureds may also have to demonstrate that such data is being used in a manner that complies with legal privacy requirements.