Beyond the government cybersecurity executive order, every commercial enterprise needs to take action for a secure, productive future.
President Biden’s cybersecurity executive order was announced in mid-May, 2021, with the goal of fortifying the nation’s digital infrastructure in the wake of countless hacks and ransom threats. Similar regulations are being imposed in countries around the world.
We discussed the implications for government agencies and contractors shortly after the cybersecurity executive order was announced.
But here’s what needs to be said now.
Even businesses not directly affected by government-imposed cybersecurity orders are still at risk of cyberattacks. In fact, the danger is considerably higher today than it was just a year ago. As more government-related enterprises reinforce the systems that protect access to their digital infrastructure and data, hackers are turning their attention to commercial enterprises that have failed to recognize and repair the chinks in their armor.
Recall for example how a single stolen password, leaked on the dark web, led to a shutdown of the Colonial Pipeline in May, 2021. Colonial was unable to bill its customers, while fuel supplies of roughly 2.5 million barrels per day were cut off across the East Coast—causing havoc at gas stations and even airports. The attackers also threatened to release 100 gigabytes of stolen proprietary data, forcing Colonial to pay an untraceable cryptocurrency ransom worth $4.4 million.
Or recall how a ransomware attack hit the San Francisco 49ers football team in February, 2022. It was the second attack the team has suffered since 2020, when its social media accounts were hijacked. In the most recent attack, private financial data was stolen from the $4.175 billion team, and critical information systems may have been encrypted.
These are just two among the many commercial enterprises that have been successfully targeted recently, causing total losses of $6 trillion per year and rising.
The good news is that the executive order—and the security industry’s response to it—provides excellent guidance for commercial enterprises that appreciate the risks and wish to act quickly to protect their profitability and peace of mind.
What can enterprises learn from the Biden cybersecurity executive order?
The first lesson is that you may be covered by the executive order, even if unwittingly. Section 3 requires adoption of a “Zero Trust Architecture … where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources.” And most importantly, this architecture relies on “multi-factor authentication and encryption of data at rest and in transit.”
Biden’s cybersecurity executive order applies not only to government agencies, but also to any third-party contractor or vendor operating on behalf of a government agency. Think about that. Especially for large, national enterprises, it would be unusual for one or more divisions not to be serving the federal government in some capacity. And if you’re investing in a Zero Trust Architecture for one division, why not take the opportunity to secure your whole business?
But let’s assume that you’re not covered by the mandate in any way. Why not continue doing what you’ve always done?
Passwords alone are shockingly insecure.
If you’re like most companies, what you’ve always done is single-factor authentication based on user entry of a password or PIN. Even 20 years ago, that method was barely adequate due to the ease with which passwords can be lost, shared, stolen, phished, or even simply guessed.
But today, even seemingly unguessable and vigilantly protected passwords can often be cracked with brute-force attacks applied through massive computing power. Ninety percent of passwords are now considered hackable.1
Passwords are unusable and unmanageable.
It’s not unusual for people to have upwards of 100 passwords to keep track of. On average, employees spend more than 12 minutes every week entering and resetting passwords, for a total loss of 11 hours per year.2 Up to 50% of service desk issues involve password resets, costing $70 each on average.3 The average estimated cost in lost productivity to a typical organization is $5.2 million annually.2
These average numbers are already astounding, but in industries that are particularly security-sensitive they run much higher. For example, healthcare workers log in to workstations and multiple applications an average of 70 times each day.4 These inconveniences and expenses could be worth it if passwords were truly secure, but in a single-factor authentication system they simply are not, and that’s unacceptable. It’s no wonder that 86% of security leaders say they would do away with passwords if they could.5
Multi-factor authentication methods are much better
Knowledge factors are often described as “something you know,” such as a password or PIN. The problem with this category is that a determined hacker—or even a casual acquaintance—may be able to learn your password and use it from any location in the world. And that would be something you don’t know, until it’s too late. Fortunately, there are two other authentication factor categories that require physical presence to uniquely identify the user.
Possession factors include “something you have,” such as a proximity or smart card-based employee credential. Authentication factors in your physical possession are far more secure than a password or PIN. Even if someone were to physically steal your credential, the permissions associated with it can be immediately revoked, whereas stolen or shared passwords can go undetected indefinitely.
Biometric factors are defined by “something you are.” Your fingerprint, for example, uniquely identifies you, is impossible to steal or misplace, and is difficult-to-impossible for an attacker to successfully spoof.
Fortunately, possession and biometric factors are becoming much easier and more affordable to implement. There are even mobile credentials that can be instantly provisioned to employee smart phones, wherever they may be. And biometric fingerprint and/or face recognition on newer mobile phones is now the rule rather than the exception—although these consumer-grade solutions emphasize convenience and can’t match the security offered by a truly enterprise-grade biometric solution.
Multi-factor authentication is ideal for security and convenience.
Multi-factor authentication methods require users to present at least two of the three authentication factor types. Undoubtedly, you’re already familiar with multi-factor authentication, as it’s becoming very common for web-based bankers, retailers and others to send a one-time PIN (knowledge factor) to your phone (possession factor) in order to complete a password-based login (another knowledge factor).
Often, the term two-factor authentication, or 2FA, is used to emphasize the need for at least two distinctly different factor types, not just two different passwords/PINs. Consumer-oriented 2FA methods are far more secure than entering a username/password alone, although they are not always foolproof and they can be somewhat inconvenient for the casual user.
However, for authenticating employees to business devices, applications and data, an enterprise-grade multi-factor authentication solution can be virtually attack-proof, and—bonus—it can be far more convenient even than entering a single-factor password.
For example, the WAVE® ID Bio reader from rf IDEAS incorporates a proximity and contactless smart card reader, BLE authentication, and a TouchChip® TCE fingerprint sensor within a single device. So users can simply wave their card or mobile credential-enabled phone, then touch the sensor to authenticate instantly using two-factor authentication: a knowledge factor and a biometric authentication factor.
WAVE® ID Mobile Readers work with industry-leading mobile credentials from HID, Orange Business Services and Safetrust, so that employee smartphones (possession factor), unlocked through facial recognition or a fingerprint (biometric factor) or even an old-fashioned PIN (knowledge factor) could potentially serve as an all-in one multi-factor authentication device that’s always at hand.
WAVE ID® Plus, WAVE ID® Nano and WAVE ID® Embedded OEM readers all support the FIDO2 passwordless authentication standard that works seamlessly across various credential types, devices, operating systems and browsers. We can show you how to make FIDO2 part of a multi-factor authentication solution that makes the bother of password entry and management forever a thing of the past.
Now is the time. rf IDEAS is the partner.
The most vulnerable enterprises are those that are left behind, exposed to attackers who know better than to waste their time trying to crack multi-factor authentication implementations. We have the readers, solution partner ecosystem and expertise to put you on the fast track to multi-factor authentication security. And with rf IDEAS, your multi-factor authentication solution can be far simpler and more affordable than you might imagine.
So let’s have a conversation and see what multifactor authentication methods will work best for your enterprise. You have nothing to lose but the headaches of password management and the worries that you could be too late.
1. www.businessinsider.com/90-percent-of-passwords-vulnerable-to-hacking-2013-1
2. www.thenationalnews.com/business/up-to-11-hours-spent-every-year-resetting-passwords-1.819620
3. www.infosecurity-magazine.com/webinars/password-management-getting
4. www.rfideas.com/sites/default/files/2020-02/rf_IDEAS_Imprivata_Case_Study_CS-505.pdf