Safeguarding digital identities


Weathering the storm

The need to transform often accompanies any time of great change, but in the shadows of transformation comes growing identity risk

The business world is in the midst of a time of great disruption. With the majority of companies now working remotely, early tech adopters that embraced digital transformation as a vehicle for differentiating themselves are realising the exponential benefits and competitive advantage of having secure and efficient systems in place to support home workers. 

Meanwhile, organisations that previously resisted transformation, due to the costs, disruption or simply fear of change, are scrambling to authenticate multiple remote endpoints on the network, leaving them more exposed to identity risks.

From wax seals and stamps to biometrics and behavioural analysis, humans have always looked for ways to validate that people are who they claim to be and can be trusted. Identity management has migrated from the mainframe and is now deeply embedded into the handheld devices of consumers.


Identity and access management is an enabler of digital transformation as it forms the intrinsic connection between people, services and data. A workforce underpinned by technology can operate increasingly independent of location or time zone, making digital identity practices more important to business success than ever. This importance is further emphasised by the fact that many business models are underpinned by technology that allows customers to engage and interact with them online.

“They are vital for presenting a compelling first contact point to customers, protecting sensitive data, enabling secure transactions and transforming business processes,” says Adam McElroy, cyber risk director at Deloitte. 

“They allow new ways to engage with consumers via social media, improve collaboration within the business, and automate and simplify cybersecurity. Consumer-focussed organisations may also consider a ‘bring your own identity’ policy and a user managed access protocol as part of a resilient strategy.”

Yet as demand has spiked for better remote access and also online shopping and streaming services, organisations are scrambling to accommodate. The sudden shift to a large remote workforce has posed significant identity risks and challenges as companies seek to maintain security and ensure business continuity. 

Identity and access management is crucial to ensuring resilience during times of change. While the communications infrastructure is there to enable this unprecedented shift from office to remote work, for a lot of companies it is a big challenge to do this quickly while also maintaining productivity.

In the rush to enable remote working, it can be easy to overlook formal security training and guidelines. Such resilience policies should govern the management of remote access, the use of personal devices, password and authentication guidelines, and privileged access control. 

It is also good practice to establish IT support mechanisms for remote workers, such as a virtual helpdesk. IT teams require visibility across the remote workforce devices connecting to the corporate network, with a clear view over security and authentication.

Personal and company wellbeing

“Businesses holding off on adopting more secure and efficient authentication methods will have to update their practices eventually, in response to regulatory changes and consumer demand. As technologies evolve – from the internet of things to blockchain – trustworthy authentication will be the key to widespread adoption.”

Digital transformation changes how employees access data, and this can mean the user access and security controls that companies traditionally rely on are exposed to new vulnerabilities. For example, employees using their own devices while working at home could give hackers easier access to sensitive information. 

GDPR, the EU’s data regulation, expects companies to consider a data protection impact assessment before making changes that will affect the processing of personal information, and that includes remote working. A resilient agile working policy should also clearly define processes and responsibilities for identity-based access control, two-factor authentication and encrypted data transfers.

Organisations must consider the wider context of changing landscapes and user behaviours, and how they could lead to more identity risks when their employees are working from home. People will often use the same password for their personal logins and subscriptions as they do at work. Cybercriminals will frequently obtain users’ access details for one site and then test them on multiple other sites as well as corporate accounts, knowing there’s a strong chance that they will be able to gain unauthorised access.

“This issue can be addressed by continually reviewing password policies to ensure strong and unique passwords are used by employees,” says Daniel Milnes, a governance and information lawyer at Forbes Solicitors. “They should also make allowances for staff to inform them if their security has been compromised at home, so they can engage their data breach response process and mitigate the consequences of a breach on the organisation.”
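The password-reuse attack described above has a recognisable shape in authentication logs: one source tries many different usernames, roughly once each, with a high failure rate, whereas a brute force hits one username many times. The following detector, an added example and not code from the report or any vendor quoted in it, separates the two patterns and lists the accounts a stuffing source actually got into, which are the ones whose passwords were reused and need a reset and session revocation. The log lines and their `<timestamp> <source_ip> <username> <result>` layout are constructed for the example; the thresholds are assumptions to tune against your own traffic.

```python
"""Credential-stuffing detector over authentication logs (added example).

Distinguishes credential stuffing (one source, many distinct usernames,
about one attempt each, mostly failures) from a brute force against a
single account (one source, one username, many failures). The log text
and its '<ts> <src_ip> <username> <result>' format are constructed for
this example and are not any real product's log format.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: 203.0.113.7 sprays eight accounts and lands one (dave),
# 198.51.100.9 hammers alice's account, 192.0.2.44 is an ordinary user.
SAMPLE_LOG = """\
2020-05-04T09:00:01 203.0.113.7 alice FAIL
2020-05-04T09:00:02 203.0.113.7 bob FAIL
2020-05-04T09:00:02 203.0.113.7 carol FAIL
2020-05-04T09:00:03 203.0.113.7 dave SUCCESS
2020-05-04T09:00:03 203.0.113.7 erin FAIL
2020-05-04T09:00:04 203.0.113.7 frank FAIL
2020-05-04T09:00:04 203.0.113.7 grace FAIL
2020-05-04T09:00:05 203.0.113.7 heidi FAIL
2020-05-04T09:01:10 198.51.100.9 alice FAIL
2020-05-04T09:01:11 198.51.100.9 alice FAIL
2020-05-04T09:01:12 198.51.100.9 alice FAIL
2020-05-04T09:01:13 198.51.100.9 alice FAIL
2020-05-04T09:01:14 198.51.100.9 alice FAIL
2020-05-04T09:01:15 198.51.100.9 alice FAIL
2020-05-04T09:02:00 192.0.2.44 alice SUCCESS
2020-05-04T09:05:00 192.0.2.44 alice FAIL
2020-05-04T09:05:30 192.0.2.44 alice SUCCESS
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct usernames tried
    successes: set = field(default_factory=set)   # accounts the source got into


def parse_log(text):
    """Aggregate per-source counters from the constructed log format."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, user, result = line.split()
        s = stats[src]
        s.attempts += 1
        s.users.add(user)
        if result == "FAIL":
            s.failures += 1
        else:
            s.successes.add(user)
    return stats


def classify(stats, min_attempts=5, min_users=5, fail_ratio=0.7):
    """Label each source. Thresholds are assumptions for the example."""
    verdicts = {}
    for src, s in stats.items():
        if s.attempts < min_attempts:
            verdicts[src] = "normal"          # too little traffic to judge
            continue
        ratio = s.failures / s.attempts
        per_user = s.attempts / len(s.users)  # ~1 for stuffing, large for brute force
        if len(s.users) >= min_users and ratio >= fail_ratio and per_user < 2:
            verdicts[src] = "credential_stuffing"
        elif len(s.users) == 1 and ratio >= fail_ratio:
            verdicts[src] = "brute_force"
        else:
            verdicts[src] = "normal"
    return verdicts


def compromised_accounts(stats, verdicts):
    """Accounts a stuffing source logged into: reused-password victims."""
    hit = set()
    for src, verdict in verdicts.items():
        if verdict == "credential_stuffing":
            hit |= stats[src].successes
    return sorted(hit)


if __name__ == "__main__":
    stats = parse_log(SAMPLE_LOG)
    verdicts = classify(stats)
    for src, verdict in verdicts.items():
        print(f"{src:15} {verdict}")
    print("reset + revoke sessions for:", compromised_accounts(stats, verdicts))
```

The per-user attempt count is the signal that matters: blocking only on failure volume would miss a stuffing run that spreads one try across thousands of accounts, and locking accounts after N failures punishes the victims rather than the attacker. In production the same counters are usually kept per source over a sliding window, and the "successes from a flagged source" list feeds the breach-response process Milnes describes.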

Many companies were unprepared for how quickly and dramatically a pandemic would impact their business. They’ve learned the hard way the crucial importance of resilience, but there is no magic bullet and clearly organisations are still having to make risky decisions at a rapid pace. Where this is the case, they need to assess their security systems as fast as possible and move to remediate any risks. Identity governance should be a core focus. In the longer term they can see this as a process that will enhance their resilience.

If there are any positives to draw from the turbulence businesses have been going through, it is likely to be the acceleration of digital transformation and the heightened focus on robust resilience strategies with agility at the heart, which for many organisations have been necessary to their survival. 

The broad realisation that a remote workforce can be just as productive as one based in a single office will reshape the business landscape, and identity and access management will be central to ensuring resilience in this new world.

Managing identity for a competitive edge

Identity management is an important pillar of security in the digital age, but the savviest businesses are realising it’s also an opportunity to strengthen their brand

Authentication has long been considered crucial for security and fraud prevention, and necessary to meeting compliance requirements. But as privacy and trust become vital to consumers' everyday dealings with organisations, identity management has become less of simply an IT or regulatory issue and more an opportunity to boost business. 

Two-thirds of organisations have lost customers as a result of cyberattacks, according to Forbes, so strong security is clearly paramount. Equally, however, authentication is the main interaction with consumers for many brands and a poor experience here can also damage that relationship. Too often security adds friction to customer experience.

Many organisations are experimenting with and integrating a number of new technologies to improve their digital identity capabilities, while also providing a great user experience to increase their brand affinity. Moving beyond simple logins and passwords, they’re increasingly using advanced authentication methods, such as biometrics and behavioural monitoring, as standard practices in identity management.

“There can be no trade-off between security and convenience,” says Ajay Bhalla, president of cyber and intelligence at Mastercard. “One of the reasons trust has become so important is because we have huge amounts of data, unprecedented levels of connectivity and an internet that evolved to connect people, not secure them. We need to recognise security and wellbeing as core to successful product development. 

“We call it 'security by design'. Personal data sits with its rightful owner, the individual, and doesn’t involve amassing personal data in honeypots or any one location, vulnerable to attack. Aligning security with consumer experience is also crucial. At the heart of our security strategy is collaboration, sharing expertise, defining standards and specifications, and playing a leading role in securing the landscape. By protecting what connects us, we can create a stronger, more resilient world.”


Trust is the dynamic relationship enabler between a consumer and a brand, so jeopardising it is sure to impact both parties negatively. The extent of that damage is entirely dependent on how effectively an organisation responds to the breach and the pre-existing reputation it has with its stakeholders. The more trusted a company is, the more forgiving consumers will be. In a digital world, it’s even harder to build trust.

Co-ordinated approach

Considering how deeply enterprise and consumer identities are interlinked, companies should approach both in a similar and co-ordinated manner. A strong, holistic approach to digital identity management can help drive the business, make life easier for cybersecurity teams and ensure better experiences for customers and employees. 

For consumers, this means logging in just once to get quick access to what they need, when they need it. Being more connected than ever, they want a consistent experience across the multiple channels they engage with, be it call centres, chatbots or virtual assistants.

“We talk about ‘friction right’ in respect of consumer interaction; it’s about ensuring any friction, for security or otherwise, is appropriate to the level of risk,” says Josh Gunnell, head of fraud and ID pre-sales at TransUnion. “Consumers want to feel secure and reassured they’re being taken care of while also benefiting from a seamless user experience. Transferring money online or successfully applying for credit would not feel natural or comfortable if these experiences came with the same level of authentication as cashing in your loyalty points at the local supermarket.

“This approach is not only driven by regulation, such as the second European Union Payment Services Directive and strong customer authentication, but by consumer expectations of balancing that need for security while maintaining convenience. The two aren’t at odds, in fact they complement each other to drive an improved user experience and increased customer loyalty.”
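The "friction right" idea above is easiest to see as a policy that maps the risk of a request to the authentication it demands: a known device redeeming loyalty points needs nothing beyond the session, while a large payment to a new payee from an unknown device triggers step-up (two-factor) authentication. The following policy engine is an added example, not TransUnion's or any vendor's code. The signals, scores and thresholds are assumptions; the low-value payment exemption mirrors the PSD2 RTS figures (EUR 30 per transaction, EUR 100 or five transactions cumulative since the last strong customer authentication) but the cumulative tracking is simplified and carried in the request.

```python
"""Risk-appropriate authentication policy (added example, not a vendor's code).

Friction scales with risk: low-risk actions on a known device pass on the
existing session, moderate risk asks for a password, high risk or a
non-exempt remote payment requires strong customer authentication (two
independent factors). All signals and thresholds are assumptions made for
this example.
"""
from dataclasses import dataclass
from enum import Enum


class AuthLevel(Enum):
    NONE = 0      # existing authenticated session suffices
    PASSWORD = 1  # single factor re-entry
    STEP_UP = 2   # strong customer authentication (two independent factors)


@dataclass
class Request:
    action: str                         # "view", "loyalty_redeem", "payment", "credit_application"
    amount_eur: float = 0.0
    known_device: bool = True           # device previously bound to this customer
    new_payee: bool = False             # payment to a never-seen beneficiary
    amount_since_last_sca_eur: float = 0.0
    txns_since_last_sca: int = 0


def risk_score(r):
    """Additive score from assumed signals; weights are illustrative."""
    score = 0
    if not r.known_device:
        score += 40
    if r.new_payee:
        score += 30
    if r.action == "credit_application":
        score += 50
    if r.action == "payment":
        if r.amount_eur > 500:
            score += 40
        elif r.amount_eur > 30:
            score += 20
    return score


def low_value_exempt(r):
    """PSD2 RTS low-value exemption, simplified: <= EUR 30 per payment and
    cumulative <= EUR 100 or fewer than 5 payments since the last SCA."""
    return (r.action == "payment"
            and r.amount_eur <= 30
            and r.amount_since_last_sca_eur + r.amount_eur <= 100
            and r.txns_since_last_sca < 5)


def required_auth(r):
    """Decide how much friction this request earns."""
    if r.action == "payment":
        # Regulation-driven branch: remote payments need SCA unless exempt,
        # and this example only honours the exemption on a known device.
        if low_value_exempt(r) and r.known_device:
            return AuthLevel.NONE
        return AuthLevel.STEP_UP
    score = risk_score(r)
    if score >= 50:
        return AuthLevel.STEP_UP
    if score >= 20:
        return AuthLevel.PASSWORD
    return AuthLevel.NONE


if __name__ == "__main__":
    # Constructed requests spanning the spectrum the article describes.
    cases = {
        "balance view, known device": Request("view"),
        "loyalty points, known device": Request("loyalty_redeem"),
        "loyalty points, new device": Request("loyalty_redeem", known_device=False),
        "credit application": Request("credit_application"),
        "EUR 12 coffee, 2 small payments since SCA": Request(
            "payment", amount_eur=12.0, amount_since_last_sca_eur=50.0, txns_since_last_sca=2),
        "EUR 12 but cumulative limit reached": Request(
            "payment", amount_eur=12.0, amount_since_last_sca_eur=95.0, txns_since_last_sca=2),
        "EUR 800 to new payee, new device": Request(
            "payment", amount_eur=800.0, known_device=False, new_payee=True),
    }
    for label, req in cases.items():
        print(f"{label:45} -> {required_auth(req).name}")
```

Keeping the exemption check separate from the score makes the regulatory rule auditable on its own, while the score is where device binding, behavioural signals or the 3DS data elements mentioned later in the report would be plugged in to push more low-risk requests into the frictionless path.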

With smart and innovative ways available to apply strong and secure authentication, while also delivering an excellent user experience, organisations have no excuse for sacrificing either in the digital world. The most successful companies will make use of an evermore connected world and the proliferation of digital data points to discreetly check the identity of their customers, authenticate them and smooth the way for a seamless experience, enhancing both resilience and their brand equity.

Commercial feature

Who owns security?

Security is not just the responsibility of the security team. Joan Pepin, chief security officer at Auth0, explains how different areas of an organisation should be playing their part

Unless a culture has been built to the contrary, the default attitude of employees in most companies is there's a department called security and anything related to security is that department's job. To make matters worse, it’s often accompanied by a perception that security impedes innovation and holds people back from doing their job. Hackers can easily take advantage of weaknesses that stem from these attitudes. Building an effective security culture requires specific efforts from numerous parts of the business.

Digital transformation

There are tremendous opportunities to improve enterprise security when moving from traditional deployments to more cloud-based deployments. The major cloud providers, including Amazon Web Services, Microsoft Azure and Google Cloud, make available some powerful and robust tools to secure any workloads moving to the cloud. It’s crucial the teams responsible for building digital transformation programmes think about security from the beginning, understanding where these tools fit into the design of new products and how they can leverage the full breadth of security automation made available by their respective cloud provider. Security can be drastically improved as part of digital transformation, but only if they take advantage of that opportunity.

Product development

It falls to the product development team to focus on securing the company’s products and customers. If this team doesn’t take the foundational steps to build security into software, it will be much harder, slower and more expensive to build in later. From the very beginning of writing a piece of software, they should work with security to understand the requirements and best practices. Even in the very first iterations, they must take into consideration the software's threat model and implement the controls necessary to mitigate those threats. This might feel slow at first, but it will produce much higher velocity in the long run because there will not be nearly as much rework and depth needed if the hooks are already built into the software’s foundation.


DevOps

It goes without saying that all employees should be encouraged to keep the possibility of cybersecurity threats in mind constantly when going about their work, but this is particularly the case for those with sensitive and privileged access. It means DevOps teams must be extra aware of how they could be exposing their organisation to a potential breach of cybersecurity. It’s crucial DevOps professionals always ask themselves: could a security flaw or vulnerability be the root cause of any issue that presents itself? Misconfigurations or malfunctions will often occur down the road, for example when application developers have sacrificed security for the sake of speed.

Risk

Cybersecurity quickly becomes a business risk if it goes wrong, so it's crucial it is viewed as that from the start by both risk teams and board-level directors. While this attitude is being increasingly adopted, it has not yet fully matured. Many boards that were not discussing cybersecurity risk a couple of years, or even a couple of quarters, ago are now doing so, but it's not yet a fluid conversation. This cuts both ways: boards may not yet be completely fluent in this area, asking the right questions and making the right assumptions, but security teams are also not necessarily accustomed to that kind of high-level visibility. Therefore, risk teams should work closely with security to help them communicate the core business risk posed by these threats in the most effective way.

IT

The IT department should work hand in hand with security to ensure the suite of products presented for use by employees is set up safely with secure defaults. Security professionals rely on their IT colleagues to help educate employees on the proper usage of workplace tools. IT teams also require the tools to assist in the remediation of any incidents, whether it’s an employee experiencing malware on their laptop or a breach of the corporate systems. They should support the security team in the event of an incident, as well as help lay down secure foundations in the way software is configured, how employees are trained to use it and the connectivity between different applications.

Security

While there are specific departmental contributions, a baseline behaviour is required among all employees if an effective security culture is to be achieved. To establish that baseline, it’s vital the security team can create a threat model of the entire organisation with a clear vision and plan to communicate to all stakeholders the threats they face and what controls are being put in place to mitigate them. The security team is the only part of the business who can see the whole picture, so to create a widespread security mindset they need to orchestrate a holistic strategy whereby every person is aware of the security and privacy implications involved in their activities. Only they can provide this guidance in a way that all functions and departments can consume and make use of.

The cost of credential stuffing

As organisations face attacks compromising user accounts with stolen credentials, with growing frequency and sophistication, why must businesses prioritise protecting against credential stuffing?

[Infographic: Credential stuffing is a threat across industries, and attacks continue to proliferate. Charts: worldwide share of credential stuffing login attempts; percentage of data breaches that expose a particular data type (email addresses and passwords are the most valuable for use in credential stuffing attacks); for organisations who do not protect against credential stuffing, the results can be costly.]

Connecting the dots

Customers want frictionless online journeys, but how can businesses balance the user experience with security needs?

In recent months, ecommerce and banking sites have been stress tested like never before. Millions of people have been searching for and purchasing items they may previously have bought on the high street or from rival firms. 

Meanwhile, banks have had to field an unprecedented number of inquiries about mortgage payment holidays, loans and overdrafts. So how can companies ensure they win and retain customers at this difficult time?


For starters they should offer a frictionless online journey. “In terms of friction, we would always advocate providing an experience with as little friction as possible,” says Hugh Fletcher, global head of consultancy and innovation at Wunderman Thompson Commerce. 

“This may sound obvious, but there has been talk in the marketing and customer experience community about deliberately creating moments of friction. However, we are yet to encounter a consumer who wants their experience to be more complicated.”

Friction-filled customer journeys are a major driver of lost customers. As Scott Turton, UK lead of digital customer experience at Capgemini, says: “We all expect instant fulfilment and many of us will abandon a journey when faced with a form that’s tough to fill, slow load times or a submit button that’s hard to find.”

Research by payments solutions provider Checkout.com shows more than a third (38 per cent) of shoppers aged between 16 and 29 blame the brand if their website has slow processing. Moreover, almost half those surveyed in that age group say they would not return to a brand if the payment process was too slow.

“Ultimately, a poor user experience, or not being able to pay with your chosen method of payment, could result in customers dropping off right at the last step and no business wants that,” says Tracy Meng, Checkout.com’s vice president for commercial partnerships.

Online shopping journeys are getting shorter and shorter too. “Within just a few short clicks, a shopper can go from browsing images on Instagram, to viewing a targeted advert for a product and then purchasing that product,” says Donald Chesnut, chief experience officer at Mastercard. 

“Anything that interrupts these journeys, such as keying in card numbers, is increasingly not tolerated by shoppers. However, at the same time, it’s crucial security is built into the process and shoppers are crystal clear when they are about to make the payment so they can be confident they do want to make the purchase.”

Risk losing customers

Businesses that fail to implement robust security procedures are not only at risk of fraud, they’re also at risk of losing legitimate customers. Because of the way payment gateways operate, rules triggered by ecommerce platforms, for example transaction velocity, and imperfections in some retailers’ fraud reviews, 10 per cent or more of orders are declined in the authorisation and fraud-review stages, says Ed Whitehead, managing director, Europe, Middle East and Africa, at Signifyd. “Unfortunately, some of those orders were in fact placed by legitimate customers.”

Machine learning can help address this issue by analysing millions of pieces of historical and real-time data in milliseconds. “By connecting data on customer behaviour, credit history and dozens of other factors, the organisation can gain a better understanding of the customer journey and proactively protect customers from fraudsters, while finding new ways to align services and products suitable for the customer based on their behaviours,” says Tiffany Carpenter, head of customer intelligence at SAS, UK and Ireland.

[Chart: Many businesses aren't striking the balance between security and CX: most important goals for retailers]

EMV 3-D Secure (3DS), an authentication protocol governed by the card networks, is also coming to the forefront, says Daniel Cohen, head of anti-fraud products and strategy at RSA Security. “Merchants leveraging the 3DS ecosystem may pass hundreds of data elements to the issuer to assist in the authentication and authorisation of the transactions and in this way reduce friction levels significantly,” he explains.

In addition, it’s important businesses bring customer-facing and IT people together to design customer journeys that are both frictionless and secure, regardless of what channel the customer happens to be using. 

“While people who work in customer-facing roles know exactly what it takes to make great user experience a reality, IT needs to be involved, to ensure any new solutions and processes meet compliance, security and quality standards,” says Richard Billington, chief technology officer at Netcall. 

“Through breaking down departmental silos, and empowering customer service, marketing and IT teams to work together, businesses can achieve the right balance of user experience and security.”