Michael J. Del Giudice
Principal, Consulting, Crowe LLP
Viewpoints from Crowe
In recent years, the understanding of the most critical criterion for a secure password has shifted from the complexity of the password to its length, as in passphrases. However, weak passwords continue to be a target of attackers and a common vulnerability in attacks.
The criticality of password security, specifically the use of multi-factor authentication (MFA), has become more of a focus as organizations have supported a more robust remote working capability during the pandemic. Additionally, insurance companies have started demanding that organizations have MFA as a requirement of cybersecurity coverage. Most organizations focus on MFA through smartphone notifications or one-time passcodes (OTP).
Adoption of security controls is always more successful when the impact on users is minimized. Lower-friction authentication solutions help achieve this goal of increasing security without increasing complexity. Innovations in authentication security will continue to push the boundaries of secure authentication, further reducing friction without sacrificing security.
In addition, these innovations will help with the success of zero-trust infrastructures. Organizations leveraging behavioral biometrics report fewer breaches. Leveraging frictionless solutions will help seamlessly authenticate a user when accessing organizational resources, establishing trust at the time resources are being requested.
The frequency and impact of data security incidents will continue to grow until organizations adopt more advanced security controls. Innovation within authentication solutions will be imperative to support future security programs that are resilient in the face of ever-evolving threats.
Technology innovation is a “silent killer” for information security. Quantum computing presents one of the most daunting threats, as the race for more processing power can quickly render today’s best practices obsolete. While the urgency for addressing risks to perishable data or data that will change frequently, such as passwords, may not be as significant, data that does not have a shelf life presents imminent risk. For example, personal information such as social security numbers or healthcare information does not change over time, meaning data secured with today’s acceptable encryption standards could be exposed as technology capabilities improve. Attackers are aware of this, creating a threat called store-now, decrypt-later (SNDL), where attackers harvest encrypted data with the intention of holding it until technology allows them to decrypt the data.
The only way to protect against these future threats is to begin considering advanced encryption and security controls now. The National Institute of Standards and Technology (NIST) has recognized the threat and recently drafted the Post-Quantum Cryptographic Standardization, including new encryption standards. While the standards are being finalized, organizations should start evaluating the risk, considering their data and how long it will hold value. Data that will be relevant for any length of time, such as personally identifiable information, trade secrets, or intellectual property, should be secured using standards that are designed to protect against the threat quantum computing presents. The only way to protect against tomorrow’s information security threats is to implement stronger encryption controls today.