The data breach epidemic isn’t slowing down. And, despite this kind of threat being present for decades, many organizations still don’t have a great handle on how to prevent it, even though authentication methods, including the use of passwords, are one of the root causes of breaches.
In fact, the Verizon 2022 Data Breach Investigations Report found that 82 percent of breaches could be traced back to the human element of cybersecurity – chief among these are stolen credentials and phishing attacks. So, if the problem is threat actors gaining unauthorized access to data, why are organizations not using stronger authentication approaches to prevent cybercrimes? In my mind, there are three main reasons why organizations have been slow to adopt new authentication methods – along with solutions to these challenges:
1: Executives are resistant to change
This is an overarching theme when adding new technology is brought up. Sometimes it’s hard for executives at organizations to change how things have always been done, which prevents them from acting before a breach occurs. Many organizations have also adopted the mindset that “if it’s worked for this long, don’t fix what’s not broken.”
To overcome this challenge, the answer is — don’t change, at least foundationally. Many large organizations currently have at least three identity and access management (IAM) systems in place, and hundreds of applications. Adding yet another layer to their technology stack for managing authentication only increases perceived complexity for security teams. In fact, a recent survey found that 70 percent of IT professionals are overwhelmed by the complexity of their authentication systems — so it’s understandable that they would be hesitant to add another system.
Instead of ripping and replacing these existing IAM systems, which are delivering value in many ways beyond the scope of authentication, organizations can supplement them with a toolset that enhances their built-in capabilities — many of which often have critical flaws like not providing phishing resistance. Certificate-based authentication (CBA) is an example of technology that can fortify existing investments and deliver advanced authentication — which can not only enhance authentication within one system but can also span multiple IAM systems to help organizations take a more-holistic, systematic approach to authentication.
2: Organizational efficiency will be adversely impacted
There is often a tendency to over-index on a solution to a problem, particularly when the stakes are high. In the realm of cybersecurity, that can manifest in the form of a set of processes that are not altogether friendly to the workforce. Put in too many complex steps to access what a user needs, and productivity can diminish. Moreover, studies have shown that employees will find “workarounds” if enterprise security is too complex, which leaves organizations extra vulnerable.
While it’s true that security is complex, it doesn’t have to be a roadblock. New, modern methods, such as passwordless authentication, are meant to make it easier for users (and IT teams) to do their jobs. Not only does a passwordless solution eliminate the reliance on passwords, which are easy to compromise, but it also pragmatically eliminates user friction — a win-win for all. This should be a type of change executives can get behind — security solutions that not only better protect organizations, but also ease the burden of IT teams and employees alike. That’s why two-thirds of organizations plan to implement a passwordless solution in the next 24 months, according to a recent study from IDG.
3: Upgrading is too costly
The perceived price tag of a stronger authentication method might make executives balk, but recent advances have added more options without hardware cost. For example, there are now enhanced security modules built without charge into Windows 11 — a Trusted Platform Module (TPM) — and into iPhone, iPad and Mac — the Secure Enclave. These additional options maximize the security team’s ability to increase authentication security across the board while reserving strong hardware-based authenticators such as PIV cards and USB Keys (such as YubiKey) for key executives and departments that need the top level of security.
Further, upgrade costs, if any, should be balanced with the downside costs of a breach or an operational disruption. IBM Security reports that the average cost of a data breach in the U.S. is nearly $10 million — the highest in the world. Additionally, that same report states that 83 percent of companies surveyed had experienced a breach more than once. It makes upgrading authentication methods seem much less expensive when viewed through this lens.
Technology purchase decisions are more often evaluated within a narrower field of focus, however. A purchase must stand on its own and deliver a return on investment that is clear and quantifiable. Advanced forms of authentication, particularly cloud-based platforms that integrate authentication approaches into a single, integrated solution, check these boxes. With a single pane of glass across all authentication practices and credentials, for instance, organizations can lower overall costs versus a siloed approach that requires unique processes and oversight. They also can drive savings with improved rollout and usage tracking of phishing-resistant credentials, and the burden on the help desk can also be lowered for common requirements like password resets when you’re doing so in a unified fashion. The result is not only a smaller window of risk exposure, but also material savings that offset — often within a few months — the initial cost of the investment plus better user acceptance.
Moving to stronger authentication methods does not have to happen completely overnight. To get started, organizations should look to implement authentication technology solutions on the market that address these three barriers to upgrading authentication — and can be done relatively quickly to avoid a data breach, such as modern passwordless authentication. Also, with the right authentication technology solution each end user group can be matched to the right authentication level (from built-in to the hardware to external authenticators) and rolled out in sequence. This enables the security team to perform the upgrade in manageable phases.
Security leaders can never be too careful when it comes to protecting sensitive data — so addressing one of the main root causes of the data breach problem — authentication — will significantly increase an organization’s cybersecurity posture now and in the long run while simultaneously lowering costs.