Authentication: Cybersecurity’s First Line of Defense

A network’s first line of cyber defense is not the firewall. It’s not data encryption. And it’s certainly not an artificial intelligence (AI) program scanning the network for abnormalities.

Cybersecurity’s first line of defense is user authentication.

  • A step that 100% of all enterprise software, networks and computers require
  • A step that 84% of employees and corporate networks do very poorly
  • A step that 93% of hackers admit is a barrier to their attacks

Without securing authentication, you allow hackers to steal your intellectual property, steal your money and steal your customers’ personal information. The laws declare that you, the business owner, are liable for all data breaches. According to the latest Ponemon Institute and IBM Security “2019 Cost of Data Breaches Report,” the global average cost of a data breach is $3.92 million ($3,920,000) per incident. The United States is the highest of all countries at $8.19 million and healthcare at $6.45 million per incident.

I’m emphasizing per incident because, according to the CyberEdge Group’s “2020 Cyberthreat Defense Report,” 45.5% of the people they surveyed believe they will be compromised one to five times per year. That could result in a company’s total cost of $19.6 million, or bankruptcy.

So, here are three questions you need to ask yourself:

  1. Even if these costs are off by as much as 50%, can I still afford a data breach?
  2. If the first line of defense and the most significant barrier to hackers is authentication, why is authentication the most ignored defense?
  3. Why does the media attack passwords instead of exposing cybersecurity’s real weakness?

Before I can start to address these issues (and more), I need to take a step back to explain how we got here in the first place. It’s not the computer. It’s the internet.

The internet is not secure

The original internet designers never imagined commerce, SaaS, or “working from home” remote transactions over their invention. In 1969, the first closed node-to-node computer connection was made for government scientists and researchers to share information. Since then, internet interconnections have created new opportunities and security worries for companies, agencies, IT and customers. In January 2019, the estimated number of active internet users reached 4.4 billion (that’s 57% of the world’s population).

Network security does not stay viable for many years. Over time, new hardware and software components are added. Older components get patches. And a single change made to one part might not be backward compatible with another part. All these patches and updates create even bigger problems. A disjointed company computer network will quickly inundate even the best IT administrator. When IT is no longer in control of your system, it’s no longer a question of if your network gets hacked, but rather when, and how long it will take before discovery. It’s this complexity that makes both IT and executives think moving to the cloud will solve all their problems.

IT administrators are placing their security hopes on technology. While technology plays an important role, this philosophy ignores cybersecurity’s real threats and risks. For example, moving your data to the cloud isn’t always the right answer. And in some cases, it’s a dangerous one. Did you know that some of the biggest cloud service providers claim that once you upload or input your data into their servers, they now own your data? The typical user agreement, which we all accept without thoroughly reading, states that you acknowledge and give the provider permission to index all your data, analyze trends, sell their analysis to whoever they want, and profit from your information. I only mention this because hackers can also use the same hooks to access and analyze your data.

Too many IT security administrators believe that AI and machine learning will improve security. That’s a bad play if they don’t have full control over what the AI programs are doing with your company’s data. Administrators must also trust that the AI programs are bug-free and that no nefarious foreign programmers inserted any backdoors. Given the history of software, internet, and cloud providers, I wouldn’t put a lot of trust in how they will use their AI programs to disseminate and sell more of your data.

Finally, the drive to kill passwords and adopt biometric authentication ignores password strengths while dismissing biometrics’ weaknesses. For instance, passwords can be changed as frequently as desired. You can’t do that with biometrics. Ever try to replace your eye? There are also far more unique passwords than there are private keys. These and other topics will be addressed in far more detail throughout this series of articles.

Cybersecurity isn’t simple

Cybersecurity is a very complex topic. So much so that general IT managers may lack the many skillsets and tools needed to offer enough protection. Today, a good network security audit requires highly trained specialists. And even then, they might not correctly evaluate all possible vulnerabilities.

In this series of articles, I’m going to focus on two essential cybersecurity aspects:

  1. Help business and agency executives make informed decisions about where to make security investments.
  2. Highlight the most ignored aspect of cybersecurity: employee-managed authentication.

Over the next 12 weeks, I invite you to join me as I do a virtual autopsy on authentication, passwords, encryption, multi-factor authentication, digital certificates, biometrics and the ROI of cybersecurity, without all the techno-geek speak. Well, there might be a little. After you have finished this series, you will understand why it’s crucial to lock the virtual front door.

Dovell Bonnett has been creating computer security solutions for over 25 years. He passionately believes that technology should work for humans, and not the other way around. This passion led him to create innovative solutions that protect businesses from cyber-attacks, free individual computer users from cumbersome security policies, and put IT administrators back in control of their networks. He solves business security needs by incorporating multiple applications onto single credentials for contact or contactless smartcards. In 2005, he founded Access Smart LLC to provide logical access control solutions. His premier product, Power LogOn, combines Multi-Factor Authentication and Enterprise Password Management on a government-issued ID badge (CAC, PIV, PIV-I, CIV, etc.).

Rajiv Das

Great article. Authentication for small, medium and large enterprises needs to be built on a solid baseline and foundation. There is great opportunity in the industry. Thanks for sharing your thoughts.