Watch any sci-fi program and you’ll see people routinely enter spaceships, high-security zones and cyber infrastructures with the blink of a retina or the press of a palm. Are we moving toward a time in which passwords have expired once and for all and biometrics rule?
Not so fast, says Mike Benz, Vice President of Information Technology at Kraus-Anderson.
“If you told an auditor that we were doing away with passwords, they’d say we’re headed for trouble,” says Benz. Instead, “most companies have already augmented passwords with an additional layer of verification.”
Benz was one of five top Minnesota IT leaders who took the stage for the Predictions Panel during the Secure CISO seminar March 8, 2018 at the Radisson Blu Hotel in Minneapolis, forecasting advances in cloud, mobile, applications, and cyber security.
The by-invitation only Secure CISO conference included over 150 of Minnesota’s brightest cyber security minds, including Chief Information Security Officers from giants Mayo Clinic, Ameriprise and UnitedHealth Group; all collaborating the mitigate the existential threats to information technology. Benz fills us in on some of the thinking behind his forecast.
Q: What was your prediction for the panel?
MIKE BENZ: My prediction to the group was that passwords will soon become obsolete as the primary way of validating our identity. In the very near future, all personal and business application passwords will be augmented with some second factor of authentication, to prove that the person signing on is really who they claim they are.
Q: What kind of second factor authentication do you foresee?
MIKE BENZ: The additional technology will be a biometric such as the pace of your keystrokes, voiceprint, retinal scan, or fingerprint; or it could be tied to a changing login code on your iPhone, an ID badge or another accessory.
Q: Why is this additional layer of security necessary?
MIKE BENZ: Human nature. Passwords are very easily shared, either accidentally or intentionally, and people still don’t realize the risk exposure. Many employees willingly share their passwords with others, write them on a piece of paper beside their computer, or stick them to the bottom of their keyboard. You can buy password “vaults” that are no more than a paper address book. Many people use the same password for business and personal accounts, resulting in one key that unlocks dozens of doors. This laxity exposes companies and individuals, to all manner of risk, from unauthorized access to emails, bank accounts, and competitive pricing secrets; to identity theft. Most people don’t like the inconvenience of passwords, but don’t stop to consider the enormous inconvenience of having their bank accounts wiped out, their identity stolen, or their company bankrupted due to a major cyber breach.
Q: Are there any drawbacks to multi-factor authentication?
MIKE BENZ: The trick is to balance security with convenience. The most convenient approach is to allow everyone full access to all information, without any gatekeepers or filters; and the most secure setup is to block everyone from accessing anything. However, the most practical solution is a low-friction hybrid; for example a new protocol that may take 10 seconds more to log in, but will reduce the risk of impersonation from 1-in-100 to 1-in 10,000. Nothing is absolutely bullet proof, but it is our responsibility to reduce that risk to an acceptable level.
Q: What industries are leading the charge in moving beyond simple passwords to multi-factor authentication? Who are the holdouts and why?
MIKE BENZ: Most banks, hospitals, and retailers have added a second factor of authentication long ago, because it was mandated by security compliance standards such as GLBA, HIPAA, or PCI. Conversely, the industries that have been slower to adopt are those that aren’t bound by compliance mandates.
Q: Where does Construction fall in that spectrum?
MIKE BENZ: Many construction companies are privately held and are not typically governed by compliance mandates. They have been slower to adopt increased security measures. I often hear that we don’t have information that would make us a target for thieves. Although, we’ve all heard of ransomware, where thieves lockup your systems until you pay a hefty ransom. What would happen if our computers were locked up for a week or if everything were erased? I contend that we’re not so much in the construction business, as we are in the communication, information, and risk management business. We coordinate all the subcontractors who build the buildings, the architects, and the owners. And if we lose our ability to communicate, what value do we offer to our marketplace? If we can’t effectively coordinate the concrete sub with the excavator, perhaps someone else will.
Q: What was closing your message to individuals and organizations at the Secure CISO event?
MIKE BENZ: Passwords were adequate when computers were housed onsite and didn’t connect to anyone outside the building. Now, every company, computer, and mobile device is networked to the rest of the world. Passwords give us a false sense of security. If we value our identity and our ability to communicate, every person and organization needs to adopt more effective authentication strategies.