12/16/2014
In evaluating current levels of company security and mitigating the potential risks of a data security breach, there are important questions that IT professionals must consider.
1. Do your employees access corporate resources with a password authentication method?
If you answered “yes” to this question, your company and your user credentials are a prime target for attackers: a password is a reusable shared secret, so it can be phished, guessed, reused from another site’s breach, or stolen from the server that stores it. Forward-thinking organizations that want to protect business data and their reputations, and to avoid disastrous security breaches, must rethink traditional authentication and deploy better approaches.
Continuing to rely on passwords and other reusable secrets for authentication invites a number of well-known risks, and cybercriminals already have a wide variety of attack methods that exploit them. Explore alternatives to traditional, single-factor authentication: at minimum, require a second factor, and where possible replace the password altogether with public key cryptography that is built for the future of data security.
2. Is your admin access to your server protected by a password authentication method?
If you answered “yes” to this question, see our advice in #1 above. Administrative accounts deserve the fix first: a compromised admin password on a server exposes every account and every data set that server holds.
3. Are your authentication methods compliant with regulatory or industry requirements for data security, such as PCI DSS or HIPAA, or aligned with authentication standards such as FIDO?
If you are not using two-factor authentication to protect business data, as an added protection for account logins, then you are not offering an appropriate level of security to protect your user accounts, customer data, and confidential business information. And, if your company routinely handles customer payment data or is involved in sectors like healthcare and banking or finance, then you could face fines, penalties, or other damages for failure to comply with legal requirements and industry regulations.
Also, your company may have already implemented two-factor authentication and may be actively using it, but if you are only using it to protect particular resources or systems, or only for administrative access or for certain users, then you may still be non-compliant, and the accounts left out remain an easy way in for attackers.
In the infamous Target Corporation breach, two-factor authentication had been implemented only for employees with direct access to confidential information. It had not been extended to vendor access to the company’s network, even though the then newly issued PCI Data Security Standard (PCI DSS) required it for all remote access originating from outside the company network, including access by third parties. Attackers used stolen vendor credentials to get in through that gap, and it offered a tough lesson on the need for comprehensive implementation of two-factor authentication.
4. Are you using two-factor authentication as an added layer of security?
As we have already explored, two-factor authentication is not only a fundamental step that is required to address password vulnerabilities and prevent cyberattacks, but it is fast becoming a data security requirement for companies that handle payment data, health information, or otherwise have a vital interest to protect business data and customer data.
Even if your company does not face any specific compliance or regulatory requirement for two-factor authentication, protecting business data and your brand is simply good business. With an overwhelming number of cybersecurity threats facing businesses and customers, relying solely on traditional ID and password combinations for login security is an obsolete and extremely dangerous strategy.
To avoid becoming the next headline news about a data security breach, companies must innovate and step into the future with their user authentication. Adding two-factor authentication to enhance or replace your existing login and authentication process is critical to adapting and surviving in a marketplace where businesses must rely increasingly on the cloud and on the sharing of data and information through the Internet and through web and mobile technologies.
5. What type of two-factor authentication method are you using, and is it truly safe?
Even if you are already using two-factor authentication to protect business data and your user logins, you may be using a solution and technology that is outdated and vulnerable to cyberattacks. Man-in-the-middle attacks and SIM card cloning have already been used to bypass two-factor authentication in high-profile data breaches, including one case involving online banking services provided by Swiss banks and other financial institutions in Europe.
These attacks capitalize on outdated methods and infrastructure: the continued use of a password as the first factor, and the requirement that users receive one-time codes (OTCs) or one-time passwords (OTPs) on their mobile device and then type them into the same login interface as the ID and password.
This means the password is still in play and can be phished, intercepted in transit, or recovered from a compromised authentication server, which makes that server an obvious target. And because the one-time code is typed into the same login form, an attacker who sits between the user and the real site (a proxying phishing page, for example) can capture the code as it is entered and forward it to the real server while it is still valid. The code proves that the user has the phone, but nothing ties it to the site the user believes they are logging into.
To remove both the incentive and the means for attackers to target your company through your user logins, choose a two-factor authentication solution that takes passwords out of the login process altogether: one that transmits no reusable credential during login and stores no secret on the authentication server that could be used to impersonate a user.
With public key cryptography, the login needs only a non-confidential user ID; the second factor is a key pair held in a simple mobile app, and the standard way to use it is for the app to prove possession of the private key by signing a one-time challenge from the server. No password is used, no secret is entered through the login form or transmitted between devices and servers, and the server stores only public keys, which are useless to an attacker who wants to log in as someone else.
With no shared secret to steal from the server or to intercept on the wire, attackers lose the credential-theft route entirely. What remains to protect is the private key on the user’s device, which is exactly the kind of asset that a second factor is meant to be: something the user has, not something the user knows and can be tricked into typing.
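The two login flows contrasted in this section, as an added example that is not SecSign’s code and does not describe SecSign’s protocol: a simulated password-plus-OTP server that a phishing proxy can relay through, and a passwordless challenge-response flow in which the server stores only an Ed25519 public key and the app signs a single-use nonce bound to the origin it is connected to. The victim password “hunter2”, the user “alice”, the origins login.example.com and login.example.com.evil.test, and the origin-binding scheme itself are assumptions made for this example; Ed25519 stands in for whatever public key algorithm a vendor might choose.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Part 1: password plus one-time code. The server holds a password hash and a
// short-lived code; nothing ties the code to the page the user typed it into, so
// a look-alike site can forward password and code within the code's lifetime.
type otpServer struct {
	passwordHash [32]byte
	code         string
	expiry       time.Time
}

func (s *otpServer) beginLogin(password string, now time.Time) (string, error) {
	if sha256.Sum256([]byte(password)) != s.passwordHash {
		return "", fmt.Errorf("bad password")
	}
	var b [4]byte
	rand.Read(b[:])
	s.code = fmt.Sprintf("%06d", binary.BigEndian.Uint32(b[:])%1000000)
	s.expiry = now.Add(2 * time.Minute)
	return s.code, nil // stands in for the SMS the user receives
}

func (s *otpServer) finishLogin(code string, now time.Time) bool {
	ok := s.code != "" && code == s.code && now.Before(s.expiry)
	s.code = "" // single use
	return ok
}

// RelayOTPLogin plays the phishing proxy: the victim enters password, then code,
// on the attacker's page and the attacker forwards both. True = attacker logged in.
func RelayOTPLogin() bool {
	s := &otpServer{passwordHash: sha256.Sum256([]byte("hunter2"))} // constructed victim password
	now := time.Now()
	code, err := s.beginLogin("hunter2", now)
	return err == nil && s.finishLogin(code, now.Add(10*time.Second))
}

// Part 2: passwordless challenge-response. The server keeps one public key per user
// and a single-use nonce per login; the device signs sha256(origin||nonce) with a
// private key that never leaves it. (A real server would also expire stale nonces.)
type pkServer struct {
	origin     string                       // this server's own identity (assumed)
	pubKeys    map[string]ed25519.PublicKey // nothing secret is stored here
	challenges map[string][]byte            // user ID -> pending nonce
}

func toBeSigned(origin string, nonce []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"\x00"), nonce...))
	return h[:]
}

func (s *pkServer) issueChallenge(userID string) []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce)
	s.challenges[userID] = nonce
	return nonce
}

// verify consumes the pending nonce (single use) and checks the signature against
// the server's own origin, not whatever origin the device happened to talk to.
func (s *pkServer) verify(userID string, sig []byte) bool {
	nonce, pending := s.challenges[userID]
	delete(s.challenges, userID)
	pub, enrolled := s.pubKeys[userID]
	return pending && enrolled && ed25519.Verify(pub, toBeSigned(s.origin, nonce), sig)
}

// deviceSign is the app side: it signs under the origin it is actually connected to.
func deviceSign(priv ed25519.PrivateKey, connectedOrigin string, nonce []byte) []byte {
	return ed25519.Sign(priv, toBeSigned(connectedOrigin, nonce))
}

// PKLoginOutcomes runs three logins for one enrolled user: direct (app talks to the
// real origin), relayed (phishing site forwards the nonce, so the app signs under
// the phishing origin) and replayed (a captured valid signature presented again).
func PKLoginOutcomes() (direct, relayed, replayed bool) {
	const realOrigin, fakeOrigin = "https://login.example.com", "https://login.example.com.evil.test" // assumed
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	s := &pkServer{origin: realOrigin, pubKeys: map[string]ed25519.PublicKey{"alice": pub}, challenges: map[string][]byte{}}
	sig := deviceSign(priv, realOrigin, s.issueChallenge("alice"))
	direct = s.verify("alice", sig)
	relayed = s.verify("alice", deviceSign(priv, fakeOrigin, s.issueChallenge("alice")))
	replayed = s.verify("alice", sig) // the nonce it answers was already consumed
	return direct, relayed, replayed
}

func main() {
	d, r, p := PKLoginOutcomes()
	fmt.Println("OTP relay accepted:", RelayOTPLogin(), "| public-key direct/relayed/replayed:", d, r, p)
}
```

Run it and the OTP relay is accepted while only the direct public-key login succeeds. The difference is not the key length but what the signed message commits to: the nonce alone would still be relayable, so the origin the app is connected to is folded into the message and the server verifies against its own origin, which is what makes a proxied login fail.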
6. Have you integrated two-factor authentication for all of your company user accounts, websites, networks, servers, and systems?
With new two-factor authentication technologies, usability and convenience are no longer an obstacle to user adoption and compliance. Solutions like software push authentication, using public key cryptography and mobile apps, enable fast and easy logins with next-generation security and powerful protection for your user accounts and business data. Users can log into secured services and authenticate in a few seconds, meaning that you can extend the highest levels of security beyond the administrative level to all users who access your company data.
Moreover, with the simplicity and security of mobile authentication and advanced cryptography, two-factor authentication can be integrated with all of your company user accounts, websites, networks, servers, and systems.
With simple plugins from an expert vendor, you can deploy two-factor authentication using public key infrastructure (PKI) in the cloud, or you can install the same technology on your own servers as your own authentication service behind your firewall, with on-site administration and reporting capabilities. Whether you prefer a cloud deployment or an on-premises solution, you can bring the strongest available login security to your company and use it to protect all of your users, your business data, and your IT assets.
To find out more about public key cryptography and how this next-generation technology can protect your company, contact SecSign Technologies to request a free consultation.