Security has been and always will be important to humans. At the deepest level, all humans have an innate desire for security and protection, and this desire now extends to our digital footprint. According to the Dell Technologies Workplace Security Report, the No. 1 global barrier to digital transformation is data privacy and security concerns.
The first pin and lock security system originated in ancient Mesopotamia thousands of years ago. Ever since then, it has been a race and a continuous evolution for locks to stay one step ahead of the criminals trying to open them. For example, in the 1850s Alfred C. Hobbs used lock-picking tools to become the greatest security threat in all of England by picking “the detector,” a lock that was supposed to be “unpickable” and was honored as the lock of choice for all of England’s prisons and post offices. After determined diligence, he succeeded, further proving that there isn’t a safe or a vault made that a determined criminal can’t open, given enough time and the proper tools.
With security today, protection extends beyond physical treasures to those in the digital world – data. Now regarded as the most valuable resource in the world, data is worth more than gold and oil. Like the criminals of the past, cybercriminals today are ready to crack the “lock” and gain access to your data. Making your data security nearly impenetrable requires two things: strong encryption (the vault) and a cryptographically secure key.
Over the last decade, the largest evolution in the “key” has been the movement away from passwords alone. Weak and reused passwords are the least secure “keys.” In fact, a recent report from Dell Technologies found that despite employees understanding that passwords protect their business’ data, 62 percent of employees of all ages consider passwords to be an annoyance of the workplace. For that reason, security-minded users and IT practitioners now leverage other methods, including multifactor authentication and password managers. Password managers create strong, complex and unique passwords for each login a user requires and store those strong passwords in a secure repository. No more writing that password down on a sticky note!
Ease-of-use advancements have made authentication factors like security tokens more pervasive, and recent improvements in cost and complexity have given many biometrics a new life. Fingerprint and facial recognition are two great examples. Reduced cost and a desire for greater security have driven a high level of device adoption, and ease of use has driven user acceptance. Some security experts, including myself, were wary of the efficacy rate for many biometric factors, but advancements in sensor technology and the application of machine learning and artificial intelligence have strengthened the authentication algorithms. Personal electronics have become an integral part of our lives, and placing a fingerprint on the back of my phone and embracing facial recognition have completely changed my experience for the better. For me, going back to passwords alone would be like re-entering the dark ages.
An evolution also occurred around digital certificates or digital keys, which can be used to secure communication, verify identity and validate the source of authorized software. Digital certificates have been around for decades; however, deploying, provisioning and securing them has been difficult, which has made adoption challenging. Thankfully, modern key management systems and device provisioning tools have made digital keys more accessible, easier and more secure to deploy, and easier to embrace. In the years ahead, we will see digital certificate management tools evolve to include transfer of ownership and support for visibility into the chain of ownership and access.
Having a strong “key” is important, but we cannot forget that how you protect that key is just as important. In the physical world, we hide our keys in fake rocks or car wheel wells to provide ease of access while obfuscating the storage location. But in the digital world, we hide the keys in hardware, inaccessible to operating system (OS)-level software. Having hardware-level security combined with a strong access control system is essential to keep digital secrets secure. Endpoint security technology that roots its security below the OS helps ensure “keys” stay secure from cybercriminals.
Another concept to keep in mind while protecting your “key” is lock and verify. It’s great to lock up your house, but did you check if the door was truly locked before you walked away? What if there was a way to verify the door remained locked while you were gone…cool, right? We often employ the security principle of protect, detect and respond. In our house analogy, protecting is locking the house, detecting is verifying that the door is still locked, and responding is locking the door if you detect it did not lock as intended before you left. In the digital world, protecting with strong algorithms, detecting if there is any malicious activity or corruption and responding through remediation and forensics provide the cornerstones to a robust security solution.
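The protect, detect and respond cycle described above, written out as a file-integrity check. This is an added example and not code from the original post or from Dell: "protect" records a keyed hash (HMAC) of each file and keeps a protected copy, "detect" re-verifies the files against that baseline, and "respond" restores anything that drifted and sets aside anything unexpected. The files, the tampering and the baseline key are all constructed here so the script runs offline; in a real deployment the key would live in hardware-backed storage rather than next to the files it protects.

```python
"""Protect / detect / respond ("lock and verify") for a set of config files."""
import hashlib
import hmac
import shutil
import tempfile
from pathlib import Path

# Assumption: a real baseline key lives in hardware-backed storage (TPM or
# secure element), never beside the files it protects. Constructed demo value.
BASELINE_KEY = b"constructed-demo-key-not-for-real-use"


def file_tag(path: Path, key: bytes = BASELINE_KEY) -> str:
    """Keyed hash of a file's contents. A plain hash would let anyone who can
    edit the files also rewrite the baseline; the key prevents that."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def protect(root: Path, backup: Path) -> dict[str, str]:
    """Lock: record a tag for every file under root and keep a protected copy."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = str(p.relative_to(root))
            baseline[rel] = file_tag(p)
            dest = backup / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, dest)
    return baseline


def detect(root: Path, baseline: dict[str, str]) -> dict[str, str]:
    """Verify: return {relative_path: 'modified' | 'missing' | 'unexpected'}."""
    findings = {}
    seen = set()
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = str(p.relative_to(root))
            seen.add(rel)
            if rel not in baseline:
                findings[rel] = "unexpected"
            elif not hmac.compare_digest(file_tag(p), baseline[rel]):
                findings[rel] = "modified"
    for rel in baseline:
        if rel not in seen:
            findings[rel] = "missing"
    return findings


def respond(root: Path, backup: Path, quarantine: Path,
            findings: dict[str, str]) -> list[str]:
    """Re-lock: restore modified or missing files from the protected copy and
    move unexpected files out of the tree for later forensics."""
    actions = []
    for rel, status in findings.items():
        target = root / rel
        if status in ("modified", "missing"):
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(backup / rel, target)
            actions.append(f"restored {rel}")
        elif status == "unexpected":
            dest = quarantine / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            target.rename(dest)
            actions.append(f"quarantined {rel}")
    return actions


def demo() -> tuple[dict[str, str], list[str], dict[str, str]]:
    """Run one full cycle on constructed files; returns (findings, actions, recheck)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        backup = Path(tmp) / "protected"
        quarantine = Path(tmp) / "quarantine"
        root.mkdir()
        (root / "sshd_config").write_text("PermitRootLogin no\n")  # constructed
        (root / "hosts").write_text("127.0.0.1 localhost\n")        # constructed
        baseline = protect(root, backup)

        # Simulated drift: a weakened setting, a deleted file, an unknown file.
        (root / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "hosts").unlink()
        (root / "cron.d_unexpected").write_text("constructed unexpected file\n")

        findings = detect(root, baseline)
        actions = respond(root, backup, quarantine, findings)
        recheck = detect(root, baseline)   # should be clean after responding
        return findings, actions, recheck


if __name__ == "__main__":
    for part in demo():
        print(part)
```

The keyed hash is the detail worth noticing: with an unkeyed digest, an attacker who can alter the files can usually alter the stored baseline too, so the "door" would report itself locked regardless. The recheck at the end is the "verify the door is still locked" step from the house analogy.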
As you can see, the lock and key concept from history still applies today, but in order to stay one step ahead, you must be doing more to protect your data. Strong encryption and key management are essential elements to robust data security, but as an industry, we have moved away from a data encryption-only mindset. To adequately protect data, users must start with a secure, solid foundation in the form of a secure platform. Layered on the secure platform are additional measures to ensure a secure environment, such as encrypted communication, measured and attested code, and robust access control systems. Lastly, user education and advanced threat protection play an essential role to address the human factor.
We are playing a game of cat and mouse with cybercriminals and although we have yet to create the “unpickable” lock, physically or digitally, there are ways that organizations can stay ahead of attackers.
- Practice good password hygiene. Never use the same password twice, and leverage a password manager. An easy way to keep your password secure is to re-issue a new password on a regular basis. If you update your password regularly, a lost or stolen password will likely do less damage, because by the time a criminal is likely to use it, the lock has already changed.
- Use multifactor authentication and digital certificates. Augment your user authentication system to embrace biometrics and secure tokens. Protect your data using secure certificates and access verification.
- Educate your workforce. The weakest link in a company’s cybersecurity armor often isn’t its hardware or software, but its own employees. Cybercriminals will send employees socially engineered phishing emails, for example, to steal credentials, compromise information and gain access to the company at large. If employees are uneducated on how to identify these threats, they are leaving the door unlocked or, worse, opening it themselves. Deploying regular cybersecurity training for employees will help them more confidently navigate threats and keep company data secure.
- Never settle. Organizations should constantly reevaluate their security strategy to ensure it is up to date with the current cybersecurity landscape. They should also deploy an end-to-end security solution that protects devices both above and below the OS and communicates with other parts of the system to ensure all data is locked away. Make sure these tools are user-friendly and do not hinder a user’s productivity.
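The first recommendation above, strong and unique passwords from a password manager, in a small added example that is not code from the original post or from any password manager product: a CSPRNG-based generator, an entropy estimate so "strong" has a number attached, and a reuse check across accounts. The vault is a plain dictionary and the account names are constructed; a real manager encrypts the vault at rest.

```python
"""Password hygiene helpers: generate, measure and check for reuse."""
import math
import secrets
import string

# 94 printable ASCII characters (letters, digits, punctuation).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from a CSPRNG. `secrets`, not `random`:
    the latter is a seeded PRNG whose output can be reproduced."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).
    This only holds for generated passwords, not human-chosen ones."""
    return length * math.log2(alphabet_size)


def find_reuse(vault: dict[str, str]) -> dict[str, list[str]]:
    """Return {password: [accounts]} for every password used by more than
    one account, so a single leak cannot unlock several 'doors'."""
    by_password: dict[str, list[str]] = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


def build_vault(accounts: list[str], length: int = 20) -> dict[str, str]:
    """One fresh password per account; the manager, not the user, remembers them."""
    return {account: generate_password(length) for account in accounts}


if __name__ == "__main__":
    # Constructed account names; the reused value is deliberate for the demo.
    bad_vault = {"mail": "Spring2024!", "vpn": "Spring2024!", "wiki": "x9$kQ"}
    print("reused:", find_reuse(bad_vault))
    good_vault = build_vault(["mail", "vpn", "wiki"])
    print("reused after regeneration:", find_reuse(good_vault))
    print(f"entropy of a 20-char password: {entropy_bits(20):.1f} bits")
```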
Looking forward, I have no doubt we will see the digital “lock and key” continue to evolve but so will the tactics of the cybercriminals. No matter the evolution, security must be extremely easy to use and dare I say, fun, in order to make an impact. Things will be different in the future, but by applying existing security principles and lessons from history in a much more thoughtful way, we can stay one step ahead.