Identity Pearl Harbor
Numbers from the last 12 months are staggering. The Anthem Health Insurance data breach has impacted 80 million customers, and reports have it linked to corrupt credentials of privileged IT users. But that’s a drop in the bucket compared to the Russian hackers’ theft of 1.2 billion usernames and passwords across 420,000 sites.
These are just two of the more high-profile breaches. Some would think that they would be enough to push organizations to start doing more with identity. The thought has been that a single event might finally push the collective “us” over the edge and into battle – a metaphoric identity Pearl Harbor.
Sergio Galindo, general manager at network security developer GFI Software, wishes that were the case. His family’s data – including that of his children – was stolen in the Anthem breach.
Anthem has offered a year of identity theft protection, but he wants it for the rest of his children’s lives. “Their digital life is at risk forever,” he says.
Since the breach involved Social Security numbers, he fears his children will be battling fraudsters forever. “The Social Security number lasts forever and that’s how people will be impacted,” he explains.
Others aren’t as sure there will be one event that is the impetus for change. “Will it be death by 1,000 cuts?” asks Nigriny. “Or will it be some financial institution that loses a tremendous amount of money that makes everyone finally feel vulnerable?”
Consumers are already paying for these breaches; they just don’t know it yet, says Daniel Turissini, CTO at SolPass. In medical fraud alone, hundreds of billions of dollars are wasted. “It’s a ridiculous amount of money and some of it can be mitigated,” he adds. “Too many people think it’s an unsolvable problem and it’s not.”
Turissini fears that the data breaches over the past two years are being used to harvest data. “The actors are harvesting this information and piecing it together to attack something else,” he explains. “People are at the point where they think it’s inevitable.”
Even if an individual changes passwords every couple of months but ends up using the same one two years later, they are at risk, says Pamela Dingle, senior technical architect at Ping Identity. “People are being systematically logged and tracked and nothing that they have done in the past has evaporated,” she explains. “I don’t understand why people aren’t running to multi-factor authentication vendors to put another obstacle in the way.”
Still, Dingle says the great identity breach is not inevitable. “There won’t be an identity Pearl Harbor, but we need a Winston Churchill to realize we’re under a protracted siege and make some changes,” she says.
Catalysts for change
Part of the problem is that digital identity is daunting. In the corporate world, enterprises can force employees to comply with whatever authentication processes they deem necessary, says Jamie Cowper, senior director of business development and marketing at Nok Nok Labs. “In the consumer world the identity problem is a bit more complicated,” he says. “You can’t force customers to use them or they’ll go somewhere else where it’s easier to make a transaction.”
There are also issues with semantics. Some in the IT world don’t put identity under the cybersecurity umbrella, says Mary Ruddy, research director at the Gartner Group. “When people think cybersecurity they don’t think about identity,” she says. “But having strong authentication is a key piece of what needs to be done.”