Information technology has spread its wings across many facets of life, be it personal, social or professional. Businesses and institutions have become heavily dependent on the smooth functioning of information systems and the networks formed by connecting them with each other. Communication systems across the world, and even beyond the world, are also entirely dependent on information systems. Satellite communication cannot be imagined without leveraging modern IT systems. From launching a website on the internet to launching a satellite into space, IT systems are making things possible. This level of dependence on information systems and the networks that connect them also brings a huge responsibility to protect them from potential threats and destructive forces. Any breach in device or network security can give access to the precious data it holds. All device and network security efforts exist to safeguard data and keep communication channels intact.
Data: the most valuable resource
Once, big oil companies like Aramco, Exxon Mobil, Shell, British Petroleum, etc. were considered the driving force of the economy. Oil companies are no longer in a position to claim that title. The increasing inclination towards alternative energy and the rise of electric vehicles have reduced dependence on fossil fuel and made oil a less attractive commodity. Corporations that hold the most user data are now considered the most powerful. IT giants like Amazon, Alphabet (parent company of Google), Facebook, Microsoft and Apple have become the driving force of the modern economy on the basis of the amount of data they hold. Data has become what oil used to be.
As crude oil is taken through giant refineries to produce several products, data is refined in data centres, which results in several products, services, predictions and business forecasts. Intelligence extracted from this huge amount of data indicates how a current trend will affect a product, service or economy in the future. Intelligence gathered from data helps businesses scale production up or down by analysing demand and trends. It has a huge impact on how corporations plan their strategy in uncertain and volatile times.
Like crude exploration and mining, data mining also goes on day and night. Intelligent programs keep logging user activities and sending them to a remote server. Before the rise of smartphones, collection of user data was limited to PCs and portable computers that were connected to the internet. Now smartphones and tablets, unlike traditional computing devices, make use of many sensors like the fingerprint sensor, accelerometer, gyro sensor, proximity sensor, compass, barometer, heart rate sensor, SpO2 sensor, etc., which produce sensor data that is used by many apps and services. These devices are also equipped with receivers for radio navigation systems like GPS, GLONASS, BDS, GALILEO, etc., which can pinpoint user location on a map. Data generated by smartphones is far more valuable for corporations, as it consists of sensor and location data along with online activity data, which together provide a detailed picture of user activity.
How does data drive businesses and the economy?
Data from online activity, such as what people are doing online, what they are buying, what websites they are visiting, what they are searching for, on which browser, and on which device and OS, means a lot to corporations planning their strategy. Search for an item on Amazon in Google’s popular Chrome browser, and that item will start following you across online and in-app advertisements. This is a small example of how search engines use your searches. Intelligent programs are at work 24×7 to collect user data, and data centers are running day and night to make sense of it.
Activity data is not used only for commercial purposes like advertising or selling products. With the rise of AI and machine learning, data generated by devices and systems can also be used by the devices themselves to improve their abilities. For example, driving a car in traditional manual driving mode also generates data, which is perceived by the driver’s senses and processed by his/her brain to learn and improve driving skills. This data cannot be used by other drivers or vehicles, as there is no way to capture, share and leverage it. But when it comes to self-driving cars, data generated by car sensors capturing events taking place on the road can be shared and used by other self-driving vehicles to improve their driving performance, decide on better routes and save the vehicle from accidents.
Since it is evident that data is of crucial importance in any setup, it becomes vitally important that this data stays secure and that only authorized users have access to it. The importance of data makes it a target of destructive forces. Since data resides on IT systems, cybercriminals take advantage of vulnerabilities in networks and information systems to steal and misuse the data.
Rising numbers of data security incidents
The data-centric approach has given a new direction to the world economy; however, it has also raised concerns about data security. Earlier, when data was stored and managed on paper, data security efforts mostly consisted of physical security like walls, fences, guards, locks, etc. But now the threat from cyberspace has surpassed the level of severity that physical threats ever presented. Data security incidents are making the news more often than ever. These incidents are getting more and more complex, sophisticated, organized and severe. They do not honor the political or jurisdictional boundaries of any country and can be carried out from anywhere in the world. In data security incidents, prevention is the best cure because in most cases the damage done is irreversible. Once an incident takes place, it may take from days to months to restore operations, depending on the severity of the incident. The loss of profit due to ceased operations and the damage to brand reputation, however, are hard to restore.
Businesses do invest in network and information systems security to protect their business-critical data and information; however, information security is an ignored aspect in most organizations, and the security of data often lags behind the level of threats present at the time. This happens because cybercriminals keep looking for newer ways to breach data and network security and take advantage of known and unknown vulnerabilities in the system. The WannaCry ransomware attack in 2017 is a good example of how the IT departments of many businesses failed to apply a patch for a known vulnerability in the operating system, even though the OS vendor had already released the patch to fix it. Many businesses and institutions fell victim to this attack. The ransomware took advantage of a known vulnerability in the Microsoft Windows operating system. Microsoft had already released a patch to fix this vulnerability, but the IT departments of most organizations did not take it seriously and did not install the patch. This negligence resulted in a malware attack that encrypted the data of many systems and devices and demanded a ransom in exchange for the decryption key. Once any device was infected, the ransomware was able to infect other Windows devices on the same network. This multiplied the severity of the incident, and the situation got out of hand quickly. The incident paralyzed many organizations for several days.
Are passwords as secure as they used to be?
In today’s information security scenario, leaving network and device security entirely to passwords can be a precarious choice. Even if a current setup has been doing well so far on password-based security, it is high time to re-evaluate the choices made to implement network and PC security. The increasing number of information security incidents is more than enough to prove that the password-based approach is not as secure as it used to be. With password-based security, computers recognize passwords and not the user. Passwords are just a set of letters and/or numbers, which can be shared, guessed and even stolen. IT systems will treat an unauthorized user as an authorized one when the right password is presented to access the system, even if it is a stolen one. Anyone with a correct password can pose as an authorized user. This is where password-based security fails, as it cannot recognize the user himself. It recognizes what a user knows, not what a user is. Other methods like PINs and security questions have the same shortcomings as passwords. There are also possession-based access control methods like tokens and smart cards, but they are even more vulnerable than passwords.
According to Verizon’s Data Breach Investigation Report 2016, 63% of confirmed data breaches took place due to weak, default or stolen passwords. Another alarming statistic from the Verizon report is that 30% of phishing emails are opened and 12% of the links are clicked. Clicking on the link can result in more than just a stolen password – it could also be the means by which malware is installed on the system. Among data security incidents, social engineering is also an increasing risk these days, in which a victim is engaged in human interaction and asked to provide sensitive data by being offered a greater profit. Social engineering can also be used to trick people into sharing their passwords, PINs, OTPs, etc. Most social engineering exploits simply rely on people’s willingness to be helpful.
Device and network security is data security
Looking at the present level of threats to information security, device and equipment manufacturers have admitted that passwords are not enough. They are looking to go beyond password-based security and are offering integrated biometric recognition hardware with their devices. Biometric recognition has been successfully implemented for a number of use cases across industries. For logical access to equipment, devices, PCs and networks, biometric recognition can offer the level of security we are looking for. Among all available biometric recognition methods, fingerprint biometrics has proven to be the best method to implement on devices of different sizes and form factors. Be it PCs, ultra-portables, tablets, smartphones or wearables, fingerprint recognition can be successfully embedded across a range of devices.
Fingerprint sensors have already made it to smartphones and are very popular among users. New devices with fingerprint sensors are flooding the market. This trend is not limited to high-end smartphones; low-end devices are also flaunting fingerprint sensors in their spec sheets. According to the market intelligence firm Counterpoint Research, more than 1 billion smartphones are expected to ship with a fingerprint sensor in 2018. This many devices are set to create a biometric ecosystem of integrated services, as more and more software and app makers would like to leverage widely available biometric hardware.
It is not just hardware manufacturers that are trying to leverage fingerprint biometrics. Software manufacturers are also developing their code accordingly, to make the best use of this little piece of hardware. System software manufacturers like Microsoft and Apple are adding biometric capability to their operating systems so that the OS can make the best use of the biometric hardware. Microsoft has deeply integrated biometric capability in its latest OS offering, i.e. Windows 10. Securing devices with fingerprint recognition further secures the network and the resources these devices access, as access is provided on the basis of “what a user is”. Fingerprint biometrics also offers a great solution for personal devices accessing the corporate network. It helps implement an efficient BYOD policy, making sure that the entity seeking access to the network is what it says it is. This level of confidence in user identity is only possible with biometrics.
Organizations at enterprise level have a fairly complex IT infrastructure and resources that are simultaneously accessed by several users, devices and applications. Information and resources on a corporate network can be crucial for business continuity, and a breach may bring business operations to a complete halt. The frequent occurrence of data breaches and information security incidents is a wake-up call for businesses and corporations to re-evaluate their network and PC security efforts. Organizations with an “it will not happen to us” mentality often ignore crucial data security aspects until it actually happens to them. Once malware is on a corporate network, it quickly infects other machines, paralyzing the whole network.
As Verizon’s Data Security Investigation Report 2016 suggests that weak and stolen passwords are the reason for a large portion of data security incidents, there is a need to revamp password-based security, either by replacing it or by doubling it with biometrics. Ignoring cybersecurity turned out to be the worst nightmare for many businesses and institutions in 2017. Failing to install an OS vulnerability patch resulted in a ransomware attack that ceased operations and encrypted data. Identifying the need of the hour, manufacturers have started taking biometrics seriously and are increasingly adding biometric recognition hardware to devices like PCs, laptops, ultra-portable computers, smartphones, and other computing equipment.