Cyberattacks are a massive problem for organizations today, and the threat is only growing larger. IBM data said the average cost of a data breach is $3.86 million, with U.S. companies experiencing an even higher average of $7.91 million.
Rising frustrations with passwords have churned up excitement over sophisticated technologies, like biometrics, to safeguard data. However, in the enterprise world, implementation of those tools is no easy feat. OneLogin Chief Technology Officer and Founder Thomas Pedersen recently told PYMNTS why overcoming corporate security's password hurdles doesn't come without its own headaches.
Promises among security technology providers to kill the password have been "exaggerated," he said, so the lackluster security measure sticks around.
"The problem with passwords is that we have so many applications, and people are barely capable of remembering one password," Pedersen added, noting that, for organizations using hundreds of applications, repeat passwords are common. Plus, professionals will often use paper or spreadsheets to keep track of those login credentials.
The reliance on passwords means those credentials become more of a security liability than protector, as cyberattackers attempt to infiltrate enterprise systems.
In one tactic, Pedersen explained, hackers can take the top-500 weakest (i.e., most common) passwords and check them against millions of accounts. In another, phishing scams will fraudulently request an employee login to Uber or LinkedIn to steal those credentials.
"It may not seem so risky to give up a LinkedIn credential," said Pedersen, "but people use their password for more than one thing."
A hacker may target an executive in the finance department with a phishing scam, someone who they know is a controller, with a higher level of access to company bank accounts or other financial data. A successful email campaign that steals the password of a company's Uber account could also compromise an organization's online banking credentials or accounting app login information.
Considering the risks: It's surprising that organizations remain so ill-prepared to mitigate the threat. Yet, according to Pedersen, most professionals are still not educated on how to spot a phishing attack. Furthermore, among OneLogin's own customer base, it's about a 50-50 split between organizations that use multi-factor authentication — now considered an essential standard of enterprise security — and those that don't.
He pointed to organizations' ongoing migration to the cloud as yet another trend opening up the enterprise to data security risks, a scenario that presents companies with more applications with which to repeat a password, as well as more data in the cloud — thus, leaving them open to infiltration.
On the other hand, another challenge businesses currently face is their inability to migrate away from legacy infrastructures that were not built for the modern age of security threats.
"The really scary thing is that there are so many companies that have really old software, and they either don't have the resources or budget to upgrade it," Pedersen said. "That's one area where you see these big breaches."
The security challenges don't stop there. Today, organizations are tasked with not only safeguarding corporate data from outside bad actors, but managing authentication and authorization of their own employees with different levels of access to various apps. Not every employee should be authorized to approve a multimillion-dollar payment, for example.
The rise of the application programming interface (API) ecosystem — as regulations like Open Banking in the U.K. create greater pressure for banks in the U.S. to open data to third-party FinTech firms — will introduce even more, less familiar challenges for enterprise security experts. As organizations migrate to the cloud and adopt more apps, cross-app integration will be essential for functionality. However, when a single-factor login process is all one needs to connect a third-party app to their bank account, managing data access can quickly get messy.
"These aggregators can be targets of attacks themselves," said Pederson, who added that the API ecosystem and its impact on corporate security is an area he's watching as it evolves. "API integrations are definitely a blind spot for many companies."
On the whole, cyberthreats continue to expand, and millions of dollars are on the line for businesses that fail to implement tactics like multi-factor authentication (MFA), instead relying on lackluster passwords to manage hundreds of account logins. While technology innovators have vowed to do away with passwords altogether and replace login processes with shiny biometric authentication tools, this change is likely to be slow, as organizations struggle to move beyond legacy infrastructures not built to support such security measures.
Unfortunately, despite the warnings, Pedersen said corporates thinking about data security are often like consumers thinking about insurance: they don't realize they need it until something bad happens.
"I'm constantly surprised by how many companies take a lot of risk," he said. "We have a lot of customers not even employing MFA. How can you not do that? A lot of companies need to wake up and take it seriously, because they're very exposed."