There are certain business outsourcing risks when companies decide to let another company take care of their business operations. When companies decide to outsource some of their services to an outsourcee, they have concluded that they are better off letting someone else do the job for them. That assumption may hold when we look at specific benefits, but it may not hold when we look at the entire picture.

Data protection and business risks of outsourcing business functions and services

There are sometimes good reasons to outsource, which we will cover later. Companies may outsource business operations such as customer service or call centers, certain aspects of system security management (especially if the outsourcee offers independence and state-of-the-art technology), IT operations, marketing, and so on. However, outsourcing decisions are sometimes based on myths and a lack of awareness of the risks. A myth is a false belief, and there are a few of them when it comes to outsourcing business operations.

Outsourcing Myths

Myth #1) We will save money – this is far from the truth when we look at the entire picture. What happens when you decide to bring the outsourced process or function back in-house one day? You will incur huge costs for hiring, training, and lost productivity, and that is assuming your outsourcing contract allows you to reverse your past decision easily and the other company supports that decision, since they have no incentive to cooperate.

Myth #2) It’s less headache for us – the reality is that when it comes to outsourcing, less is more: when you have less control over the process, you have more problems and less flexibility to address those problems efficiently and effectively. Remember, when you outsource, you are at the mercy of the other company to solve your problems and manage your risks. The risk increases significantly when the outsourcing company deals directly with your customers and appears to be an extension of you in the marketplace.

Myth #3) They have better skills – this may be true and is often the basis for outsourcing, on the assumption that the outsourcee can do a better job. But it comes at a cost. Your company can also hire and retain the best skilled staff at a higher cost. Nothing is free, and some skills, such as IT, are expensive no matter who employs them.

Business Outsourcing Risks

Risk #1) Service Level Agreements or SLAs may not be clear enough – sometimes there is a lack of understanding regarding service agreements or responsibility assignments. Roles and procedures may also not be clearly defined and communicated. This can lead to a complete breakdown in business operations initially, followed by a slow recovery of operational efficiency and effectiveness that can take months or years, affecting productivity and morale, which is another component of business outsourcing risks.

Risk #2) The outsourcing project may be poorly planned – one consequence of poor planning is fully trusting the outsourcee and letting knowledgeable employees leave the company before their knowledge is adequately transferred. This cost-saving error results in service delivery delays in the short run and costs companies even more in the long run.

Risk #3) Lack of control over outsourcee staff – firms usually have bad apples in their pool of employees, and for understandable reasons: to bring costs down without it being noticed. When we have control over staff, we can tie their job retention to their job performance, but not when the staff are outsourcee employees who may also be overworked and engaged in serving other customers with or without your knowledge. Remember, the outsourcee’s objective is to make money by serving as many clients as possible. And when they have too many clients, they can afford the risk of losing one client over poor service.

Risk #4) Contracts may not allow early and easy exit – can you imagine waking up one morning, realizing that your company has made the mistake of outsourcing some functions, and also realizing that you cannot easily reverse your decision while the service renewal contract is staring you in the face? If you discover early on that you made the wrong decision, you may be obligated to abide by the contract. Even when the contract ends, bringing the task back in-house will be a huge undertaking depending on its scope, and it will require the cooperation of the outsourcee, which will have yet another opportunity to squeeze in more money.

Risk #5) Transition back to in-house is costly and can take time – remember the myth about saving money on labor cost when your company first decided to outsource? Now think about bringing the outsourced functions back in-house, with the unimaginable cost of re-hiring skilled staff and training them. That is if your company’s reputation is still good enough to attract past or new employees. Having an exit strategy is, and should be, part of the plan for managing business outsourcing risks.

Risk #6) You may be liable for a data breach – if you are sharing personal and confidential data with the vendor as part of the outsourcing arrangement, the vendor may sell or use the data for other purposes and may not protect the data well enough to comply with regulations. If the vendor experiences a data breach, your company will be liable and suffer the consequences noted in risk #7. To reduce the data security and compliance risks associated with business outsourcing, Henry Bagdasarian, founder of Identity Management Institute, suggests that companies establish solid data protection SLAs with their vendors and require independent audit reports to confirm compliance with the SLAs and applicable regulations.

Risk #7) Your company reputation may be at risk – depending on the type and nature of the function outsourced, the outsourcee can be viewed as an extension of your company, which can either directly affect your image if they interact with your customers, or reflect poorly on your outsourcing decision and planning if they don’t perform well.

On the bright side, outsourcing is not all bad, and it may even make sense in some cases. For example, outsourcing is a great option when the skills needed for the project are not immediately available in-house, or when the skills needed are temporary, part-time, or for a special project, which means that you can easily change vendors or bring the function back in-house if needed. Managing business outsourcing risks is critical from the start, which includes a complete risk assessment and oversight of the vendor and the project.

Blockchain identity management is increasingly being adopted for validating identities through blockchain authentication, ensuring data privacy and integrity, and managing access. With the massive growth of online business and data comes the equally massive complexity of securing business transactions and system or data access. Cybercrime risks require industries to incorporate technical solutions to keep systems and data safe. One solution leading the field for cyber security and privacy is blockchain technology.

Blockchain identity management and authentication

Current identity and access management systems have a few security and privacy weaknesses that blockchain-based technology can help solve. However, blockchain is new and may introduce risks associated with sensitive data stored on a public blockchain ledger.

Blockchain or Distributed Ledger Technology (DLT) in identity management helps control data in a decentralized manner. Traditionally, businesses use a centralized system for identity management, which makes the database a single high-value target for hackers. For example, the widely used Lightweight Directory Access Protocol (LDAP) stores information in a directory database owned by a single organization.

Identity management with blockchain works in a different way. There is no centralized database; instead, information is stored in a peer-to-peer environment using a decentralized framework. The data is stored immutably in publicly owned blocks across the network. This solution provides flexibility, security and privacy for data management, with reliable authentication and integrity checks.

The Small Business Innovation Research program, supported by the Small Business Administration describes blockchain as “a common, public ledger, which utilizes cryptographic mechanisms to verify transactions and information in a decentralized manner.” In this way, blockchain integrity is verifiable by businesses without relying on third parties to ensure trust.

The role of blockchain in identity management is to provide a means to verify identities, control access, and ensure the integrity of the data and transactions. Everything stored in the database is publicly owned and immutable.

The future of blockchain identity management as a standard solution for cryptocurrency and other online transactions looks bright. The World Economic Forum reports that while banks spent $75 million to develop this technology in 2015, they spent closer to $400 million in 2019. This is because blockchain technology costs less to develop and implement than standard technologies, offers data integrity, and ensures data is not modified or manipulated by unauthorized persons. According to International Data Corporation (IDC), global blockchain spending will be around $19 billion by 2024, compared to $6.6 billion in 2021, as reported in IDC’s Worldwide Blockchain Spending Guide forecasts.

Blockchain technology is in its infancy. There are clear signs that future business solutions for security and privacy will include blockchain technology. The question that remains is how long it will take to see its full potential. That said, blockchain does not come without challenges and will require time to mature. While blockchain offers a beneficial model to make identities portable, verifiable, secure and private, potential challenges remain to be addressed.

Projections show cybersecurity spending exceeding $133 billion by 2022, including spending on artificial intelligence and machine learning solutions. Many businesses use AI to assist in breach detection and prevention, but as the technology becomes more ubiquitous, hackers are turning the tables and deploying AI-powered attacks. If such sophisticated solutions can backfire, can enterprises really rely on AI for their security needs while mitigating artificial intelligence threats and security issues?

Artificial Intelligence Threats

A Few AI Statistics

According to Gartner, information security and risk management spending could be as much as $175.5 billion by 2023. Seventy-five percent of enterprises currently rely on AI-based solutions for network security, and 51% use AI as a “primary” threat detection option.

These numbers suggest increasing confidence in sophisticated cybersecurity solutions, but 22% of organizations still lack sufficient resources to respond when incidents occur. There remains a significant gap between the 62% of enterprises making the most of AI and exploring new ways to implement AI solutions and those with little or no solid grasp of how to properly implement the technology.

AI is Changing Cybersecurity (For Better or Worse)

Speed is where AI excels the most, surpassing the human capacity to detect and mitigate threats. Seventy-five percent of cybersecurity executives agree AI allows them to respond to breaches faster, and the technology has been found to speed up evaluations of “breach-worthy” vulnerabilities by 73%. Fifty-nine percent of cybersecurity professionals say AI streamlines the process of detecting and responding to critical system weaknesses, and enterprises using the technology are able to find and fix such weaknesses 40% faster.

What does this mean for enterprise cybersecurity in practice?

With the rapidly evolving threat landscape, AI has become a necessity for 69% of enterprise executives. Sixty percent of cybersecurity professionals agree the technology is able to provide networks with “deeper security,” which can be a critical factor in separating enterprises affected by breaches from those able to avoid attacks.

Artificial intelligence shows significant potential for detecting fraudulent activity, malware and intrusions, as well as gauging the risk levels of login attempts. By making threat detection more sensitive and enabling nuanced behavior tracking, AI increases flexibility within identity and access management strategies. IT professionals can use the technology to create conditional rules and reduce friction for users with complex access requirements.

AI Can Backfire in the Hands of Hackers

Ironically, speed is also a major drawback of AI. Hackers are embracing the machine learning algorithms behind the technology’s success to create nuanced attacks personalized for specific individuals. Because AI can be “taught” with data sets, hackers can either create their own programs or manipulate existing systems for malicious purposes. Attacks executed with AI tend to be more successful, perhaps because the technology makes it easier to develop malware with the ability to evade even sophisticated threat detection. For example, pairing polymorphic malware with AI allows these programs to change their code rapidly, making them very difficult for existing cybersecurity systems to detect.

Hackers may also modify enterprise machine learning algorithms by altering inputs to change the way the system recognizes specific elements. This technique can be used to make the system overlook threats and allow hackers to bypass identity and access management controls.

System behaviors are potential targets, as well; with the right modifications, hackers can change the way devices respond or communicate, which may result in dangerous outcomes. Once system information has been changed, it can be very difficult to correct problems and return the network to its original state.

In light of these threats, it’s important for enterprise executives and IT professionals to resist the temptation to be complacent. Although AI is becoming more autonomous, it is by no means a replacement for human diligence. Systems require correct setup and management from the start, beginning with extensive data sets to prevent false positives and continuing with consistent monitoring and updates to maintain strong security.

Avoiding the Pitfalls of AI Technology

No single security solution, including AI, is enough to protect enterprise networks on its own. In addition to developing robust cybersecurity policies for comprehensive protection, enterprises must:

• Promote cybersecurity awareness through ongoing employee education
• Prioritize data protection
• Employ IT professionals with an awareness and understanding of emerging threats
• Use high-quality data sets when training AI systems
• Automate key security processes for faster detection and response
• Go beyond compliance to create tailored security solutions
• Perform routine security audits and penetration testing
• Upgrade software and hardware as needed
• Amend security policies to address new threats

Identity and access management certifications

Like all security solutions, artificial intelligence has its limitations. Enterprises interested in incorporating the technology into cybersecurity frameworks must assess their needs and design multifaceted strategies to address both known and potential threats. Instead of seeing AI as the ultimate solution to all cybersecurity problems, it’s necessary to acknowledge potential drawbacks and implement the technology as part of a dynamic and adaptable security solution.

In 2016, the average enterprise had to manage access for 89 vendors. The number climbed to 181 vendors in 2017 and has continued to increase as more industries switch to cloud-based software and services. With this expansion comes an increased breach risk, which requires enterprises to go beyond the borders of their internal networks to address third-party access risks and implement strict security procedures for external users.

The Rise and Risk of Third-Party Access

Eighty-one percent of IT professionals reported seeing an increase in third-party enterprise network access between 2015 and 2017, but only 34% of companies keep detailed inventories of the vendors with access to their networks. This low level of visibility may stem from a combination of poor third-party risk management and an unnaturally high level of trust. Two-thirds of enterprise IT professionals admit to trusting vendors more than they should, and just 35% would rate their third-party risk management strategies as “highly effective.”

Assuming vendor access is safe on the basis of familiarity with or the reputation of a vendor can be a mistake with far-reaching consequences. Fifty-eight percent of organizations reported breaches related to vendor access in 2019, pointing to a need for stronger access management policies. While an otherwise trustworthy vendor is unlikely to perform malicious actions while logged into an enterprise system, vulnerabilities in the same vendor’s network or software or human errors can act as a gateway for hackers. If the vendor’s system is breached, hackers could potentially use accounts to access all enterprises to which the vendor connects.

Managing and Mitigating Vendor Risk

Since 63% of businesses lack the resources for appropriate management of vendor relationships, inherited vulnerabilities remain an ongoing challenge. Risk reduction hinges on awareness and visibility. Enterprises need to know who has access to their networks, as well as when and how connections are being made.

Those with existing third-party relationships must take inventory of all vendors and review third-party security policies. This should include assessments of how data is stored and secured, as well as careful evaluation of breach prevention strategies. Following the same procedure before allowing access for new vendors can prevent inherited vulnerabilities from becoming breach risks.

Limitations on vendor access, including which devices may be used, provide additional security. Third parties should only be able to access the information they need to perform essential services, and all devices used should be approved in advance by the enterprise with ownership of the network. Because some vendors may pose higher risks than others, a rules-based risk assessment can be useful in determining the amount of oversight required to minimize the possibility of a breach.

Viewing vendors as users brings them under the umbrella of internal security policies, including onboarding and offboarding procedures. Each vendor should be subject to consistent monitoring for unusual behavior patterns during network sessions and denied access should any red flags arise. In the event a vulnerability is discovered on the vendor’s end, it’s up to the enterprise to point it out and request a fix. If a vendor refuses to correct the problem or chooses to remain ignorant of the potential consequences, it may be necessary to revoke all access or find another provider.

Proper governance ensures such third-party access rules are enforced. Enterprises with strong governance models are better able to evaluate, track, approve and monitor third parties and respond to risks in real time than the 44% of companies taking an “all or nothing” approach to vendor access.

Establishing Third-Party Security Guidelines

When enterprises assume external access poses less of a risk because vendors have their own security policies, they lack the knowledge and foresight required to maintain secure networks. Rather than relying on questionable or inadequate vendor security, enterprise IT professionals must take the initiative and create solid policies to govern vendor access.

Policies should include the following:

• Vendor and third-party access approval
• Level of access allowed based on vendor needs
• How access is managed and controlled
• Policy review criteria for vendor access management, including management of privileged accounts
• Provision for continual risk evaluation
• Routine review of vendors’ security policies and practices

Consistent enforcement of access guidelines is necessary to protect against third-party vulnerabilities and preserve the integrity of enterprise networks. Compiling policies into a document provides a straightforward checklist for new vendor evaluation and existing vendor monitoring, which is essential in a digital environment where new threats continue to emerge.


The complex interconnectivity between enterprises and vendors requires diligence and discernment on the part of IT professionals. Because enterprises can’t operate efficiently without support from third parties, it’s essential to establish clear policies and enforce access limitations while continually monitoring network activity. Making vendor boundaries a security priority ensures safer access for all network users and protects enterprises from hackers seeking to exploit third-party vulnerabilities.

Standard authentication methods are fraught with security risks and vulnerabilities. Even protocols with the highest perceived security levels such as multi-factor authentication and blockchain verification can become compromised, allowing hackers to infiltrate networks and access sensitive data.

Adaptive authentication is a risk-based authentication approach that determines the appropriate combination of authentication methods to grant entities access based on various risk factors.

Enterprises need better solutions for verifying identities and controlling access to complex systems. Adaptive authentication may provide an answer to the continued challenge of balancing strong security with user experience to prevent breach incidents while supporting productivity.

Granting Access Based on Risk

Because adaptive authentication allows users access to networks and resources based on risk levels, it’s sometimes referred to as risk-based authentication, or RBA. Assessments of risk levels are based on two groups of factors:

• Static access requirements and policies set for specific user types
• Detailed behavioral information for each individual user or network entity

Authentication may be granted using either approach on its own, but a combination provides the most dynamic option for enterprises seeking to improve security.

Behavioral data is monitored and collected using technology known as User and Entity Behavior Analytics (UEBA). This is an updated version of User Behavior Analytics (UBA) and covers not only human users but also devices and servers. UEBA builds profiles of entities’ behaviors in a cloud environment and uses machine learning to compile an increasingly detailed view of each user over time.

Such comprehensive information allows the system to grant or deny access based on more than just login credentials. Profiles include granular data regarding access behaviors, such as roles, registered devices, normal login times and the distance between current and historical login locations. The more these factors deviate from normal behavior during a session, the higher the perceived level of risk associated with granting access to a user or entity.

Basics of Adaptive Authentication

In practice, adaptive authentication combines static access control rules with continuous evaluation of behavioral characteristics. During implementation, IT teams set basic access management rules based on user types and roles to dictate which resources can be accessed with basic login credentials. Beyond this point, artificial intelligence and machine learning take over to determine whether further authenticating factors are required.

Anomalies in behaviors may trigger a prompt for further authentication, such as inputting a code sent to another registered device or providing a biometric identifier. Logging in with an unrecognized device may require device registration or confirmation the device can be trusted. Too much deviation from recognized behaviors results in users being shut out of the system or application they’re trying to access.

Identity and access management teams are tasked with dictating how adaptive systems respond based on different risk levels, which are assigned “risk scores.” Reaching a particular risk score triggers the appropriate predetermined action to protect the system from unauthorized access. A hacker attempting to use stolen credentials or a stolen device to infiltrate a network may not be able to gain access even at the most basic level if the adaptive system detects a significant difference in login location or time.

Should a hacker successfully enter the system, he or she would need to be able to mimic every behavior of the real owner of the credentials in order for the session to continue. Since attributes like keystroke patterns are nearly impossible to emulate, there’s little chance a malicious third party could do much damage before being locked out.
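The risk-scoring and step-up flow described above, as an added example that is not from the original article: static role rules decide what basic credentials may reach, behavioral deviations (an unregistered device, an off-hours login, implausible travel since the last login) add to a risk score, and score thresholds map to the predetermined action (allow, prompt for a second factor, or lock out). All roles, weights, thresholds, profiles and login attempts are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass
class Profile:
    """Behavioral baseline a UEBA layer would maintain for one user or entity."""
    role: str
    registered_devices: frozenset
    usual_hours: tuple        # (first_hour, last_hour) inclusive, local time
    last_location: tuple      # (lat, lon) of the previous successful login
    last_login: datetime


@dataclass
class Attempt:
    """One authentication request as seen by the access layer."""
    device_id: str
    location: tuple
    time: datetime
    resource: str


# Static access rules set by the IAM team (assumed values): resources reachable
# per role with basic credentials, plus extra weight for sensitive resources.
ROLE_RESOURCES = {
    "employee": {"mail", "wiki"},
    "admin": {"mail", "wiki", "hr-db", "prod-console"},
}
RESOURCE_WEIGHT = {"mail": 0, "wiki": 0, "hr-db": 20, "prod-console": 30}

# Risk-score thresholds mapped to the predetermined action (assumed values).
STEP_UP_AT = 30            # prompt for a second factor
DENY_AT = 70               # lock the entity out
MAX_PLAUSIBLE_KMH = 900.0  # faster than this between two logins is "impossible travel"


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def score_attempt(profile, attempt):
    """Return (score, reasons); a None score means the static rules deny outright."""
    if attempt.resource not in ROLE_RESOURCES.get(profile.role, set()):
        return None, ["resource not permitted for role"]
    score, reasons = RESOURCE_WEIGHT.get(attempt.resource, 0), []
    if attempt.device_id not in profile.registered_devices:
        score += 30
        reasons.append("unregistered device")
    first, last = profile.usual_hours
    if not first <= attempt.time.hour <= last:
        score += 15
        reasons.append("login outside usual hours")
    km = haversine_km(profile.last_location, attempt.location)
    hours = max((attempt.time - profile.last_login).total_seconds() / 3600.0, 1e-6)
    if km / hours > MAX_PLAUSIBLE_KMH:
        score += 40
        reasons.append("impossible travel since last login")
    elif km > 500:
        score += 15
        reasons.append("distant login location")
    return score, reasons


def decide(profile, attempt):
    """Map the risk score to the action the IAM team configured for that level."""
    score, reasons = score_attempt(profile, attempt)
    if score is None or score >= DENY_AT:
        return "deny", score, reasons
    if score >= STEP_UP_AT:
        return "step_up", score, reasons
    return "allow", score, reasons


# Constructed sample baselines (not real data): both users normally log in
# from London on a registered device during business hours.
LONDON, PARIS, NEW_YORK = (51.5074, -0.1278), (48.8566, 2.3522), (40.7128, -74.0060)
ALICE = Profile("admin", frozenset({"laptop-01"}), (8, 18), LONDON, datetime(2020, 1, 6, 9, 0))
BOB = Profile("employee", frozenset({"desktop-07"}), (8, 18), LONDON, datetime(2020, 1, 6, 9, 0))

SAMPLE_ATTEMPTS = {
    # same device, same city, working hours, low-value resource
    "alice_normal": (ALICE, Attempt("laptop-01", LONDON, datetime(2020, 1, 6, 10, 30), "wiki")),
    # same context, but a sensitive resource: its static weight alone asks for a second factor
    "alice_prod_console": (ALICE, Attempt("laptop-01", LONDON, datetime(2020, 1, 6, 10, 30), "prod-console")),
    # late-night login from Paris on the registered laptop, reaching HR data
    "alice_paris_night": (ALICE, Attempt("laptop-01", PARIS, datetime(2020, 1, 6, 23, 0), "hr-db")),
    # unregistered phone in New York one hour after a London login: stolen-credential pattern
    "alice_stolen_creds": (ALICE, Attempt("phone-99", NEW_YORK, datetime(2020, 1, 6, 10, 0), "mail")),
    # static rule violation: the employee role never reaches the production console
    "bob_out_of_role": (BOB, Attempt("desktop-07", LONDON, datetime(2020, 1, 6, 10, 0), "prod-console")),
}


def run_samples():
    """Evaluate every constructed attempt and return name -> action."""
    return {name: decide(p, a)[0] for name, (p, a) in SAMPLE_ATTEMPTS.items()}


if __name__ == "__main__":
    for name, (p, a) in SAMPLE_ATTEMPTS.items():
        action, score, reasons = decide(p, a)
        print(f"{name:20s} {action:8s} score={score} {reasons}")
```

In a real deployment the weights would come from the UEBA model rather than fixed constants, and a step-up prompt would be followed by a second evaluation once the extra factor is supplied.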

Why and When Businesses Should Switch

Is adaptive authentication the right solution for every enterprise? Given the amount of data many organizations collect, transfer and store, the need for stronger access security is clear. However, an adaptive approach may be particularly appropriate if:

• Current “one-size-fits-all” authentication methods have become insufficient
• It’s becoming difficult to maintain proper security levels for each user and entity type within the network
• Increased speed and convenience would improve business success
• Poor user experience is impacting efficiency and profitability
• Increasing workflow complexity requires smoother transitions between applications or network environments
• The mobile workforce is growing in size
• Bring-your-own-device policies necessitate more dynamic device authentication protocols

For implementation to succeed, adaptive models must have enough information to form comprehensive user profiles. Too little information can increase incidences of false positives, which has undesirable consequences for both efficiency and user experience and burdens the IT department with superfluous security alerts. A successful adaptive authentication framework utilizes a combination of static access rules and detailed records of user and entity behavior to predict risk levels and automate security responses.

Upgrading to smarter authentication methods is necessary to keep up with the increasing complexity of modern cybersecurity threats. Adaptive authentication provides a flexible option for enterprises seeking scalable access management solutions but should be evaluated for efficacy on an ongoing basis.


Through partnerships between IT professionals and cybersecurity experts, enterprises can implement and deploy adaptive authentication solutions to strengthen existing identity management protocols and protect against emerging threats.

What can businesses, IT teams and cybersecurity professionals learn from some of the biggest breach incidents in 2019? What will identity management look like in 2020? It’s time to kick off the new year by taking stock of the cybersecurity landscape and preparing for new challenges.

Biggest Data Breaches of 2019: A Look Back

Breach incidents increased 33% in 2019 over the previous year to a total of 5,183 events and 7.9 billion exposed records. Sensitive data was a prime target. Hackers homed in on Social Security numbers, passport numbers, bank account information, medical records and similar identifying information.

Many of the largest breaches of 2019 hit well-known companies and social networks, including:

• Facebook and Instagram – Hundreds of millions of passwords compromised when stored as plain text
• Marriott – Up to 383 million guest records
• Zynga, producers of Words with Friends – 218 million player accounts, including email addresses, names and login details
• Capital One – 100 million credit card applications, 140,000 Social Security numbers, 80,000 bank account numbers and additional personal data
• Houzz – 48.9 million customers hacked
• American Medical Collection Agency – Data of over 20 million patients hacked
• Adobe Creative Cloud – 7.5 million customer records exposed in an unsecured database

The sheer magnitude of these breaches highlights the critical importance of securing business data and verifying the security practices of third-party service providers. Performing security audits to identify loopholes and vulnerabilities in complex business networks provides a safeguard against the growing cost of breaches, which has increased 12% over the past five years to $3.92 million per incident.

Identity Management Predictions for a New Decade

As occurrences and costs of breaches rise, businesses must redirect identity and access management efforts to better verify users, not just credentials. IAM in 2020 will require more detailed data collection and a combination of authentication methods to create complete pictures of users, how they access networks and what they do during sessions.

Collecting and storing more data points allows for contextual access control, which mixes strong authenticators like biometrics with other details, including networks, access locations and device types. Taking a contextual approach has the potential to allow businesses to move from single sign-on models to zero sign-on (ZSO), in which users enter credentials only once and behavioral data is used for continual identity verification.

The shift to ZSO could remove the last bit of friction between users and networks. Current bring-your-own-identity models are convenient but can suffer from security issues if third parties issuing and managing identities fail to do their due diligence in addressing vulnerabilities. As access domains expand, users will require more self-service options, which could create additional security issues unless businesses begin to adopt strategic technology-based authentication methods.

Privileged accounts remain prime targets for hackers and big risks for businesses. Adaptive trust models may provide better access management of users with privileged credentials, as such models are designed to adapt to fluctuating risk levels. By controlling network access using behavioral data, it’s possible to identify unusual behaviors and prevent hackers from infiltrating networks. A hacker using stolen credentials can’t mimic every habit of the real user and will be locked out when behaviors deviate from data on file.

Combining new approaches to IAM with improvements in user and data tracking will allow businesses to locate and fix network vulnerabilities going into 2020 and continue to improve access control as the threat landscape changes.

Cybersecurity in 2020: Predictions and Trends

Cybersecurity experts predict continued changes and challenges in the coming year, including several trends with the potential to significantly impact how business and organizations approach security:

• Moving toward more cloud-based software-as-a-service applications will necessitate improved security measures among businesses and providers
• The ongoing threat and increasing sophistication of phishing attacks will require continued monitoring and education to prevent breaches
• Hackers will move from using stolen credentials to hijacking user identities in an attempt to infiltrate systems
• Businesses and organizations will require personalized authentication protocols to support increasingly dynamic cybersecurity needs
• Developers will begin focusing on edge computing applications to expand cloud environments and improve edge device utilization
• Improved controls will be required to prevent smart device and voice assistant hijacking

In light of these predictions, businesses should be prepared to spend more on cybersecurity in the coming year. It’s also likely new user data privacy laws and regulations will be implemented, thus requiring a greater level of diligence and accountability on the part of organizations handling sensitive information.

Identity and access management certifications

To kick off 2020 with a strong approach to identity management and cybersecurity, businesses should look for qualified experts with whom to partner and begin addressing vulnerabilities within networks, systems and protocols. By fixing issues with the potential to leave network environments open to attack, companies can move forward and face new cybersecurity challenges with confidence.

Identity Management Institute has introduced and defined the term Digital Identity Transformation (DIT) as the “holistic assessment and improvement of business processes, people, and technologies to achieve excellence in identity

With the number of IoT connected devices projected to grow from 7.6 billion to 24.1 billion between 2019 and 2030, and revenue more than tripling from USD 465 billion to over USD 1.5 trillion over the same period, there’s a growing need to manage the IAM challenges of the modern IoT landscape in order to secure systems. Users now interact with internet of things (IoT) devices in every area of life, and each point of connectivity presents another challenge for cybersecurity professionals. To implement appropriate security measures, it’s necessary to examine the various aspects of the current digital landscape.

Smart Home Security Challenges

The number of smart homes in North America will grow to 73 million by 2021, suggesting a continuing shift toward reliance on digital technology and automation for daily task management. A smarter home, however, doesn’t automatically mean smarter security. Millions of devices collect data every day, including information about personal habits and routines, which could give hackers all they need to appropriate users’ identities.

Each device in a home is a possible entry point for an attack, yet many devices fail to offer appropriate security. The innocuous nature of small devices, such as wireless doorbells and garage door openers, makes them prime targets for enterprising cybercriminals, and devices controlled via apps and computer interfaces are similarly vulnerable. In 2017, the average IoT device was attacked once every two minutes during times of peak activity, suggesting hackers are taking an active approach to infiltrating smart homes and obtaining login credentials and personal information.

Securing Smart Buildings

Smart technologies are bridging the gaps between critical systems in public buildings. Managed separately in the past, services like HVAC, power and physical access control can now be handled through a single building automation system (BAS). As of early 2019, 35,000 such systems were already connected to the public internet around the world, giving rise to new security concerns.

Although a BAS can provide numerous benefits for building managers, the data collected by these systems can also be leveraged to launch attacks. Tools like Shodan, dubbed “Google for the internet of things,” can point hackers to vulnerabilities in smart building systems, allowing for the introduction of malware or the complete takeover of essential functions. Hackers with access to smart buildings have the power to cut off utilities or hold the entire system for ransom. Because institutions like health care facilities may rely on smart systems to manage infrastructure, such a takeover could be devastating.

Cybersecurity in Smart Cities

The concept of a smart city is no longer as futuristic as it once seemed. Many people already spend their days surrounded by sensors and IoT devices in public places, and an estimated 70% of the global population will live in connected cities by 2050.

Smart homes and buildings are just part of the equation. Smart traffic lights, street lights, gunshot sensors and even waste management devices are in use around the world, and many of the cars traveling city streets also contain connected sensors or devices. While this growing web of connectivity has great potential to improve safety and efficiency, it also introduces an extensive new threat landscape. The potential for compromise exists in all smart city devices and systems, which could allow hackers to cripple essential emergency services or shut down entire city sectors.

To further complicate security, smart city devices have much longer life cycles than other smart devices and require ongoing management to ensure they remain up to date. An attack on a single vulnerable device could lead to the compromise of the entire system and put the city’s population at risk.

Where Does Identity Management Come In?

Every interaction within a smart home, building or city environment requires authentication to confirm the identity of the person or device initiating the request. The security of such systems is tied to these digital identities, which means identity and access management (IAM) must be an integral part of all devices and networks to minimize the risk of attack. Stolen credentials can not only compromise the devices or systems to which they allow access but also allow hackers to obtain data from apparently unrelated areas of the network.

Moving toward unified digital identities will support seamless interactions with smart home, building and city devices by allowing users to digitize important identity information, such as driver’s licenses and bank account numbers. However, until such unification is achieved, multiple forms of authentication are required for secure network access, particularly remote requests. Producers and providers of smart devices and services will need to shift focus to developing stronger, more reliable security measures to support the growing reliance on IoT in all areas of society.


As IoT adoption continues to increase, cybersecurity professionals must prepare to meet the challenge of protecting wide networks of devices and the data they collect. Threat awareness and prevention are critical focus areas, and digital identity holds the key to managing the numerous interactions necessary for the success of these complex systems.

Since 63% of confirmed data breaches can be linked to weak, default or stolen passwords, the time has come for businesses to seek more reliable authentication methods. The increasing complexity of the cybersecurity landscape has rendered traditional passwords all but useless, and a nuanced approach to access management is necessary to protect against emerging threats.

(Figure: different authentication methods and options for accessing systems)

Confirming Identity with Context

Contextual authentication takes users’ habits into account when determining whether to grant or deny access. It’s rare for users to deviate from their routines, so behavior patterns tend to be predictable. These patterns provide the context in which it’s “safe” for the system to authorize login attempts. Hackers using stolen credentials will find it difficult to replicate the exact circumstances under which users access their accounts, and contextual authentication enables flagging of unusual behaviors.

High numbers of false positives may be returned with this authentication method if contextual details are lacking. The system can “learn” new patterns over time, but providing comprehensive user profiles during implementation prevents the IT department from being swamped with alerts. When given enough information, contextual authentication monitors users’ sessions in the background and prompts for additional authenticating factors only when deviant behavioral or circumstantial factors are detected.

Adapting with Risk Evaluation

Evaluating risk levels is a key component of contextual authentication and can be invaluable in network environments where different degrees of security are required in common workflows. By taking into account the likelihood a system will be compromised, this authentication method is able to grant access based on the risk involved in specific situations. Circumstances are evaluated and given risk “scores,” which the system uses to determine whether additional credentials are required before allowing users to proceed.

The dynamic nature of a risk-based authentication model makes it possible for systems to adapt to context, evaluate individual access requests and respond appropriately. Businesses can integrate other authentication methods, such as biometrics or one-time passwords (OTPs), to provide extra layers of security. A properly configured system handles the majority of potential threats on its own and doesn’t alert the IT department unless it encounters a serious breach attempt requiring human intervention.

Pinpointing Users with Geolocation

Geolocation provides a significant amount of information about the owner of a device, which can serve as confirmation of identity to authorize a transaction. Businesses may use geolocation to prevent hackers from making purchases using stolen credentials by comparing a user’s delivery address to his or her physical location when placing an order. Geolocation can also detect significant deviations from a user’s normal login location or determine if an authenticating device is in the same location as the individual requesting system access.

The use of geolocation allows for granular access control in organizations handling highly sensitive information. A business may, for example, allow its employees to log onto the network only from within specific office locations. This ensures information is never shared over connections the business can’t monitor, such as unsecured public Wi-Fi. Access rules may be adjusted to include other areas when employees are traveling or the business expands into additional locations.

Geolocation isn’t infallible. It requires a strong cellular signal or Wi-Fi connection to work as intended and is no longer a viable authentication method if a device is stolen along with a user’s access credentials or a customer’s credit cards. However, it can provide valuable information when used as part of a broader contextual authentication strategy.
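The contextual, risk-scored and geolocation checks described above can be combined into one decision, as in this added example (not code from the original article). The profile fields, weights, thresholds and the 1000 km/h "impossible travel" limit are illustrative assumptions; a missing location is treated as a small risk rather than a failure, since geolocation is not always available.

```python
import math
from dataclasses import dataclass
from typing import Optional

# Added example, not code from the original page: a minimal risk-based login
# policy. Each attempt is scored against the user's habits; weights, thresholds
# and the 1000 km/h "impossible travel" limit are illustrative assumptions.

@dataclass
class Profile:
    known_devices: set
    usual_country: str
    usual_hours: range           # local hours in which the user normally logs in
    last_lat: float
    last_lon: float
    last_login_ts: int           # Unix time of the previous successful login

@dataclass
class Attempt:
    device_id: str
    country: str
    hour: int
    ts: int
    lat: Optional[float] = None  # None when the client reports no usable location
    lon: Optional[float] = None

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def risk_score(profile, attempt):
    """Return (score, reasons): each deviation from the profile adds risk."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += 30; reasons.append("unknown device")
    if attempt.country != profile.usual_country:
        score += 25; reasons.append("unusual country")
    if attempt.hour not in profile.usual_hours:
        score += 15; reasons.append("unusual hour")
    if attempt.lat is None or attempt.lon is None:
        score += 10; reasons.append("location unavailable")   # geolocation is not infallible
    else:
        km = haversine_km(profile.last_lat, profile.last_lon, attempt.lat, attempt.lon)
        hours = max((attempt.ts - profile.last_login_ts) / 3600, 1 / 60)
        if km / hours > 1000:    # implied travel speed no airliner can reach
            score += 50; reasons.append("impossible travel")
    return score, reasons

def decide(score):
    """Low risk passes silently; medium risk prompts for a second factor (OTP/app)."""
    return "allow" if score < 20 else "step-up" if score < 60 else "deny"
```

A login from a known laptop, in the usual country and hours, from the last known place scores 0 and is allowed; the same credentials used an hour later from an unknown phone on another continent accumulate enough risk to be refused outright.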

Authenticating with Apps

Equipping users’ devices with authentication apps eliminates the risks of using text messages for two-factor authentication (2FA) and multi-factor authentication (MFA). Text messages can be hijacked with a SIM-swap attack, in which a hacker diverts a user’s cell phone number to his or her own SIM card. All information meant for the user is then received by the hacker, including authentication codes, PINs and OTPs sent via text message.

Authentication apps link to users’ accounts and provide unique codes whenever a change in context is detected, such as a login from a new device or an access request made from a remote location. Because the apps operate independently of Wi-Fi and cellular connections, the time-sensitive codes are always available for use.

When hackers attempt to gain account access with stolen credentials, they’re prompted to enter a code from the app. Without the associated device, the login attempt fails. Some apps allow for additional protections, such as PINs or passwords, to prevent hackers from obtaining codes on stolen devices.
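The time-sensitive codes described above are, in most authenticator apps, TOTP (RFC 6238) codes: an HMAC of a shared secret and the current time step, which is why no network connection is needed to produce them. As an added example that is not part of the original article, here is a stand-alone implementation with a verifier that tolerates one step of clock drift and refuses a code that has already been accepted; the secret used in the test is the one from the RFC test vectors, and the window and digit counts are assumptions.

```python
import hmac
import hashlib
import struct

# Added example, not code from the original page: the HOTP (RFC 4226) and
# TOTP (RFC 6238) algorithms that most authenticator apps implement. A code
# depends only on a shared secret and the current time, so the app needs no
# Wi-Fi or cellular connection to produce it.

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter taken from Unix time divided by the step."""
    return hotp(secret, at // step, digits)

def verify_totp(secret, code, at, last_counter=-1, step=30, digits=6, window=1):
    """Return the matching counter, or None if the code is not acceptable.

    Accepts the current step plus or minus `window` steps to tolerate clock
    drift. Counters at or below `last_counter` (the one most recently accepted
    for this user) are refused so that an intercepted code cannot be replayed.
    The comparison is constant-time to avoid leaking digits through timing.
    """
    base = at // step
    for counter in range(base - window, base + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None
```

The server stores the counter returned by a successful verification and passes it back as `last_counter` next time, so a code copied from a compromised session is useless once used.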


These authentication methods give businesses several options for securing networks against infiltration. Building stronger authentication into existing access management policies reduces risk and provides the agility needed to adapt to modern security challenges. IT teams should evaluate current authentication methods to determine where vulnerabilities exist and implement appropriate controls to prevent attacks.

In order to manage cyber and data security risks, organizations assign a qualified person to create and maintain a security program consisting of policies, standards and guidelines. A security policy is a high-level security statement that dictates how a particular security risk must be handled throughout the organization, such as “all devices must be encrypted”; standards specify the acceptable methods and tools for implementing and enforcing the policy, such as the use of “Advanced Encryption Standard (AES) 256”; and guidelines offer additional supporting information.

Managing information security is one of the highest priorities in many organizations, especially those operating under heavy regulatory mandates and requirements. As we all know, information leakage and data breaches are high risks that can negatively affect an organization’s reputation and finances. Organizations that experience a breach of personal and private data can expect to face loss of customers, industry trust and credibility, money and competitive advantage, as well as increased regulatory scrutiny.

It has been acknowledged that some executives and members of the management team may override information security policies (and let other employees violate them) by asking the CISO for special treatment, citing the burden the policy places on their productivity among a host of other reasons.

A security policy override may come in various forms. If the violator feels powerful in the company and knows that his or her wishes cannot be rejected, the person will make a formal request to bypass the security policies at will. Other times, the person may simply ignore the security mandates and violate the policies without notifying the CISO, feeling that asking is a waste of time, that the policy does not apply to them, or that the request would be rejected and that they can get away with it if detected because of their powerful position.

To be fair, some executives override security controls because they either don’t know that their actions violate security policies or are not fully aware of the consequences of their violations and the risk their actions pose to the company. As mentioned, others may simply ignore the security policies because they are busy or, even worse, because they are planning to commit fraud.

To deal with security violations, strong detection controls must be in place and communicated widely, to make sure everyone knows that they are being watched and that there are serious consequences for violating the security policies. That said, detecting security violations can be a daunting job and sometimes impossible, as violators may be highly technical and able to cover their tracks after achieving their goals. Also, when a security violation is detected, whether proactively or during an unrelated audit, usually nothing happens if there is no Board and executive committee support for dealing with such violations. Therefore, it is extremely important that the security program include provisions for dealing with violators and that those provisions are approved and supported at the highest levels of the executive board.

Sadly enough, the CEO and other high-ranking officials often have other business priorities and neglect security until a breach occurs; only then do they make, within minutes, the decisions to improve security that they would not make before the breach despite dozens of business cases explaining the risk.


In conclusion, executives and management team members, like all other employees, should not be exempt from following any of the company’s security policies and procedures, in order to ensure continued protection of company assets, including confidential information.