User accounts are where companies are most vulnerable today. Few take proactive measures to ensure access control, though it is clear to both experts and cybertech companies that use of password management and multi-factor authentication is becoming more and more widespread.
In Denmark, the public sector has been quick to introduce multi-factor authentication in digital solutions. The same is not true of Danish companies, though, and more and more suffer attacks in the form of e.g. phishing and ransomware. These attacks are often a result of private as well as public companies’ poor control of staff’s digital identities.
According to Head of Section at DTU Compute Christian D. Jensen, the first part of the solution is proper authentication.
‘People’s passwords are not good enough. Another challenge is long passwords, where we often run out of ideas and memory’, he says.
Password management can help solve that, because it helps you keep track of various identities and to enter passwords automatically across websites and applications. The second buzzword right now is multi-factor authentication. We will get back to that.
One of the Danish companies that has specialised in access control is the consultancy ICY Security. Its staff of 45 has focussed exclusively on identity security since 2015.
‘Our clients often come to us after a ransomware attack that is the result of poor user control. Then our task is to clear up the mess and introduce a system that prevents future messes. The more time you spend preparing, the longer your security system will survive’, says Sales and Marketing Director of ICY Security Jesper Stener.
ICY Security sells and implements security software from the largest user control suppliers to large banks, the Agency for Governmental IT Services and smaller private companies, and from Jesper Stener’s point of view, the market is a blue ocean, as only around two per cent of Danish companies have sufficient user control.
ICY Security does not have a lot of competitors either – even though Christian D. Jensen from DTU Compute argues that we are starting to have difficulties with our access control models, that is, the way we grant access to the individual user.
20 years ago, your tasks determined your level of access. 10 years ago, it was your role in the organisation. Today, the trend is that your attributes determine your access level.
‘This calls for more sophisticated access control models that are better at distinguishing between individuals, because the individual member of staff has more attributes than roles’, the Head of Section explains.
One of the main problems with the old model is that people change roles, and the IT departments do not always keep up and adjust access levels accordingly.
‘This was a huge problem 10-20 years ago, and it still is to some degree. If my account is compromised, the attacker can use all my rights. So the fewer rights, the better’, Christian D. Jensen says.
Remove dead accounts
CEO of the cybersecurity company Liga Jens Nielsen agrees that this is indeed a widespread problem:
‘You have to remove so-called dead accounts – that is, accounts of former employees’, he explains.
Therefore, Liga, which was established back in 1998, focusses on user account security as a main aspect of a company’s cybersecurity. With a staff of 12 – nine in Denmark and three in Sweden – the company embraces users’ entire digital existence – from employment to retirement.
‘We think it is important and something everyone should focus attention on’, Jens Nielsen says. He argues that a lot of companies still rely on usernames and passwords, even though such systems have proven insufficient.
‘All recommendations point to multi-factor authentication’, he says about the new method that is based on something you are (username), something you know (password) and something you have (e.g. a chip card, an app or a key).
‘One of our main focusses is chip cards, which are super safe, because they are based on cryptography and are extremely difficult to hack’, the Director says. He believes it pays off to spend time and effort focussing on your security.
‘The entire issue of cybersecurity is characterised by hot air and the idea that all you have to do to be safe is get a box. But it is not that simple. You constantly have to be attentive and make sure your systems are robust’, Jens Nielsen argues. ‘We do not introduce grand changes, but we do raise the level of security’.
Better to be proactive than reactive
Both ICY Security and Liga have clients who do not come to them until it is almost too late, even though cybersecurity has never received this much attention.
‘The market is to a large extent driven by companies who have suffered an attack or revision. I kind of miss those who just want to introduce more security before they are forced to do so’, says ICY Director Jesper Stener, and Jens Nielsen from Liga agrees: ‘IT security should be a key management issue. Because it is a competitive parameter, and it is therefore important that companies take the time to deal with it’.