Does Cost of Security Put Your Organization at Risk?

Jonathan Craymer
If you were buying a car today, would you try to order it without rear seat belts to shave a bit off the price? Similarly, if you were purchasing a machine for your company that normally comes with a safety guard, would you try to economize by asking the seller to take it off to cut the cost?

Of course you wouldn't. So why, in an age when the security of company data is so vital, is it almost standard practice for enterprises to provide secure two-factor login for only a small part of the workforce?

A number of experts seem to agree that the norm for many enterprises is to issue tokens to only 5-10 percent of staff. Certainly one local authority I know of has 20,000 on staff, and only 500 of them get two-factor authentication. Presumably the remainder of the staff is left to muddle through with nothing more than one-factor authentication, i.e., standard passwords, with all their associated security vulnerabilities.

Bearing in mind the potential 'cost' of a data leak today - lost business, industrial espionage, advantage handed to competitors, loss of reputation, pillorying in the media, and so on - economizing on something of such importance doesn't make a lot of sense. So why is partial use of two-factor authentication the 'norm' in so many workplaces?

Perhaps it's time we all looked afresh at what we're trying to achieve here.

Unless we've all been living on a distant planet for the last few years, it should be obvious by now that the once-trusted password is no longer fit for purpose. Hackers have too many ways of compromising or cracking it. So we've been sold on the idea that one-time passwords are a better alternative. Well over 20 years ago, when the hardware token arrived on the scene from current market leader RSA, we all started to think that having a key fob in our pockets and a VPN set up on our computers would keep everything we hold dear safe from the bad guys.

Leaving aside the recent RSA "hack" and the fears about token security it may have stirred up, is the use of expensive pieces of hardware to safeguard the logins of a minority of staff in an organization really the best use of resources? Clearly it creates an imbalance that doesn't seem very logical. Surely it would be better to use something cheaper, which could be rolled out to everyone.

May 25, 2011 4:05 AM JSSO CTO says:
Check out the cloud-hosted service offered by Duo Security. They support mobile apps, SMS, phone calls, as well as tokens, and it's pay-as-you-go, pretty much the "ideal" solution you described! The best part is that users set themselves up, nothing for an administrator to do. So glad to get off of RSA!
