The swathes of high-profile security breaches in recent months have only served to highlight the need to educate the public on the inadequacies of the security systems currently in general use. For too long people have relied on simple-to-remember PINs and passwords and used lax security practices on their connected devices.
In order to empower people to take control of their digital assets, consumers must first understand that simply picking a pet’s name and adding a 1 to the end for a password, or using a four-digit PIN based on their date of birth, is not enough to secure the wealth of information they carry around in their pockets. A person’s digital identity is worth a significant amount to the right hackers and everyone needs to ensure they take the maximum precautions available to counteract this security threat.
A recent consumer survey commissioned by Intercede in the UK and US found that although people were concerned about the protection of their digital assets, many engaged in risky practices, including sharing passwords with friends, family members and even work colleagues. Many respondents remembered passwords using just their memory, implying that these were quite basic combinations used as credentials for many different websites.
There is clear demand for secure devices – in the survey, 54% of respondents were worried about the level of security on their device and 31% considered the security features of a device among the most important aspects when purchasing a new handset. Despite the concern, 26% didn’t use any security to protect their digital identity, while 53% used only a pattern or passcode.
Very few used anything more sophisticated, despite recent high-profile security breaches highlighting the weaknesses of the username-password authentication systems in common use.
The problem, quite simply, is that not enough people know what good security practice looks like. While 20 years ago perhaps a difficult-to-hack password was enough, this is no longer the case. Accurately verifying the identity of the person trying to access websites is the best protection against online crime against personal assets such as banking websites and other financial services.
To address this gap in consumer knowledge and perception, a series of best-practice rules needs to be decided and a structured programme of education needs to be embarked on, but who will take the initiative?
There are so many stakeholders, all with different levels of expertise and priorities – from public sector organisations, governments and security forces, right through to those in the mobile and connected industries ecosystem. These diverse organisations need to work together to design the protocols and begin this long-overdue programme of education.
Earlier this month, the UK government announced children would be taught the basics of coding at school, so why not increase the level of “Internet education” by including protection of online identity? Engaging the next generation with the issue of online security is a great starting point to open up the debate more widely around best practice.
As well as embarking on an extensive programme of education, there is also a need for the whole ecosystem to improve collaboration, to set exacting standards for online security and identity management.
Everyone has a part to play in this: those manufacturers who include sophisticated authentication tools on new devices need to increase awareness amongst customers. Where secure elements are available on devices, developers need to take full advantage of these facilities, and government, regulatory bodies and law enforcement agencies need to ensure their education campaigns are simple and easy to understand.
Some markets and sectors have already introduced specific regulations and guidelines illustrating cyber security best practice. The US government is leading the way in identity security regulations with FIPS standard 201, which specifies the personal identity verification standards for US government employees and contractors. These standards, now in place, could easily be transposed into the greater security industry and provide the blueprint for other countries that are deciding the best methods of authentication for their employees and contractors.
The mobile device is the gateway to the Internet and, as such, it has the potential to be a security asset or a security risk. By uniting industry, legislators and security bodies to create robust security procedures, we can ensure it is the former, not the latter.