The Security Dialectic: Walls or Understanding?
By Robert Capps, VP of business development at NuData Security
According to a recent report from Forrester, CISOs got a larger piece of the IT pie in 2016, with security budgets accounting for a record 28% of IT budgets for organisations with over 1,000 employees. At the same time, board-level attention and consumers’ focus on privacy and security issues are coinciding to inch the CISO toward a position as one of the most important executives in the enterprise. While these upward trends might lead to optimism, they conceal significant changes occurring as companies shift IT spend. The focus is less on internal projects and more on customer-facing initiatives, and what Forrester calls the “business technology agenda (BT),” highlighting that CISOs who grasp these changes will have opportunities for better security and business. Gartner, on the other hand, predicts overall IT spending will be mostly flat, however there are re-adjustments on the IT mix to push digital alternatives and speed time to value.
NuData has found that business is increasingly involved with technology purchasing, and customer experience is becoming more prioritised. Most companies are looking for connected products and services that facilitate customer conversions and loyalty. What this means for most security teams, or even risk and fraud teams is that security options that promote revenue growth, improve customer experience and accelerate digital business, are being pushed to the top of the list. At the same time, the need for robust security is increasing.
Cybercrime rests for no one, CISO or otherwise. In the UK, there were an estimated 3.6 million cases of fraud and two million computer misuse offences in 2016 according to an official survey. The Crime Survey for England and Wales included online offences for the first time in its annual report. Separate figures recorded by police showed an 8% rise in offences overall (including ‘real world’ offences such as violent crimes), and a 39% increase in financial fraud (including online fraud). Could these increases be because more hackers are plying their trade? Are defences becoming difficult to improve? The answer is probably a bit of both or perhaps just better reporting, but that is not what’s important. What matters is what needs to be done to reverse the trend.
One thing is clear; there are a lot of dollars at stake when it comes to cybercrime. Juniper Research estimates that the global cost of data breaches will increase to $2.1 trillion by 2019. Frank on Fraud estimates that global bank fraud losses were $181 billion in 2016 and are expected to continue their upward climb for 2017. In the UK, the Cybersource 2016 UK eCommerce Fraud Report found that 50% of merchants are manually reviewing orders, and minimising operational costs are their highest concern.
And, it is not going to get better. Increasingly, mobile transactions are taking over other transaction sources in the card-not-present payment landscape. Trendforce reports that the worldwide mobile payment revenue in 2015 was $450 billion and is expected to surpass $1 trillion in 2019. If this trend continues, the estimated cumulative annual growth rate will be 36%, showing very high and steady growth until the next decade.
As digital markets continue to grow, so will online fraud, corruption, and cybercrime of all kinds, as the two are inseparably linked, particularly in e-commerce sectors. In Europe and the UK, according to the 2016 Internet Organised Crime Threat Index, cybercrime has gotten so bad that it “may have surpassed traditional crime”. The Global Fraud Attack Index (2016) found there were 34 attacks for every 1,000 transactions in Q1, and recent new research from NuData showed that there was an astonishing 400% increase in automated attacks during November and December 2016.
The quest for securing digital transactions becomes ever more complicated with cybercriminals employing increasingly sophisticated techniques to impersonate real customers. Physical and passive biometrics are being implemented to help authenticate real customers for online transactions. The continuous, non-intrusive authentication that passive biometrics offers allows organisations to verify their users through their natural online behaviours such as monitoring keystrokes, how they hold the device, type pressure, swipe, type speed and hundreds of device interactions, which are analysed in real-time to thwart would-be intruders and attacks. It’s a powerful advance that can add new depth and security to the organisation’s authentication framework, substantially reducing their risk.
Physical biometrics are another kind of biometric technology justifiably getting a lot of attention these days. Consumers physical biometric characteristics such as fingerprints, iris scans, and facial scans, are readily usable by third-parties in non-face-to-face transactions if the device isn’t compromised. They also form a very suitable and visible security layer that often reassures consumers. And, by another unique verification point into the process, it opens a lot of opportunity for accurate authentication. When you combine physical, behavioural and biometric verification with device and location, a highly reliable understanding of the user is possible.
However, physical biometrics can also inject friction into the authentication process that quickly loses its novelty, especially during the enrolment phase when the customer must manually input the biometric, often several times, into the appropriate device. Repetition can frustrate customers who can come to associate this pain with the brand.
Data breach news over the last three years has shown that most information security barriers can be can be overcome if a hacker is determined and spots a vulnerability in organisational defences, and once stolen data is available on the Dark Web, it’s likely to be compromised perpetually. This is certainly a risk for physical biometric data that can’t be altered after-the-fact, like a password can, so great care in storing this data must be undertaken by merchants. Even if such storage is sound, the endpoint device where the biometric data is consumed may be compromised and leaked at that stage. Any leak of such data could mean a lifetime of risk for the effected consumer.
Vying for a piece of the 28% of security spend this year isn’t easy. CISO’s understand that business needs, risk, and security controls must be appropriately balanced. Whether in the eCom space or the financial world, multi-factor authentication systems have the power to devalue the old password authentication system. Many decision makers still find it hard to shift their thinking from perimeter control, known as the “build better walls” mentality (and we will always need to do some of that), to adding in investigative approaches whereby knowledge about your customer forms the basis of whether you erect a barrier or not. Many security teams are unfamiliar with how to go about this and biometrics creates a perfect bridge by providing a technological understanding of customers physically and behaviourally.
Robert Staughton Lynd, a famous early American sociologist, said “Knowledge is power only if [we] know what facts not to bother with” and while knowing more about customers is a good thing, you must be able to decipher that knowledge, filter it, and know how and when to act on that insight. With organisations turning to identity verification to support increasingly complex, risk-laden modes of card-not-present transactions, the choices of multi-factor authentication points are ever-more important. Making the right choice means taking into consideration both the friction and risk exposure for consumers and the risk profile of your organisation.
About the author:
Robert Capps is the vice president of Business Development for NuData Security. He is a recognised technologist, thought leader and advisor with more than 20 years of experience in the design, management and protection of complex information systems – leveraging people, process and technology to counter cyber risks.
 “Computer misuse offences” is a catchall phrase including all cybercrime.