Editor’s Note: Welcome to our weekly Reality Check column where C-level executives and advisory firms from across the mobile industry share unique insights and experiences.
Every day, it seems there is another high-profile security breach in the news. These stories have only served to highlight the need to educate the public on the inadequacies of the security systems currently in general use. People have become comfortable using simple password combinations time and time again for different accounts. For far too long, these easy-to-remember passwords and lax security practices on connected devices have been what passes for mobile security. Given the increase in hacks and data theft, there is now a golden opportunity to move away from these insecure practices.
In order to take control of their digital assets, consumers must first understand that simply picking a pet’s name and adding a “1” to the end for a password or using a four-digit PIN based on their date of birth is not enough to secure the wealth of information they carry around in their pockets. A person’s digital identity is worth a significant amount to hackers and everyone needs to ensure that they take the maximum precautions available to counteract this security threat.
A recent consumer survey commissioned by Intercede in the U.K. and U.S. found that although people were concerned about the protection of their digital assets, many exhibited risky behavior including sharing passwords with friends, family members and even work colleagues. Many respondents said that they simply remembered their passwords, implying that they use quite basic combinations that are the same across many different accounts.
As people across the globe continue to integrate more and more of their lives online through their mobile devices, the traditional username and password are no longer adequate to protect the sensitive personal, financial and health data that people now access via smartphones and tablets. Indeed, the time has come for a shift forward on security on the governmental, industry and consumer level. With respect to consumers, better education is needed surrounding the enhanced security measures that, in many cases, are already being built into the latest mobile devices.
There is a clear demand for secure devices – in the survey 63% of American respondents were worried about the level of security on their mobile device and close to 52% considered the security features of a device among the most important aspects when purchasing a new handset. Despite the widespread security concerns, more than 20% of all respondents didn’t use any security to protect their digital identity, while 56% used only a pattern or passcode.
Very few used anything more sophisticated, despite recent high-profile security breaches highlighting the weaknesses of the username-password systems in common use.
The problem, quite simply, is that not enough people know what good security practice looks like. While 20 years ago a difficult-to-hack password was enough, this is no longer the case. Accurately verifying the identity of the person trying to gain access is the best protection against online crime toward personal assets such as banking and other financial services.
Alliances needed to drive mobile security
To address this gap in consumer knowledge and perception, a series of best-practice rules need to be decided and a structured program of education needs to be embarked on, but who will take the initiative?
There are so many stakeholders, all with different levels of expertise and priorities – from public sector organizations, governments and security forces, right through to those in the mobile and connected industries ecosystem. These diverse organizations need to work together to design the protocols and begin this long-overdue program of education.
At the highest levels of the U.S. government, identity is being seen as an increasingly important component of cybersecurity. The importance of better identity management was recently emphasized by Michael Daniel, special assistant to the president and the cybersecurity coordinator: “… hackers know that users frequently re-use the same password at multiple websites. This is just one of many reasons that the system of passwords as it exists today is hopelessly broken.”
Given the advances that have been made in identity management, these are no longer theoretical conversations, but practical and actionable ones that can have real-world implications, and can help improve everyone’s online security. Although the Federal government has taken the lead in emphasizing identity, there is also a need for the whole ecosystem to improve collaboration and set exacting standards for online security and identity management.
Everyone has a part to play in this. Those manufacturers that include sophisticated authentication tools on new devices need to increase awareness among customers that their security can be improved, in many cases, without the need of additional downloads or hardware. Where secure elements are available on devices, developers need to take full advantage of these facilities to create more secure applications, and government, regulatory bodies and law enforcement agencies need to ensure their education campaigns are simple and easy to understand.
Some markets and sectors have already introduced specific regulations and guidelines illustrating cybersecurity best practices. The U.S. government is leading the way in secure identity regulations with the FIPS 201 standard, which specifies the personal identity verification process for U.S. government employees and contractors. This established standard could easily be transposed into the greater security industry and provide the blueprint for other countries that are deciding the best methods of authentication for their employees and contractors.
The mobile device is the gateway to the Internet and, as such, has the potential to be a security asset or a security risk. Given the continued rise in mobile devices – as well as wearable technology and the “Internet of Things” gaining popularity – securing mobile devices is more important now than ever. By uniting industry, legislators and security bodies to create robust security procedures, we can ensure mobile devices protect – and don’t threaten – users data and identity.
