Can biometrics protect SMEs from data breaches?

Are fingerprint scanners and facial recognition the security solutions we need for the modern workplace?
28 May 2019


In recent years, high-profile attacks and data breaches have regularly made the news, boosting SME (small to medium-sized enterprise) awareness around the persistent threats to digital security.

As a result, more secure measures of authentication are being considered. Thanks to systems like Touch ID and Face ID, biometric scanning has become commonplace for many smartphone users. The IBM Future of Identity Study 2018 revealed that while many people are prioritizing security over convenience when logging in, millennials are keen to leave passwords behind.

Seventy-five percent of this age group are comfortable using biometrics today and take less care with passwords than older generations. With millennials fast becoming the workforce majority, it is important that businesses prepare to update their security setup sooner rather than later.

But for all their popularity, how secure are biometrics? Are they really a modern solution to passwords, which are a traditional security blind spot, or are they a new form of threat that needs to be managed?


One of the largest causes of data breaches is human error. An excellent example of this is passwords. With the need for numerous unique, complex passwords for every type of account, it is understandable that many people overlook security risks in favor of convenience by re-using or simplifying their passwords. However, as 81 percent of hacking-related breaches are thought to use stolen or weak passwords, another solution has to be found that improves the balance between security and convenience.

The combination of an appetite for change and the reduction of risks from weak passwords resulted in virtualization company Citrix making the bold prediction that 2018 would see the death of the password. While the actual death of the password will not be sudden, it is possible it has already begun. Currently, biometrics is being heralded as the next big step in security solutions, as the ability to sign in with a fingerprint or retinal scan would significantly reduce the threats caused by weak passwords, which could otherwise be written on post-it notes or shared with other people.

Thanks to implementation in smartphones, the idea of biometric security has become commonplace, meaning that staff are more likely to be comfortable using this type of identity verification should it be adopted in the workplace. Veridium’s Biometric Consumer Sentiment Survey revealed how popular the implementation of biometrics is with users. Seventy percent of respondents said they would like to see it used in their workplace, and its speed and security were both identified as some of the main positives of using the system.


As one form of security evolves, so do attempts to circumvent it. While biometrics are highly personal, the data will still need to be stored so that it can be verified. It is therefore likely that hackers could change strategy in order to target these data stores, collect people’s data and impersonate users.

A major attack has already taken place: in 2015, more than five million employees of the US government had their fingerprints stolen. While there is currently little use for this data, biometrics cannot be changed, meaning that this data could be used to spoof or replicate user accounts in the future. Unlike passwords, which can be changed, regaining control of accounts locked with biometrics may require in-person verification, giving hackers even more time to access companies’ data before they are shut out.

Biometrics are currently a popular solution for personal devices, but successful adoption into business environments could be challenging. For staff to trust employers with such valuable and personal data, it is imperative that companies are transparent about how biometric data is stored and used. Failure to do either could see employees reluctant to adopt biometrics beyond personal devices.

Another large concern about the adoption of biometrics for SMBs is the cost associated with implementation. There is currently a wide range of biometric options (fingerprint, face, iris, finger vein and voice, among others), each with its own benefits and limitations. Rather than leaping in and risking a large investment on a technology that quickly becomes outdated, SMBs will likely wait to see which measures are adopted by others. A lack of uniformity could make industry-wide implementation a challenge as businesses delay, waiting for others to make the first move.


While biometrics have a place in the future of business security and have many benefits, they are still a new technology in terms of uptake, and whether employers can lock down security to prevent them from becoming an additional security risk remains to be seen. A survey on adoption of the technology showed mixed results. While 90 percent of businesses were expected to have adopted some form of biometric authentication by 2020, just 10 percent of those surveyed believed biometrics were secure enough to be the only form of identification.

As with any innovation in business security, there is never likely to be a universal solution. The most secure strategy will always be holistic, combining new innovations with improved best practices, regular staff training and traditional endpoint security tools. But as the cost of technology continues to fall, biometric adoption is likely to become a de facto element of two-factor authentication and a common sight in the secure workplaces of the near future.

This article was contributed by Terry Hearn, a professional cybersecurity researcher and copywriter, who works alongside a number of international endpoint security brands.