How to protect against compromised credentials — without affecting employee productivity

François Amigorena explains why compromised credentials are a major cyber-threat to organisations and how cumbersome security wastes time, whereas contextual awareness allows greater security automatically.

François Amigorena, CEO, IS Decisions

Compromised credentials are one of the biggest cyber-threats to organisations today. The reason why is simple. Once an attacker gains entry to your systems using legitimate login details, you're almost certainly not going to be able to spot any suspicious activity before it's too late. It's a bit like protecting your house by looking out for signs of forced entry, only to miss the burglar who steals your keys and walks right through the front door.

Because of the surreptitious nature of using compromised credentials, attackers find them to be a very powerful tool — so much so that 75 percent of total breaches are now down to compromised credentials, according to Verizon in its annual Data Breach Investigations Report.

In research of 250 UK organisations by IS Decisions, it was thankfully found that awareness of the compromised credentials threat is growing. Now, 68 percent of organisations are saying that having a way to detect compromised credentials is crucial, but when we delved a little deeper, it was found very few are going about it the right way.

Just 33 percent of organisations look out for ‘impossible journeys’, in other words logins using the same credentials simultaneously but in two locations miles apart. Only 39 percent actively detect logins at strange hours of the day. And less than half (43 percent) can spot logins from implausible locations. Most worrying of all, 19 percent of organisations are doing nothing!

Instead, most organisations have lumbered themselves with complex IT security procedures that are severely hampering employee and IT admin productivity. These are the kinds of security procedures that force employees to log in to every single machine they use, multiple times per day, which inevitably eats up valuable time. The very same research by IS Decisions found that each employee loses 15.27 minutes every week due to complex IT security, which translates to a huge cost of lost productivity as the business grows. For example, a company with 30 employees wastes 15.3 days per year and one with 250 employees wastes 127 days. It won't take you long to work out how much your company loses if each employee wastes more than 15 minutes per week.

The good news is that many organisations are aware of the effect that complex IT is having — with 43 percent saying that the security measures in place at their organisation are negatively impacting employee productivity. 

There is, of course, an argument to suggest that, given the high-profile and widespread attacks we've seen on large and small companies over the past couple of years, this 15.27 wasted minutes per employee is a necessary time investment to ensure that your company remains safe from cyber-attacks. After all, nobody's safe — two in three UK businesses were hit by a cyber-attack in the past year.

But if an alternative was available that gave you the same level of security without the wasted time element, you'd surely take it? This is exactly where context-aware security comes in. Since the purpose of authentication is to ensure that the person logging in is whoever they say they are, you can implement automatic allow/deny technology that uses context to determine authenticity.

For example, if your security system detects that someone from Timbuktu is trying to log in to your systems at 3:00am, it's not rocket science to realise that that person is probably not a member of your organisation — despite their having access to legitimate login credentials.

Login restrictions don't have to be just by geography. How about by time? Device? Since you're already aware of what kind of login activity is ‘normal’, all you need is to be able to get technology to spot the same, so it can detect what's abnormal and automatically deny access (or give administrators the ability to deny access with a single click).
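As an illustration of the contextual checks described above (time of day, device and ‘impossible journeys’), here is a small added example; it is not code from IS Decisions or from any product. The event fields, the 07:00 to 19:59 working window, the 900 km/h speed ceiling, the 50 km location tolerance and the sample logins are all assumptions constructed for the example, and timestamps are assumed to be in the organisation's local time.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900               # assumed ceiling: roughly airliner cruising speed
WORK_HOURS = range(7, 20)   # assumed normal login hours, 07:00-19:59 local time

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def evaluate(events, known_devices):
    """Return [(event, reasons)] in time order; an empty reasons list means allow."""
    last_seen = {}   # user -> most recent login that passed every check
    results = []
    for ev in sorted(events, key=lambda e: e["time"]):
        reasons = []
        if ev["time"].hour not in WORK_HOURS:
            reasons.append("off-hours")
        if ev["device"] not in known_devices.get(ev["user"], set()):
            reasons.append("unknown-device")
        prev = last_seen.get(ev["user"])
        if prev:
            hours = (ev["time"] - prev["time"]).total_seconds() / 3600
            dist = km_between(prev["geo"], ev["geo"])
            # Ignore small shifts (assumed 50 km of geo-IP noise); simultaneous logins give hours == 0.
            if dist > 50 and dist > MAX_KMH * hours:
                reasons.append("impossible-journey")
        if not reasons:
            last_seen[ev["user"]] = ev   # only clean logins move the baseline
        results.append((ev, reasons))
    return results

# Constructed sample data, not real logs.
KNOWN_DEVICES = {"alice": {"LT-ALICE"}, "bob": {"LT-BOB"}}
LONDON, TIMBUKTU, SYDNEY = (51.5074, -0.1278), (16.7666, -3.0026), (-33.8688, 151.2093)
SAMPLE_EVENTS = [
    {"user": "alice", "time": datetime(2024, 3, 4, 17, 30), "geo": LONDON, "device": "LT-ALICE"},
    {"user": "alice", "time": datetime(2024, 3, 5, 3, 0), "geo": TIMBUKTU, "device": "PC-UNKNOWN"},
    {"user": "bob", "time": datetime(2024, 3, 5, 9, 0), "geo": LONDON, "device": "LT-BOB"},
    {"user": "bob", "time": datetime(2024, 3, 5, 10, 0), "geo": SYDNEY, "device": "LT-BOB"},
]

if __name__ == "__main__":
    for ev, reasons in evaluate(SAMPLE_EVENTS, KNOWN_DEVICES):
        print(ev["user"], ev["time"], "DENY " + ",".join(reasons) if reasons else "ALLOW")
```

Note that the 03:00 login from Timbuktu is caught by the time and device checks rather than by travel speed, since nine and a half hours is enough to make that journey; the checks complement each other.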

Crucially, this kind of security does not impede employees going about their business, and so does not harm productivity levels. Everybody could do with that extra 15 minutes.

Contributed by François Amigorena, CEO, IS Decisions