How to increase your online security
By John Robinson
2PM Services’ Technical Business Analyst, John Robinson, explains the role of digital identity and access, and how they can be used to increase your cyber security.
The concept of identity has been around for thousands of years, in the form of jewellery, tattoos, and other decorative goods. These methods communicated not only identity but social status, ancestry, and memberships to groups.
While the concept has stayed the same, the methods we use today have changed drastically over the years, with the introduction of fingerprint-based ID, and 2 Step Authentication. It’s easy to prove who you are in a physical context, but it can often be a lot more challenging virtually!
The Thales Group states: “The last three decades have seen the steady transformation of the way we live and work from an analogue world to a digital one. More and more, the services we rely on are provided in a completely digital form, making the multiple digital identities we use to access them as important to protect as our physical ones.”
However, as our reliance on technology has increased, so too have the risks of online fraud, identity theft, and data breaches. But let’s not get too far ahead of ourselves…
Firstly, what is digital identity?
Digital identity is the digital representation of an individual in an ICT system; otherwise known as your ‘User ID’. It is a set of validated credentials for the digital world, like a person’s ID for the real world. It’s proof that ‘you are who you say you are’ when logging into an ICT system.
Your digital identity may have attributes such as demographic information, including sex, date of birth, name, and photo. A common form of digital identity is your email address and password used to access different services online. Your Digital Identity is also referred to as a ‘credential’.
So, what’s digital access then?
Digital access is an entitlement to a digital resource. This means it gives you ‘the right to do what you want to do’. Examples of digital access include your laptop or your user account on a website. These may have attributes such as start time / end date for access, geography, and IP address.
Although they are different, identity and access tend to go hand in hand. You can’t really have ‘access’ without ‘identity’ and ‘identity’ doesn’t make much sense without ‘access’.
How can I increase my ‘identity’ and ‘access’ security?
Authentication vs. authorisation:
- Authentication is the process of validating an identity – checking the user is who they say they are.
- Authorisation is the process of validating access – checking the user has the right to do what they need to do and / or enabling certain levels of access to certain users.
It’s common for the authentication and authorisation processes to be done at the same time, for example when logging on to a Windows system. Occasionally, you may need to be authorised after being authenticated, for example if you are wanting to access privileged functions.
The most common method of authentication and authorisation is the presentation of username and password. Improved complexity of passwords reduces the likelihood of them being compromised.
TIP FOR ORGANISATIONS: If your organisation’s ICT systems support a password policy, it should be enabled to enforce password complexity, lifespan, and history. For example, a password that is 18 characters in length and contains numbers, a combination of upper and lowercase letters, and symbols would take a hacker 7qd years to brute force.
TIP FOR ORGANISATIONS: When you create a new account with an organisation, you should always use a unique and complex password. You have very little control over how well organisations manage their security and given the complexity of today’s systems, breaches are almost inevitable. Using the same password with the same email address on multiple accounts means that a security breach on a single site exposes all your accounts… and please don’t use your childhood pet’s name or the street you grew up on!
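As an added illustration (not code from 2PM or the article), here is how the three policy controls named above, complexity, history and lifespan, can be enforced when a user sets a new password. The 18-character minimum follows the article’s example; the history depth of five and the 90-day lifespan are assumed values, and PBKDF2 is used so that stored history entries are slow to guess offline.

```python
import hashlib
import hmac
import os
import string
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Policy values: MIN_LENGTH follows the article; the other two are assumptions.
MIN_LENGTH = 18
HISTORY_DEPTH = 5      # reject reuse of the last five passwords
MAX_AGE_DAYS = 90      # assumed lifespan; the article does not state one


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256 so that a leaked history list resists offline guessing."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def complexity_failures(password: str) -> List[str]:
    """Return the complexity rules the candidate fails (empty list means compliant)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    failures.extend(f"missing {name}" for name, present in classes.items() if not present)
    return failures


def reused_from_history(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """History entries are (salt, digest); re-hash the candidate under each stored salt."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history[-HISTORY_DEPTH:])


def password_expired(set_on: date, today: date) -> bool:
    """Lifespan rule: force a change once the password is older than MAX_AGE_DAYS."""
    return today - set_on > timedelta(days=MAX_AGE_DAYS)


def validate_new_password(password: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Combine complexity and history checks; an empty list means the password is accepted."""
    failures = complexity_failures(password)
    if reused_from_history(password, history):
        failures.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return failures
```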
Multi-Factor Authentication:
Another way to improve security beyond passwords is by using Multi-Factor Authentication (MFA). MFA is a method where a user is granted access to a website or application only after they have provided two or more pieces of evidence, such as a password and a fingerprint, to an authentication mechanism. When exactly two are required it is often called Two-Factor Authentication (2FA).
There are three commonly accepted types of authentication factor:
- Something the user is (fingerprint or other biometric)
- Something the user knows (password or PIN)
- Something the user has (phone, token, RFID card)
TIP FOR ORGANISATIONS: If your organisation’s ICT systems support MFA, it should be enabled. One of the simpler methods for MFA / 2FA is One Time Password (OTP) authenticators, such as Microsoft Authenticator or Google Authenticator.
TIP FOR INDIVIDUALS: Implementing MFA wherever it’s available is the single most important step anyone can take to secure their digital assets. Microsoft security analysts have stated that 90% of breaches in their online systems are from accounts that did not have multi-factor authentication enabled! Popular social media platforms like Facebook, Instagram, and LinkedIn can be easy targets for hackers, but they all have multi-factor authentication abilities.
While we’re on the subject, remember when we told you not to use personal details for your password? Never interact with social media memes asking you to comment with personal details such as your childhood pet’s name or the name of the street you grew up on. These can often be clever phishing techniques used to answer your security questions on certain websites!
Password Vaults:
Ok, so you’ve enabled multi-factor authentication and created unique / complex passwords, but how do you keep track of them? Short of writing them all down in a little notebook (we don’t recommend this. If you’re anything like us, you tend to lose things easily!), a password vault is a great solution. A ‘password vault’ or ‘password manager’ is a software program that keeps passwords in a secure digital location. By encrypting the password storage, it offers the ability to use a single password for accessing multiple passwords used for different websites or services.
TIP FOR ORGANISATIONS: Using a password manager allows you to centrally manage shared passwords and quickly update all current staff when someone leaves the organisation and the password needs changing.
TIP FOR INDIVIDUALS: Using a password manager makes it easy to use complex passwords – you don’t have to memorise them. The best ones have browser extensions that can automatically populate the username / password details when you log in to most of your online accounts.
Why is this important?
Trust is everything. Verified digital identities are required to ensure people and devices can trust other individuals, businesses, and devices, and vice-versa.
While most organisations have benefitted from advances in modern technologies, the risk of cyber-attack has also increased considerably. Attackers are continually looking for weak points in an organisation’s online presence. One tactic commonly used is the impersonation of identity. If there’s no method established to verify that a person or device is who they claim to be, how can businesses expect to distinguish between an attacker and a legitimate user? Therefore, digital identity is essential to ensure security and strengthen trust!
TIP FOR ORGANISATIONS: Manage user privileges and only authorise for the lowest level of privilege required for users to complete required tasks. Ensuring users in your ICT environments are only granted access to the ICT resources they need helps minimise unintended risks. When this access is no longer required or if the user leaves the organisation, ensure these privileges are revoked.
Here at 2PM, we are utilising many of the digital identity verification strategies to ensure increased security. Remote working practices may be with us for some time, so it’s important to assess your organisation’s digital security and mitigate any risks.
What does your organisation do to help keep its online information secure? Or maybe you just enjoyed this article? We’d love to hear from you! Click here to reach out!