Identity and access management are critical for most, if not all organizations – whether its employee access to enterprise networks, or customers who need access to your products and services. Authentication – and the credentials that make it possible – is at the heart of many data loss incidents. The need to prove our identity, and somehow store that information, is the catalyst that makes cybercrime both a relatively easy and attractive endeavor.
The ability to safeguard this information 100% of the time is nearly impossible. I’ve often been told that I’m not the best person to watch a movie with. The reason? Because something about my inner-nature compels me to point out all of the inconsistencies I observe. It’s with this premise that I want to discuss two commonly accepted – and marketed – beliefs of the infosec industry.
This leads me to the first of our popular security axioms: if your assets have not been compromised (to your knowledge), then assume that they are or soon will be. It’s a concept that’s often espoused by vendors, analysts, and consultants alike. Nevertheless, it’s sound advice, and I have no problem with it as a stand-alone assumption.
Now consider another security proverb: data breaches can cause irreparable harm to an organization’s bottom line and reputation. The key word here is ‘can’. At best, I’m skeptical this is actually true. I say this as I contemplate our recent coverage of the perceived security issues of token-based authentication, all the while being stared in the face by an RSA SecurID device that was subjected to one of our industry’s most notorious breaches.
Balance the reputational damage assumption against the perceived inevitability of compromise, and what we find is a logical inconsistency. If brands can be irreparably damaged (again, I repeat the word ‘can’), then why is it that e-commerce itself has not come to an abrupt halt? After all, if every organization with data to protect was, is, or will be compromised, then don’t we all have a bad reputation? Of course, the answer is no. Reputation itself goes much deeper than losing someone’s password or user name. Unless your customer in question deals in highly sensitive data, most people understand another constant of our world: ‘stuff’ happens.
I don’t mean to sound callous, as if security compromises are acceptable. Indeed, they are unwelcomed events that need to be defended against. But if they can and will happen, then it’s how we deal with them – especially when it comes to customers – that makes all the difference.
Simply put, most of your customers understand the sometimes ‘Wild West’ nature of today’s internet, and e-commerce in general. There is, and may never be, an impervious method to demonstrate your identity online.
Access management for your customers is a two-way street, in that they must remain vigilant and protect their assets much the same way an enterprise must take steps to protect its own. What we can do, as an industry, is provide our customers the tools that enable a more secure online ecosystem. Small efforts, like providing a password creation tool on your site that requires stronger passwords is an excellent example, but there are more.
If your organization should suffer a breach, don’t tell your customers that you have no evidence that the information has been misused. You would never take this same approach with your own business, so why do customers deserve any less? Tell them to assume their information has been misused, or possibly could be, then advise them on the steps they should take (and how you will work with them) to remedy any potential situation. Covering this industry, I see examples of both strategies on a weekly, if not almost daily basis. I seldom think twice about the breach notifications that claim no evidence of misuse, but the increased frequency with which I have encountered organizations advising their clients to assume the worst has come as a refreshing change. Bravo to those who do give this advice – at least they have the courage to speak the truth, and be honest with their customers.
It may be the case that you let your customers down, but remember that you’re not alone. Your customers know this, so what you really need is to help pick them back up, keeping in mind that it was your organization’s responsibility to safeguard the data. A little honesty, and some good will, can go a long way in achieving the goal of saving your brand’s reputation when things go wrong, perhaps engendering a bit of customer loyalty in the wake of what would have been, otherwise, a most unfortunate turn of events. So go ahead, request that I change my password or send me a new card to replace my old account number, but explain to me how I can prevent this from happening in the future, how to monitor for misuse, and arm me with the tools to do so.