Homeowners are careful with the keys to their houses. If those keys fall into the hands of a determined thief, that thief can use the keys to surreptitiously enter the house in order to steal all of its contents. A network login routine (or any sign-in that requires a password) performs the same function to protect the contents of the network or system from cyberthieves. Data will have more value to a cyberthief than the physical contents of a house will have to a home invader. Accordingly, cyberthieves have grown more creative in their attempts to steal sign-ins, and sign-in protections have grown more complicated to thwart those cyberthieves.
Usernames, either with or without passwords, are the most basic form of sign-in. Just as it is easy to get a copy of a physical house key, usernames are easy to copy or to guess, and passwords are routinely guessed, phished, or reused from earlier breaches. More complex sign-in protocols are necessary to provide even a minimum level of network protection.
Multi-factor authentication (MFA) increases the protection over network sign-ins by adding a second step to the sign-in routine. A user first enters a username and password into a sign-in screen. If the username and password match, the system then sends a one-time code to the user’s mobile device or email account (or asks for a code from an authenticator app or a tap on a hardware security key). The user then enters that code into a second sign-in screen to gain access to the network. The physical equivalent of MFA for homeowners would be to use a first key to unlock a safe that is some distance from the house, and to remove from the safe the actual house key that is then used to unlock the door. MFA is considered a more secure sign-in protection because it requires a would-be cyberthief both to know the username and password and to have control of that user’s phone, email account, or security key. One caveat: codes delivered by SMS or email are the weakest form of second factor, because they can be intercepted or phished along with the password; authenticator apps and hardware keys resist those attacks far better.
Separately from MFA, the National Institute of Standards and Technology (NIST), in its Digital Identity Guidelines (SP 800-63B), recommends allowing long passphrases in place of short, complex passwords, dropping forced composition rules, and screening new passwords against lists of previously breached ones. Passphrases have the advantage of being easier to remember than complex passwords while still being long enough to resist guessing. Passphrases do not replace MFA; they are used on their own or, better, in combination with MFA sign-in protection.
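The two passages above (the two-step MFA sign-in and the NIST-style passphrase rules) are easier to reason about in working code. The following is an added example written for this page, not code from the original article or from NIST: it screens a new passphrase under SP 800-63B-style rules (length bounds, Unicode normalization, breached-list check, no composition rules), stores passwords with PBKDF2-HMAC-SHA256, and then runs the password-then-code flow with a one-time code that expires, is single use, and tolerates only a few wrong guesses. The breached-password list, the in-memory user store, and the `outbox` that stands in for SMS or email delivery are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
import unicodedata

# Constructed stand-in for a real breached-password corpus (the article
# names none); a production verifier screens against a full list.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}

MIN_LENGTH = 8      # NIST SP 800-63B: at least 8 characters for user-chosen secrets
MAX_LENGTH = 64     # NIST SP 800-63B: verifiers must accept at least 64
PBKDF2_ROUNDS = 600_000


def check_passphrase(candidate: str):
    """NIST SP 800-63B style acceptance: length bounds, NFKC normalization
    and a breached-password screen. Deliberately no composition rules
    ('one digit, one symbol'), which NIST tells verifiers not to impose."""
    normalized = unicodedata.normalize("NFKC", candidate)
    if len(normalized) < MIN_LENGTH:
        return False, "too short"
    if len(normalized) > MAX_LENGTH:
        return False, "too long"
    if normalized.lower() in BREACHED_PASSWORDS:
        return False, "found in breached-password list"
    return True, "ok"


def hash_password(password: str, salt: bytes = None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class LoginService:
    """Two-step sign-in as the article describes: password first, then a
    one-time code delivered out of band (SMS or email, simulated by outbox)."""

    CODE_TTL = 300       # seconds a code stays valid
    MAX_CODE_TRIES = 3   # a 6-digit code is only safe if guesses are capped

    def __init__(self):
        self.users = {}     # username -> (salt, digest)
        self.pending = {}   # username -> {"hash": bytes, "expires": float, "tries": int}
        self.outbox = []    # (username, code) pairs "sent" to the user's device

    def register(self, username: str, password: str):
        ok, reason = check_passphrase(password)
        if not ok:
            raise ValueError(reason)
        self.users[username] = hash_password(password)

    def step1_password(self, username: str, password: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        record = self.users.get(username)
        # Hash even for unknown users so timing does not reveal valid usernames.
        salt, stored = record if record else (b"\x00" * 16, b"\x00" * 32)
        _, digest = hash_password(password, salt)
        if record is None or not hmac.compare_digest(digest, stored):
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[username] = {
            "hash": hashlib.sha256(code.encode()).digest(),  # keep plaintext code out of storage
            "expires": now + self.CODE_TTL,
            "tries": self.MAX_CODE_TRIES,
        }
        self.outbox.append((username, code))   # stands in for SMS/email delivery
        return True

    def step2_code(self, username: str, code: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        entry = self.pending.get(username)
        if entry is None or now > entry["expires"]:
            self.pending.pop(username, None)
            return False
        if hmac.compare_digest(hashlib.sha256(code.encode()).digest(), entry["hash"]):
            del self.pending[username]        # single use
            return True
        entry["tries"] -= 1
        if entry["tries"] <= 0:
            del self.pending[username]        # burn the code; user must restart step 1
        return False
```

The attempt cap and expiry are what make a six-digit code workable: without them an attacker who already holds the password could simply try all one million codes. Note that the example models the delivery channel only as an outbox; it does not, and cannot, fix the weakness of SMS or email as a channel, which is why authenticator apps or hardware keys are preferred where available.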
Biometric sign-in protections have grown in popularity over the past decade. Fingerprint identification has been available on smartphones for a few years to verify that the person who is using the phone is, in fact, its owner. Apple recently made headlines in the field of biometric sign-in technology with its “Face ID” user authentication system, which matches a mathematical model of the user’s face, stored on the device, in place of a passcode to unlock an iPhone. In the physical world, this system is akin to a homeowner’s not being allowed to enter his or her own house until someone who is always in the house actually recognizes the homeowner.
These and other sign-in systems and technologies have gone to great lengths to increase the security of networks and systems that contain confidential or proprietary information. Technology solutions, however, can never eliminate human error and negligence. By at least one measure, human error accounts for up to 90 percent of all cybersecurity breaches. Individuals are careless with their passwords. They click on email links that install malware on their employers’ networks. They use free Wi-Fi hotspots to sign in to those networks without realizing that a cyberthief running a rogue or compromised hotspot can capture their sign-in information there.
Advanced technology for network sign-in protection is a necessary and proper response to the increasing data breach threat. Because those protections cannot prevent every possible data breach, cyber risk insurance is a necessary and proper component of a complete cyber protection strategy. Cyber risk insurance can cover a business’s direct losses and its liabilities to third parties when its sign-in protections fail to stop a network invader from breaching the business’s defenses. Homeowners carry loss and liability insurance for their houses regardless of the locks and security systems that they have installed. Cyber risk insurance accomplishes the same purpose for businesses that need to protect their networks.