We have all heard the saying that “security is everyone's job,” but should it be?
Security is critical to any business, especially for organizations that store personally identifiable information (PII). That is why making every individual in an organization responsible for security is unrealistic and risky.
NIST, the National Institute of Standards and Technology, an organization often looked to for best practices and guidance, has a guidebook on this exact topic. It provides detailed information about the cybersecurity responsibilities of each department and its staff. The most basic best practices we should all abide by are simple: enable multi-factor authentication, use complex passwords, and never click on questionable or unfamiliar links.
But security as a whole is not always that straightforward.
For example, the NIST guidebook suggests that for Sales, Marketing, and Communications, best practices would include processes such as: “using encryption, using strong and unique passphrases, being aware of cyber risks,” and even planning for “inevitable cyber incidents.”
In addition, they need to know to look out for phishing emails, social engineering attacks, prompt bombing, and deepfake impersonation attacks using AI-generated voices and videos; the list goes on! This is difficult for even some of the most advanced InfoSec teams, yet now we need organization-wide training that covers both best practices and more nuanced security measures for non-technical stakeholders. This feels like getting a cat, then spending all your effort trying to teach it to do dog tricks like “sit” and “roll over.”
While more training sounds like it could solve security issues, the reality is that making security the responsibility of every person within the organization creates significant vulnerability and unwarranted risk. Security continues to be seen as everyone's responsibility because it has never been any other way, which is not a good enough reason to continue along this path.
Researchers at Stanford University found that 88% of security breaches had an element of human error. The same research determined that 25% of breaches resulted from social engineering or phishing emails. Expecting employees who may not be proficient with technology to play a role in multi-step security processes sets the organization up for failure.
People make mistakes, and people who are not experts have a tendency to make more. If the paradigm by which security exists currently were applied to any other business, process, or department, it would seem ridiculous. Imagine if a legal department needed everyone to write their own vendor contracts without legal oversight and was trying to hold annual seminars to train everyone from facility services to the head of sales on the nuances of this because one mistake by one person would bankrupt the company. That’s a guaranteed disaster waiting to happen, and that firm would be used as a textbook example of what not to do. They would be a laughing stock. But, for some reason, that’s what's being tolerated in IT security!
While fostering a culture of security-conscious employees undoubtedly has its benefits, organizations and security teams should proactively adopt solutions that help mitigate security risks, especially organizations like BPOs that are responsible for storing significant amounts of PII. When it comes to multi-factor authentication, that means being an early adopter of solutions like continuous biometric authentication, also called Continuous MFA.
So, what exactly is continuous authentication? Well, imagine being able to extend your current MFA policy to authenticate agents every minute of the day. That would be 400+ MFA checks throughout the average workday. Now imagine all of that being completely invisible to the user or agent.
Continuous authentication uses machine learning and passive biometrics (intrinsic behaviors like typing cadence and mouse movement) to create a trust score unique to each user, which is then used to automate multi-factor authentication challenges on the user's behalf. This allows security teams to authenticate users' identities every minute without adding security friction.
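To make the trust-score idea concrete, here is an added example (not code from the original post or from any vendor's product): a per-user baseline of keystroke flight times and mouse speed is enrolled, a live window is scored against it, and the score drives a silent pass or a step-up MFA challenge. The features, weights, threshold and sample timings are all constructed assumptions for illustration.

```python
"""Simplified continuous-authentication trust score (illustrative, not a vendor model)."""
from statistics import mean, pstdev
from typing import Sequence, Tuple

Baseline = Tuple[float, float]  # (mean, standard deviation) of one behavioural feature

def enroll(samples: Sequence[float]) -> Baseline:
    """Build a baseline from enrollment samples; floor the std-dev so flat data
    cannot cause a division by zero later."""
    return mean(samples), max(pstdev(samples), 1e-6)

def feature_score(window: Sequence[float], base: Baseline) -> float:
    """1.0 when the live window matches the baseline, falling linearly to 0.0 at
    three baseline standard deviations of drift. An empty window is 'no evidence'
    and earns no trust, so a silent session cannot coast on an old score."""
    if not window:
        return 0.0
    mu, sd = base
    z = abs(mean(window) - mu) / sd
    return max(0.0, 1.0 - z / 3.0)

# Constructed enrollment data: ms between keystrokes, and mouse speed in px/s.
KEY_BASELINE = enroll([110, 120, 115, 130, 125, 118, 122, 128])
MOUSE_BASELINE = enroll([400, 450, 420, 480, 440, 410, 460, 430])
KEY_WEIGHT, MOUSE_WEIGHT = 0.6, 0.4   # assumed weights
STEP_UP_THRESHOLD = 0.5               # assumed policy threshold

def trust_score(key_window: Sequence[float], mouse_window: Sequence[float]) -> float:
    """Weighted combination of the per-feature scores for the current window."""
    return (KEY_WEIGHT * feature_score(key_window, KEY_BASELINE)
            + MOUSE_WEIGHT * feature_score(mouse_window, MOUSE_BASELINE))

def decide(key_window: Sequence[float], mouse_window: Sequence[float]) -> str:
    """'pass' keeps the session silent; 'step-up' triggers an explicit MFA challenge."""
    return "pass" if trust_score(key_window, mouse_window) >= STEP_UP_THRESHOLD else "step-up"

if __name__ == "__main__":
    # Constructed live windows: the enrolled user, then someone else at the keyboard.
    print(decide([118, 124, 120, 126], [430, 445, 438, 441]))   # pass
    print(decide([210, 240, 220, 230], [900, 950, 920, 880]))   # step-up
```

A real deployment would score many more features over sliding windows and feed the decision into the existing MFA policy rather than replace it.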
Beyond user error, social engineering and phishing attacks are increasingly common. 2022 was dubbed “The Year of the MFA Bypass” by Dawud Gordon, Ph.D., and the strategy of exploiting MFA fatigue shows no sign of slowing down. The organization is compromised if a user can be tricked into either reading their one-time password over the phone or accepting a push notification. Continuous biometric authentication is unphishable and eliminates the “what-ifs” of user error.