When it comes to IT security, businesses face two major threats: external and internal. While controlling both is critical, internal threats may be the more aggravating. A company may go to great expense and effort to build a cutting-edge cyber-fortress and train employees on good cyber practices, only to have a careless employee “leave the backdoor open.”
In August, CloudLock, a Massachusetts-based security firm, released a study that found that just 1% of employees are responsible for 75% of cloud-related enterprise security risk. Such users often engage in behaviors such as sending out plain-text passwords, sharing files, accidentally downloading malware, clicking on phishing links, using risky applications and reusing passwords.
The traditional password system may be the weakest link. Today’s cybercriminals have numerous ways to discover login and password information fairly easily, and the typical employee tends to reuse passwords or make them too easy to guess (e.g., “password” or “12345”).
In response, there is growing interest in developing algorithms that can identify people by analyzing their behaviors. In other words, rather than allowing employee behavior to make a business vulnerable, companies are beginning to look at using employee behaviors to actually improve security, using what’s known as “behavioral biometrics.”
Behavior difficult to copy
Behavioral biometrics identifies unique patterns in the way people perform activities. It’s been fodder for sci-fi movies for years, but it may now be getting closer to reality. Using behavioral biometrics, a company employs sensors and other technology to collect behavioral pattern information from workers. Used in combination, those usage patterns can serve as an “online fingerprint.” Security experts say when several behavioral metrics are combined, they are very difficult to copy.
The Defense Advanced Research Projects Agency (DARPA) has been investigating behavioral biometrics for a while now. Its research found that cybercriminals trying to hijack employee accounts could be caught within 18 seconds using behavioral biometrics.
On the civilian side, Google is working on Project Abacus, which looks at behavioral patterns combined with biometric authentication tools such as voice and face detection. Several startups are also working in this space, creating their own algorithms for authenticating customers. The technology can be challenging, however, because it requires crunching data on a number of different behavioral variables very quickly.
Meanwhile, some established companies like Wells Fargo are already beginning to use behavioral biometrics.
“We’ve been thinking of behavioral characteristics as a way to augment something as basic as user ID and password for many years,” said Steve Ellis, head of Wells Fargo’s innovation group, in a recent WSJ article.
According to the article, Wells Fargo has installed technology that can “compare a user’s normal pattern of behavior to what’s currently happening on a real-time basis.” If the behavior doesn’t match, Wells Fargo quarantines the transaction and takes other steps to verify the customer.
Given the proliferation of data breaches today, it’s clear we must move beyond rudimentary password-based systems. Not everyone will be thrilled that companies may soon seek to track their behaviors, and some may view the collection of such information as a privacy threat, but behavioral biometrics may be the best bet we currently have for improving cyber security.