Last night, we were excited to participate in a panel on online security hosted by SF New Tech. Along with Impermium CEO Mark Risher, the panel included Joe Sullivan (Chief Security Officer, Facebook), Michael Coates (Director of Security Assurance, Mozilla), Deron McElroy (Department of Homeland Security) and was moderated by Dan Goodin of Ars Technica.
The discussion focused on the security needs of startups in an increasingly dangerous online world. Many startups assume that they are not at risk, believing that their small size and relative lack of conspicuous popularity makes them less vulnerable to attack. Panel members all agreed that this is simply not true, citing the recently released 2013 Verizon Data Breach Investigations Report, an analysis of the online security landscape based on over 47,000 incidents reported in the past year. According to the report:
Smaller organizations tend towards complacency, believing that attacks only target government, military and high profile organizations. This leaves them vulnerable to easily preventable attacks.
Attacks targeting end-users are major vulnerabilities. Phishing, malware and misuse of credentials have become increasingly sophisticated. Phishing schemes in particular have evolved to target specific users such as customer support staff.
A breach may not be detected for months after the attack. In 84% of cases analyzed, the actual attack took less than an hour, yet in 66% of cases the breach wasn't detected for several months, and in 22% of cases it took months to contain the breach.
These findings have major implications for internet security needs. Joe Sullivan of Facebook shared that engineers often come to him with requests to use technologies like Evernote and Dropbox on the Facebook network. His team must evaluate whether those services or apps pose a risk to the security of corporate data. If a potential vulnerability does emerge, he may work with those companies to find a way to collaborate that keeps data secure. This collaboration is essential to maintaining a secure environment.
The idea of smaller companies working together or in collaboration with larger, more established companies emerged as a theme. All panel members agreed that startups should not use their limited resources to develop their own identity management and access systems. Instead, while all companies need someone paying attention to account security, they should participate in federated efforts that leverage combined resources to increase security across the web.
Another theme that emerged, and one that we often discuss here at Impermium, is the need to balance security concerns with usability. Mozilla's Michael Coates shared that an extremely secure product that no one wants to use due to the number of (very secure) barriers to entry is, in fact, not a good product. The gold standard, and what we're working towards at Impermium, is a strong security solution for businesses that has minimal impact on the user experience.
Mark spoke specifically about our work at Impermium. It has become widely accepted that a username and password are no longer sufficient security measures. Hackers have become so adept that relying on passwords alone is not unlike leaving your spare keys under the welcome mat to be found by robbers. As we've blogged about here before, multi-factor authentication is, likewise, not a perfect solution.
Authentication shouldn't be based on a binary system of "open" or "closed." Rather, it should exist on a continuum, designed with progressive entitlements based on a risk factor determined by automated systems. A log-in with low risk would be allowed unrestricted access; a higher-risk log-in could be given lower permissions or be prompted to enter a second password before gaining access, and so on. With a system like this, you can kick the bad guys off instantly rather than only banning them from future access, a measure not unlike closing the barn door after the horse has escaped.
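To make the continuum concrete, here is an added example (not Impermium's product code) of a risk-based login decision: constructed signals are combined into a score, the score maps to a progressive entitlement tier, and a high-risk result revokes the account's active sessions immediately. The signal weights, thresholds and session store are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Entitlement(Enum):
    FULL = "full"        # low risk: unrestricted session
    LIMITED = "limited"  # medium risk: no sensitive actions (e.g. no payout, no email change)
    STEP_UP = "step_up"  # elevated risk: must pass a second factor before proceeding
    DENY = "deny"        # high risk: refuse login and revoke existing sessions


@dataclass
class LoginSignals:
    new_device: bool               # device fingerprint never seen for this account
    ip_reputation_bad: bool        # source IP on a constructed abuse list
    failed_attempts_last_hour: int  # recent password failures for this account
    geo_velocity_kmh: float        # implied travel speed since the previous login
    sensitive_account: bool        # admin / support staff, per the phishing point above


def risk_score(s: LoginSignals) -> int:
    """Additive score in [0, 100]; weights are assumptions, not a published model."""
    score = 0
    score += 20 if s.new_device else 0
    score += 40 if s.ip_reputation_bad else 0
    score += 8 * min(s.failed_attempts_last_hour, 5)   # cap so brute force saturates, not overflows
    score += 30 if s.geo_velocity_kmh > 1000 else 0    # faster than a commercial flight
    score += 10 if s.sensitive_account else 0          # higher stakes, lower tolerance
    return min(score, 100)


def entitlement_for(score: int) -> Entitlement:
    """Progressive tiers instead of a single open/closed gate."""
    if score < 25:
        return Entitlement.FULL
    if score < 50:
        return Entitlement.LIMITED
    if score < 75:
        return Entitlement.STEP_UP
    return Entitlement.DENY


def evaluate_login(account: str, signals: LoginSignals, sessions: dict) -> tuple:
    """Decide the tier and, on DENY, kick active sessions off now (no waiting for a ban).

    `sessions` maps account -> set of live session ids (constructed in-memory store)."""
    tier = entitlement_for(risk_score(signals))
    revoked = sorted(sessions.pop(account, set())) if tier is Entitlement.DENY else []
    return tier, revoked
```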
Joe Sullivan helped wrap things up by observing that if you follow security stories in the media, you could come away with the belief that internet security efforts are futile. Why try if the bad guys are so determined? The entire panel took the opposite view. Daily reports of cyber-attacks and security breaches emphasize the critical need for coordinated security efforts, with the startup and online business community working together to keep data and users safe.
Thank you to SF New Tech for hosting a great panel and we look forward to being a part of future discussions!