As we speak to companies worldwide, many express their frustration with the cost and complexity of physical tokens. Our staple response is: "Oh yes, these solutions are hard to integrate and operate, but they provide the extra level of security required in an enterprise environment." However, today’s RSA SecureID breach goes against our typical advice and demonstrates that even the most hardened solution is vulnerable to insider threats – as it appears that the information leaked by (or social-engineered out of?) an RSA insider caused the security hole.
This situation draws attention to two basic themes that we are consistently hearing about:
Monitor your employees' activities and behavior patterns; and
Use lighter-weight authentication such as adaptive and risk-based authentication.
Both topics are areas we plan to discuss in greater depth this year. Please stay tuned for more reports from us on these topics!