Abigail Wilson: Welcome to the second series of our podcast, The New Realities of Cyber Security. I’m your host, Abigail Wilson. In each episode of this podcast we’ll be inviting along some of our colleagues who are experts in their fields to discuss what they do here and what they are focusing on at the moment in the ever-changing world of cyber security. Today’s conversation is centred around Authenticating People: essentially, how do we make sure people are who they say they are in the digital world? Our guests today are Daisy McCartney, who focuses on the people element of cyber security, and Derek Gordon from our Identity and Access Management team. Daisy, Derek, thanks for joining us today. Could you tell us a bit more about yourself and the kind of work you do with our clients in this particular area? Daisy, if I can start with you?
Daisy McCartney: Of course. Hi Abi, hi Derek. As you mentioned, Abi, I work with the people components of cyber security, so day to day I work with clients to try and develop secure behaviour in organisations and build a secure culture.
Derek Gordon: So, thanks for the introduction. In terms of my role, we help clients all around the digital identity lifecycle, and a key part of that is authentication and authorisation and the services that sit around that to secure their environment.
Abigail: Great. So when you say ‘authentication’ it would be great if you could both tell me what you think this means for you and your clients.
Derek: Sure, I’ll go first on that. So, for me, in the physical world we have to prove who we are and we have things that do that: passports and driving licences. In the digital world, it’s the same. We need to show I am who I say I am and I can prove that. We use authentication to do that, and ultimately passwords are the way that is most commonplace. We’ve been using them for 57 years, so it’s an easy way in which we can say this is who I say I am.
Daisy: I agree actually, Derek. Quite simply, it is: I am who I say I am. And it’s interesting there that you started to talk about passwords. As you say, passwords have been around quite a long time and for me that’s one of the key challenges in this area. There’s been a proliferation in the use of passwords over time. I mean, 57 years is quite a long time, and when we first started using passwords we had no idea quite how many we would use. I think on the way to work this morning I used 10 passwords, but I’m sure I have many more than that, and I read a piece of research just last week actually that said people can only really remember four to five passwords. So what we have is a situation of password overload. We’re expecting too much of people, asking them to remember too many passwords, and we simply can’t do it. So that leads to people making shortcuts. We develop coping mechanisms when our brains are overloaded, which means that we write passwords down, we reuse passwords, we might create simple passwords. They’re not as secure as they could be, and that represents a security challenge.
Abigail: Definitely. Would you say this is one of the key challenges you’ve observed from working with clients?
Derek: Yeah, I think it is, absolutely. I think it is because when we look at it, the password is weak, it is the weakest link, and if we look at security threats, ultimately what threat actors look at is the weakest link to then penetrate, get access, and then manoeuvre, lateral movement, and then elevate. So, actually, if we look at a lot of the big security incidents it all comes back to a weak password. So, from a security aspect it’s a big deal. I think that from a user convenience standpoint it’s a big deal as well. If we look at it, as you say Daisy, people do reuse passwords across systems because it is impossible to remember tens or hundreds of different passwords, and also the systems insist that they have to be extra complex: eight characters, ten characters. We’ve got this information overload. It’s a real challenge. But I think also operationally, if you look at the cost that organisations have to support that, whether it be internal users or consumers, there’s password reset: people forget passwords, they have to call up. That costs money. Or they implement technology to do password reset; all that costs money. So, I think it’s a major challenge, right?
Daisy: And I’m glad you described it as the password is the weak link, because I often hear people say that people are the weak link and I don’t believe that. I believe that it’s the password that’s the problem and that actually what we need to do is think about how we can better support people with that system. So ideally, how can we eliminate passwords? I guess, how can we make it easier for people? There’s many different things we can do. Single sign-on makes it easier.
Abigail: Definitely. We need authentication, but it sounds like passwords are prone to a lot of difficulties. So I’m just wondering, what can our clients or users do themselves to make this better? How can they be more secure?
Derek: Sure, so from a technology standpoint there’s many ways that clients have implemented to this point. Some of those involve technology such as single sign-on, as you mentioned Daisy, to try and make it simpler. We also have multi-factor authentication, so we’re not just relying on a single password. And also we have step-up authentication if people are doing sensitive operations. So there definitely are areas of improvement we see within the corporate world. I think less so from a consumer standpoint. Now, again, there are technology tools in the marketplace, but there’s a lot more we’ve been doing in the market in the last five years, and I think in the near future we’ll start to see massive change in the way technology supports this, much more around the passwordless movement, where we, I can go into it in much more detail, but ultimately leverage multiple devices, things that we wear to authenticate us, user behaviour, behavioural analytics, all sorts of things that actually will make a difference and make an improvement.
Abigail: Definitely. So those are some key technical controls you can implement to improve security for authentication. But it ultimately sounds like authenticating people doesn’t have an exclusively technical solution. Daisy, could you tell me more about the cultural side of this? What can our clients do to promote secure behaviours?
Daisy: Absolutely. A lot of the technology solutions that you talked about there, Derek, are getting more sophisticated from a human perspective, so those systems, tools and technology, the processes that we deploy: how can we make them easier for people? That’s a big thing from a human perspective because ultimately there’s a number of different things that influence our behaviour as human beings, and that’s the systems, the processes that we follow, the organisations we work in. You can’t change people’s behaviour simply by running an awareness campaign. Yes, it’s important to improve general awareness, to highlight to people the risks, to provide training, but human behaviour is complex, so you need to think about the different influencers of behaviour and how they could come together to help drive secure behaviour in an organisation.
Abigail: So, engaging with the users and understanding their behaviour to find a solution for them that fits for them.
Daisy: Absolutely, so not seeing people as a problem. You can’t just tell somebody to do something and they will do it. I’ve certainly got a small child, and as soon as I tell her to do something there’s no way she’s going to do it. And that fundamentally is humans. It’s not that straightforward. You can’t just tell people to do things and make them do it. You need to think about why, put yourselves in their shoes, help them to be more secure.
Derek: Absolutely. I think there is that convergence. We talk about security, we talk about convenience, and I do think those two bedfellows are coming together and actually making a difference. But coming back to your point, Daisy, as well, some of the technologies are supporting that around those behaviours, what’s normal and what’s abnormal, and being able to detect that.
Abigail: That’s a great point. One of the key worries with authentication is if an impostor is able to bypass it, and able to masquerade as someone else, and eventually steal their identity. How can we face this challenge? Is it a mix of both the human factors and the technical controls?
Derek: Yeah, I think I’ve mentioned some of the aspects around step-up authentication, which is a good way to do that.
Abigail: So what does that mean?
Derek: So, ultimately, if someone is performing a sensitive operation, the system will ask for a second factor, so it may be a PIN, or mother’s maiden name, or some additional factor. Now, obviously, if the impostor knows that information, it’s tricky to bypass it. But I guess Daisy, from a people standpoint, some of that could also apply in terms of how we challenge, potentially, things we see and people ask us from a technology standpoint?
Daisy: Yeah, absolutely. Particularly once we assume that someone has been authenticated: once we receive an email from someone, then automatically the response is, well, that’s legitimate, because that’s how the systems have been set up and that’s what I’m used to. But I think there is a general increasing awareness around this and I think people are more curious. They are spotting strange things in emails, so for example with somebody who might compromise business email, I think people are looking out for, oh, this is a strange time of day, or that’s not usually the kind of request I’d get from that person, the language is slightly different. But at the same time, as well as people being more aware and curious and speaking out about these things, that’s an important aspect here, people having the confidence to say something when it doesn’t feel right. But having the systems and processes to support that as well is really important.
Derek: So I guess it could almost be that human multi-factor step-up, where if you see something unusual you actually decide to call the person or have a conversation over Hangouts and try and maybe work out, ask them questions that only they would know. So, it is that additional step.
Abigail: Definitely, and making sure people can’t exploit the trust model to bypass established processes or get people to, for example, a financially motivated attacker may request payments, and it’s understanding those key indicators that something’s not right and taking steps accordingly. I’m just wondering, based on your recent work, what do you think the future of authentication holds? Will things get easier? Will they get better?
Derek: Yeah, it’s a great question. Again, from a technology standpoint, we are moving forward at some pace, and I think we will see that multi-factor, passwordless model that I mentioned, where essentially people, through their devices, maybe through their location, maybe through their swipe, fingerprint, maybe voice biometrics, all of that will come together to make authentication much, much easier. It just won’t rely on the weak password we’ve discussed.
Daisy: And then that reflects a trend I’m seeing in culture and awareness, which is that people have in general improved a lot and we’re moving towards a deeper understanding of human behaviour and how the different aspects come together to influence people’s behaviour. I think that’s a really positive thing, and I think as the technology becomes more sophisticated, actually how we think about people and the users is becoming more sophisticated, which is only a good thing.
Derek: Yeah, absolutely.
Abigail: That’s great. So, today we’ve covered both the human and technical sides and the challenges both perspectives face when approaching authentication. What’s the one thing you’d like our listeners to take away from this discussion?
Derek: So from a technology standpoint, I’d like listeners to think about this, possibly just review their current status. We help clients to do that and ultimately leverage technologies and capabilities that they have. So many clients don’t do that. They have already made an investment and yet they don’t leverage it. And then do have one eye on the future. Do look at open standards and technologies and capabilities such as FIDO2 that will move us away from that just single reliance, sole reliance, on passwords.
Daisy: And from me it’s about thinking of the user. Ultimately, work with your people, not against them. Don’t try and force them to do things. Try and think about how you can make it easier for people, and it will make a massive difference.
Abigail: That’s great, thanks. And thanks to you both for coming to talk to us today. It’s been a fantastic discussion.
Daisy: You’re very welcome.
Derek: Thank you. It’s been a pleasure.
Abigail: Thanks for listening today. Don’t forget to subscribe so you don’t miss out on our future episodes. Next episode we’ll be talking to our cyber research and development team.