Chief information security officers (CISOs) and other cybersecurity leaders have long struggled to protect business systems from internal and external threats. They still have to contend with cybercriminals seeking to compromise organizations through ransomware, data theft, and fraud.
Often, they focus largely on locking down and protecting employee accounts. Many of these accounts carry elevated privileges to corporate assets or to the development and production environments behind customer-facing systems. The problem is that attackers can take over these accounts with stolen or cracked credentials, and with the right privileges they can quickly achieve their goals. But employee accounts are not the only target. Customer accounts are just as vulnerable, because credential theft is so easy.
Increasingly, CISOs face a different set of challenges when it comes to protecting customer accounts. These are the accounts customers use to access a company’s digital apps and websites. Through them, customers transact with the business (and sometimes with each other), shop, learn, and get help. Sometimes the online experience is the product. For many companies, digital is not merely a differentiator; it is the entire business.
Consumers increasingly demand security from their online services. According to Experian’s 2021 Global Identity and Fraud Report, 55% of consumers say security is the most important aspect of their online experience. In other words, the CISO is responsible for one of the most important elements of a good customer experience, while having little or no control over the devices, apps, channels, and browsers customers use.
CISOs are increasingly expected to address consumer concerns as their companies digitize the customer experience. A major focus will be on securing customer accounts, which are constantly targeted by thieves for account takeover and fraud.
In many ways, protecting customer accounts is more difficult than protecting employee accounts. Key differences that CISOs need to overcome include:
- Security awareness training: CISOs can require security awareness training for employees and contractors, covering common threats and security best practices. They cannot train an organization’s customers.
- Enforcement authority: CISOs can enforce security policies and best practices internally. Security policies imposed on customers that degrade the experience can lead to lost sales and lost customers.
- Authentication options: Internally, CISOs have a range of strong authentication options, including smart cards and hardware tokens. Customer authentication options are limited to the technology customers already have.
- Device security: Employees can be required to use sanctioned devices with enterprise anti-malware installed. CISOs cannot dictate which devices or software customers use, and attempts to do so may drive customers away.
Security responsibilities for CISOs are expanding, and securing customers can be much harder than securing employees. At the same time, threats to customer accounts are growing dramatically: account takeover attacks rose 307% between April 2019 and June 2021.
Customers and their accounts must be protected by methods that are both easy to use and secure. So far, this has been difficult to achieve. Most of the time, better security means adding more friction, not less. However, as customer identity and access management (CIAM) continues to evolve, more user-friendly solutions are being introduced.
One such solution is passwordless customer authentication built on Fast Identity Online (FIDO) standards. FIDO-based passwordless authentication is already widely used for employee authentication.
It is equally well suited to customer and consumer use cases. Done well, FIDO-based passwordless authentication resists phishing, smishing, and man-in-the-middle credential theft: the authenticator signs a server-issued challenge together with the web origin the browser recorded, so a lookalike site cannot obtain a response that the genuine site will accept, and there is no password or code for a user to be tricked into typing.
Passwordless authentication is also easier to use than cumbersome passwords and OTPs. With FIDO, logging in is as simple as looking at your phone or touching a fingerprint sensor.
The bottom line: authentication expectations are changing, and customers want to log in without a username or password. That means zero passwords anywhere, and no knowledge-based credential appearing at any point in the process.
But it shouldn’t stop there. A complete passwordless solution should offer a full range of login options that work for everyone, including those who are unable or not yet ready to use biometrics.
Magic links and time-based one-time passcodes (TOTP) are passwordless methods that also eliminate the biggest risk: customer passwords. Unlike FIDO credentials, however, links and codes can be relayed through a phishing site, so they are best treated as fallbacks rather than equivalents.
Let Transmit Security show you what it means to be truly password-free with BindID.