Token Security or Just Token Security?
A Vanson Bourne report for Entrust
Foreword
In 2011, Entrust Inc., an identity-based security company, partnered with respected technology research firm Vanson Bourne to gain a stronger understanding of what security solutions UK enterprises are using to defend themselves from online breaches, fraud, digital identity theft and other Internet-related attacks.
While traditional attack vectors have long posed problems for enterprises, the ubiquity of mobile devices is greatly increasing vulnerabilities. To defend against an evolving threat landscape, Entrust strongly recommends the use of a layered security strategy for all environments, verticals or industries.
UK-based enterprises are evolving to stronger security solutions, but the survey found that there’s still much room for improvement. Far too many organisations continue to rely on simple username-and-password defences that are simply too easy to circumvent.
Further, those organisations that do deploy stronger authentication don’t have the versatility to switch authenticators, in real time, in the unfortunate case of a breach.
To help, Entrust’s layered approach enables organisations to manage multiple authenticators and provides enterprises the ability to rapidly switch between them in the event of a breach.
By providing strong authentication, physical and logical access, mobile device management and other credentialing services, Entrust offers organisations a single platform to defend against even the most sophisticated of attacks.
Dave Rockvam
General Manager
Entrust Certificate Services & Chief Marketing Officer
Contents
Background
Research scope
Objectives
Introduction
A layered approach
Prevalence of token-based authentication
Security breaches
Alternative methods of authentication
How long does it take organisations to switch security methods?
Awareness of security
Why do organisations not have an alternative method of authentication?
How well informed is the CEO when it comes to security risks?
The importance and security of mobility
Security of mobile devices
Conclusions
Background
Research scope
In autumn 2011, Entrust appointed specialist technology market research house Vanson Bourne to interview 100 senior IT decision-makers across the UK. All respondents came from enterprise-sized organisations: 50% of the respondents came from organisations with 1,000-3,000 employees and 50% from organisations with more than 3,000 employees, split evenly across the following sectors:
Financial services
Manufacturing
Retail, distribution and transport
Government
Other commercial
While the 100 responses give a robust analysis of how the enterprise community as a whole is behaving, the sector split (20 respondents per sector) delivers a narrower, more 'snapshot' view of each vertical.
Objectives
There were three main objectives for this research:
- First, to determine what UK enterprises use to defend themselves against breaches
- Second, to expose just how many large organisations within the UK have experienced some form of security breach as a result of identity fraud
- Third, to establish the importance of mobility, and whether or not UK enterprises are capable of securing mobile devices.
Introduction
Four out of five UK enterprises use a token-based authentication system; that is, users must present some form of 'token' in order to identify themselves. Examples include hardware tokens, key fobs, smartcards and USB tokens.
Token-based authentication is at its strongest when the token (something the user must have on their person) is paired with something the user knows, such as a password, PIN or a piece of memorable information. A token that is lost or stolen is then useless on its own, because the attacker still lacks the second factor.
Tokens and smartcards can carry many different kinds of credential. Some hold a digital certificate and private key that identify the authorised owner; some generate a one-time code, derived by an algorithm from a secret held on the device, each time the user wishes to enter a building or log on to a machine; and some more advanced systems hold biometric data such as retinal scans or fingerprints.
With these most advanced systems, in order for a user to enter a location or access data remotely, they must therefore provide three things unique to them to prove their identity: something they know, something they have and something they are.
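One concrete form of the "unique code generated by an algorithm each time" described above is an event-based one-time password as specified in RFC 4226 (HOTP). The code below is an added illustration written for this page; it is not Entrust's product code and is not drawn from the report. It assumes a server that stores a shared secret per token and a PIN hash per user (both constructed here; the secret is the RFC 4226 test vector secret), and it shows why pairing "something you have" with "something you know" matters: a stolen token's code is rejected without the PIN, and a code that has been used once cannot be replayed.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based one-time code as specified in RFC 4226 (HOTP).

    HMAC-SHA1 over the 8-byte big-endian counter, then 'dynamic truncation':
    the low nibble of the last MAC byte selects a 4-byte window, whose value
    (top bit cleared) is reduced modulo 10**digits.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TokenRecord:
    """Server-side state for one user: the token's shared secret (something
    they have) and a hash of their PIN (something they know). Hypothetical
    structure for this example, not a real product's schema."""

    def __init__(self, secret: bytes, pin: str):
        self.secret = secret
        # Illustrative only: a real deployment would use a slow, salted KDF for the PIN.
        self.pin_hash = hashlib.sha256(pin.encode()).digest()
        self.counter = 0  # next counter value the server will accept


def verify_two_factor(rec: TokenRecord, pin: str, otp: str, look_ahead: int = 5) -> bool:
    """Accept only if the PIN is right AND the code matches one of the next
    look_ahead+1 counter values (the window tolerates button presses that never
    reached the server). On success the counter moves past the code used, so
    the same code cannot be replayed. Nothing is updated on failure, so a
    wrong PIN does not 'burn' the code the token is currently showing."""
    pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), rec.pin_hash)
    matched = None
    for c in range(rec.counter, rec.counter + look_ahead + 1):
        if hmac.compare_digest(hotp(rec.secret, c), otp):
            matched = c
            break
    if not (pin_ok and matched is not None):
        return False
    rec.counter = matched + 1
    return True


def demo() -> dict:
    """Walk through the cases the report's text describes: a legitimate login,
    a replayed code, and a stolen token used without the PIN. The secret is the
    RFC 4226 test secret and the PIN is made up for this example."""
    secret = b"12345678901234567890"
    rec = TokenRecord(secret, pin="4321")
    results = {}
    # Legitimate user: correct PIN plus the token's current code.
    results["first_login"] = verify_two_factor(rec, "4321", hotp(secret, 0))
    # Attacker who captured that code and the PIN: the counter has moved on.
    results["replay_same_code"] = verify_two_factor(rec, "4321", hotp(secret, 0))
    # Stolen token, PIN unknown: the code alone is worthless.
    results["stolen_token_no_pin"] = verify_two_factor(rec, "4321"[::-1], hotp(secret, 1))
    # The failed attempt did not consume the code; the owner can still use it.
    results["owner_uses_same_code_with_pin"] = verify_two_factor(rec, "4321", hotp(secret, 1))
    # A few unused button presses are absorbed by the look-ahead window.
    results["skipped_presses_within_window"] = verify_two_factor(rec, "4321", hotp(secret, 5))
    # After resynchronising, codes behind the counter are dead.
    results["old_code_after_resync"] = verify_two_factor(rec, "4321", hotp(secret, 3))
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The look-ahead window is the practical trade-off: too small and an ordinary user who pressed the button a few times locks themselves out; too large and an attacker with a stolen token gets more guesses per PIN attempt. Tying the counter advance to the PIN check is what turns a lost fob from a breach into a nuisance.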
This approach does appear to go the distance when protecting organisations from breaches but only four out of five large UK organisations actually use a token-based authentication system — meaning that 20% are more open to attack. Further, of those who do have a system in place, only two in three (68%) have an alternative method should their token-based approach be compromised — again leaving a significant number open to attack.
But what is truly alarming is that, despite more than half of IT decision-makers (56%) believing their CEO and board are aware of IT security risks, 26% of organisations that employ a token-based security approach have suffered a security breach as a result of identity fraud linked to lost or stolen tokens. From this it can be concluded that having a single line of defence is not enough: 26% of those with a token-based approach still experienced security breaches, so a multi-layered approach is preferable.
Moreover, among those organisations that do have an alternative method of authentication, 32% have still experienced such a breach, implying that more than one 'back-up' plan may be needed.
Furthermore, there is a general consensus that mobility is important both to organisations themselves, and to their customers. However, when it comes to securing mobile devices, there is a chink in the armour as fewer than three in five (55%) use token-based authentication systems for mobile devices that enter the corporate network.
[Figure 1 data: 80% have a token-based authentication system; 20% do not.]
A layered approach
Prevalence of token-based authentication
Only 80% of UK enterprise organisations currently use a token-based authentication system, which means that one in five has chosen not to deploy this security method.
When looking at the data across the sectors, there are slight variations in attitudes: just 70% of respondents in government said that they utilise token-based authentication systems, compared to the overall average of 80%, and 90% in both the financial services sector and the 'other commercial' sector.
Figure 1: Just four in five UK enterprises have a token-based authentication system
However, there is a more noticeable difference when we look at this data by the size of the organisations (figure 1a).
Figure 1a: Larger organisations are more likely to use token-based authentication systems
Larger enterprises are much more likely to use a token-based authentication system than their smaller counterparts.
So, are larger organisations better protected as a result?
Security breaches
More than a quarter (26%) of organisations that employ a token-based authentication system have experienced a security breach that was a result of identity fraud linked to a lost or stolen authentication device. This number drops to 22% in the largest organisations and reaches 32% among the smaller enterprises. This could be linked to the fact that larger organisations appear to be the vanguards here, and may be using a more sophisticated method of authentication than smaller organisations.
Therefore, without added layers of security, identity fraud and the consequent organisational breach is easier, and therefore more likely, among smaller organisations.
[Figure 1a data: 68% of organisations with 1,000-3,000 employees use a token-based authentication system, compared to 92% of organisations with more than 3,000 employees.]
[Figure 2 data: 68% of those with a token-based system have an alternative method of authentication; 33% do not.]
[Figure 3 data, alternative methods among those that have one: strong username/password 86%, knowledge-based questions 53%, soft-tokens 18%, grid card 16%, SMS 12%.]
But do organisations have a back-up plan if their token-based security approach is successfully attacked?
Alternative methods of authentication
Just two thirds of organisations that utilise a token- based approach (68%) have an alternative method of authentication that they could use, should their primary approach be compromised.
Figure 2: A third of organisations do not have an alternative method of authentication to turn to in the event of a breach
When we look at the difference by organisation size, we see a different story: while figure 1a showed that larger organisations are more likely to have a token-based authentication system in the first place, smaller organisations that do have token-based authentication systems are actually more likely to have an alternative method of authentication they could turn to in the event of a breach (85% vs. 54%).
We see a similar story with sectors. We have already seen that those in the financial services sector were among the most likely to be using token-based authentication in the first place, and a picture now starts to form: they are also the most likely to have an alternative method (83%), while government is again the least likely (50%).
So, what are the most common alternative methods being used?
Figure 3: A strong username or password is the most common alternative authentication method
On average, organisations that have alternative methods of authentication have two such methods they turn to.
The most common, used by six out of seven organisations (86%) that have an alternative method of authentication in case their token-based system is breached, is a strong username or password.
The second most popular alternative method, utilised by just over half (53%) are knowledge- based questions.
But how long does it take to switch from one method of authentication to another?
How long does it take
organisations to switch security methods?
Of all organisations, both those with and without token-based authentication systems, just 64% can change their method of authentication from one means to another within a day.
However, when we look only at those with a token-based authentication system who also have an alternative method (54 of the 100 organisations), this percentage leaps to 80%.
This suggests that those with token-based authentication may be slightly more advanced when it comes to the ability to switch authentication methods.
What is concerning is that, of those who have experienced a breach, only 50% can switch their authentication method within a day, compared to more than 68% of those who have not experienced a breach. Could this be because those who have not experienced a breach have better, more proactive defences in the first place?
But as figure 2 showed, a third of those with token- based authentication systems do not have an alternative method of authentication. Why is this?
[Figure 4 data, reasons for having no alternative method: the expense of deploying an alternative solution 38%; we never thought we would need one 38%; we are not aware of the alternatives 12%; IT doesn't have the bandwidth to manage an alternative 8%; other 4%.]
[Figure 5 data: CEO seen as informed about IT security risks in 46% of organisations with 1,000-3,000 employees, compared to 66% of organisations with more than 3,000 employees.]
Awareness of security
Why do organisations not have an alternative method of
authentication?
There are two main reasons that enterprises do not have an alternative method of authentication they could utilise if their token-based approach is breached. Two in five (38%) cite the expense of deploying an alternative solution as the deterrent.
However, the same number (38%) report that they never thought they would need one. This highlights the naivety of some large enterprises, considering that almost a quarter of UK enterprises (23%) have experienced a security breach that compromised their token-based approach.
Figure 4: 38% of organisations do not have an alternative method of authentication because they never thought they’d need one
How well informed is the CEO when it comes to security risks?
While some respondents said that they don't have an alternative method of authentication because they didn't think they'd need one, nine in 10 (90%) senior IT decision-makers within UK enterprises say that their CEO and board are, in fact, well informed when it comes to IT security risks; only 10% believe they are not well informed.
And this varies by the size of the organisation; in the larger enterprises more CEOs are seen as being informed about IT security risks, compared to smaller enterprises.
There are sector variations too. It appears that those in the manufacturing sector are the least likely to think that their CEO is aware of IT security threats and those in the government have the most faith in their seniors.
Figure 5: CEOs in larger organisations are more informed than their counterparts in smaller enterprises
[Figure 6 data, importance of mobility to the organisation: important 66%; neither important nor unimportant 21%; not important 13%.]
[Figure 7 data, importance of mobility to customers: important 53%; neither important nor unimportant 33%; not important 14%.]
The importance and security of mobility
Two thirds (66%) of enterprise organisations recognise that mobility is important to their organisation, e.g. all employees are equipped to work remotely using smartphones, laptops and tablets. This appears to be least important to the financial services sector (55%) and most important to the 'other commercial' group (85%).
Figure 6: The need for mobility is important to two thirds of UK enterprises …
When it comes to mobility in regards to the organisation’s customers, a similar outcome is apparent; 53% of senior IT decision-makers cite that mobility is important to customers.
Figure 7: … and mobility is important to the customers of 53% of enterprises
There is a positive correlation between those who think that mobility is important to their organisation and those who feel that mobility is important to their customers. Figure 8 shows that 64% of senior IT decision-makers who consider mobility important to the organisation also believe it is important to customers; the share rating mobility important to customers rises steadily across the three groups, while the share rating it unimportant to customers falls.
[Figure 9 data, security of mobile devices within the organisation: secure 58%; somewhat secure 33%; not secure 9%.]
[Figure 10 data, security methods for mobile devices entering the corporate network: username/password 81%; token-based 55%; knowledge-based questions 27%; grid card 9%; none of these 4%.]
[Figure 8 data, importance of mobility to customers, by how important mobility is to the organisation (columns sum to 100%):]
                                           Not important   Neither   Important
                                           to organisation             to organisation
  Not important to customers                    31%          19%         9%
  Neither important nor unimportant             38%          48%        27%
  Important to customers                        31%          33%        64%
Figure 8: Those who believe mobility is important to the organisation also believe it is important to customers
We can conclude from this that mobility is definitely important to enterprise organisations, but is the security of mobile devices being overlooked?
Security of mobile devices
Fewer than three out of five IT managers (58%) believe that the mobile devices within their organisation are secure.
Figure 9: Just 58% of UK enterprises believe the mobile devices in their organisation are secure
This drops to just half (50%) of those with 1000 to 3000 employees and rises to two thirds (66%) among those with more than 3000 employees.
This is almost a mirror image of what we saw in figure 1a, where the larger organisations were more likely to have a token-based authentication system. So, is there a link?
The most popular security method in place for mobile devices entering the corporate network is to request a strong username or password (81%). Only just over half of enterprises (55%) use a token-based system for these devices.
Figure 10: 55% of those who have mobile devices that enter the corporate network use a token-based system
Considering it was established in figure 1 that 80% of enterprises employ a token-based authentication system, the fact that only 55% use it for mobile devices implies that mobile security may be something of an Achilles heel for organisations.
Conclusions
It is clear that despite the majority of UK enterprise organisations having a token-based authentication system, many are still at risk; 33% of those with a token-based system do not have an alternative method of authentication.
Further, 36% of organisations would need longer than a day to switch from one method of authentication to another should a breach occur, meaning that their defences would be down for a prolonged period of time. And it appears breaches are not an uncommon event: 26% of organisations that utilise a token-based authentication system have experienced a breach as a result of identity fraud caused by lost or stolen tokens.
Senior IT staff have faith in their CEOs and board members, though, as all but 10% believe that the CEO and board are well informed about IT security risks. However, this raises several questions.
If 90% of CIOs are satisfied that the board and the CEO are aware and informed of security risks, then:
- Why do a third of those with a token-based system not have an alternative method of authentication? (Aside from the fact that 38% thought they would never need one.)
- Why have 26% of organisations with token-based authentication systems experienced token-related breaches?
- Why do only 58% of senior IT decision-makers think that the mobile devices within their organisations are secure?
The report raises more questions about enterprise security than it answers. It is clear that the organisations we researched are likely, at some point, to be the victim of an attack.
And whilst larger organisations do appear to be more security-aware, it is also the case that the larger the organisation, the more well-known it is likely to be, the more people work within it, and the greater the opportunity for a breach.
Therefore, it is much harder for the largest organisations to be 100% secure. If we add the hugely significant factor of mobile device access to this mix, then it is clear that the organisation needs to constantly monitor its security regimen to make a successful attack as unlikely as possible.
About Entrust
A trusted provider of identity-based security solutions, Entrust secures governments, enterprises and financial institutions in more than 5,000 organisations spanning 85 countries. Entrust's award-winning software authentication platforms manage today's most secure identity credentials, addressing customer pain points for cloud and mobile security, physical and logical access, citizen eID initiatives, certificate management and SSL. For more information about Entrust products and services, call 888-690-2424, email [email protected] or visit www.entrust.com.
About Vanson Bourne
Vanson Bourne, a specialist research-led consultancy, carries out user research within a technology context. The company interviews senior decision-makers from a variety of functions, across a whole range of industries, in organisations from the smallest to the largest, in markets around the globe. Vanson Bourne's clients range from start-ups to well-known companies that need expert guidance, delivering robust and credible research-based analysis.