The latest survey from the DTI into the IT security of UK businesses has
revealed that firms could be making themselves more vulnerable by using
software-based two-factor authentication rather than hardware tokens.
Software tokens, where a small file is placed on a user's computer, have been
adopted by many firms as a relatively cheap way of increasing security. Telecoms
and technology companies are the highest adopters.
But Chris Potter, the partner at PricewaterhouseCoopers who compiled the
survey, told vnunet.com that in some cases such systems led to more identity
theft, not less.
"Two-factor authentication is the most popular form of control, but there's a
little bit of a sting in the tail," he said.
"Organisations that had software tokens had a higher incidence of break-ins
than those that had no two-factor system.
"One reason could be that organisations implement stronger security once
breached, but the other possible reason is that software tokens provide limited
security and people may feel they are totally covered."
Potter explained that the levels of identity fraud fell back to normal when
hardware tokens were used.
Tim Pickard, vice president of international marketing at RSA Security, said:
"I haven't had access to this report but it doesn't ring true to me.
"There are some very large organisations that use software tokens and they
don't suffer those levels of breaches. Our experience is that breaches going up
is a relatively small possibility."
The survey identified three elements to a successful identity management
system: strong, ideally two-factor, authentication; single sign-on; and
automated user provisioning.
Companies using all three elements suffered negligible identity fraud,
according to Potter, but only one in every 100 companies is this well protected.
Two-factor is the most popular form of identity management, but 80 per cent
of the 1,000 companies surveyed are still using passwords alone to provide
access rights.
Overall the level of identity fraud stayed relatively constant, due in part
to increased security precautions. Among large companies there was a small
increase.
When such fraud did occur, it tended to have a worse impact than any other
type of security breach, particularly in terms of reputation damage, adverse
media coverage and cost of remediation.
Several small businesses reported direct losses of £10,000 - £50,000 as a
result of fraud.