Cybersecurity Month takes place every October, promoting how to stay secure online to global organisations and individuals. While the initiative started in the US in 2004 as Cybersecurity Awareness Month, the EU launched its own Cybersecurity Month campaign in 2012.
A key message of the campaigns over the years has been ‘cybersecurity is a shared responsibility’, reflecting the role we all have to play as customers, citizens, employees and service providers in upholding cybersecurity standards. At Ubisecure, part of the digital identity industry, we recognise a responsibility we have to educate individuals on protecting their identity and businesses on identity best practice as part of a holistic cybersecurity strategy. If you’re also part of the identity industry and interested in our role to play in this wider effort, check out: Why we should be educating consumers about digital identity.
In this article, we cover what organisations providing online services need to do to get cybersecure with a spotlight on our area of expertise: digital identity.
What must service providers do to strengthen security – a digital identity checklist
Organisations that offer digital services to their customers (or citizens, partners etc.) have a responsibility to protect the identities they capture and manage.
1. Offer passwordless authentication
Are you forcing your customers to create a new password to sign up to your service? You’re not doing yourselves any favours. 80% of data breaches are caused by stolen, weak or default passwords, a risk that is very real given that only 35% of people use different passwords for all of their accounts. A more secure, customer-friendly and easier option for your organisation is to integrate a few identity providers, choosing options appropriate to your user base and the sensitivity of the data you hold.
2. Offer MFA (and encourage uptake)
Multi-factor authentication (MFA) is a particularly secure method of logging into a service because more than one independent identifying factor is required. So even if an attacker were able to imitate one authentication factor, they would be very unlikely to be able to imitate two, making it very hard to gain unauthorised access where MFA is in use.
Lots of services offer MFA today, though users are only likely to find out that a service offers it if they go looking through their privacy or account settings. So once you have this security feature in place, make sure you tell users about it and why they should use it.
Also ensure your MFA solution is enforced consistently across every channel: MFA that applies on one channel but not another simply pushes attackers to the unprotected one. TikTok recently faced criticism after users realised its new MFA offering could be bypassed on a web browser.
It’s important to remember that users want an easy journey through your services, but they also want security – and they are becoming increasingly aware of what that looks like.
3. Use SSO
Once a user has signed up to your service with a secure set of credentials (identity provider(s) and MFA), make the most of it: allow customers to use those same credentials across all of your services with single sign-on (SSO). If instead you make users create new credentials for each individual service, their motivation to keep creating and using strong credentials will run out and they will fall back to weak, reused passwords.
Further, a single set of credentials makes it far easier for you to deprovision access to all of your systems in one go should the need arise (e.g. when a partner contract expires).
You can always use step-up authentication alongside SSO if a particular area of your services requires stronger assurance of the user’s identity (e.g. if it contains more sensitive data).
4. Allow delegation of authority
When multiple people need to access the same account, plan or project within your service, are they forced to share the same credentials? A much more secure way to grant access to trusted organisations and individuals is Delegated Authority.
This means that each individual involved, e.g. in a family subscription plan or a B2B project, has their own access credentials carrying only the necessary level of authorisation, greatly reducing the risk of unauthorised access.
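The SSO, step-up and deprovisioning points above, together with delegated authority, are easiest to see in a small authorisation model. The following is an added illustration, not Ubisecure code: the service names, assurance levels and the `Directory` class are constructed for the example.

```python
"""Toy SSO directory: one login reused across services, step-up for sensitive
areas, one-step deprovisioning, and delegated access with per-person scoped
rights instead of shared credentials. Constructed example, not vendor code."""
from dataclasses import dataclass, field

# Required assurance level per service: 1 = single factor, 2 = MFA completed.
SERVICE_ACR = {"billing": 1, "support": 1, "medical-records": 2}  # constructed


@dataclass
class Session:
    subject: str
    acr: int            # highest assurance level reached in this session
    active: bool = True


@dataclass
class Directory:
    sessions: dict = field(default_factory=dict)      # subject -> Session
    # account owner -> {delegate subject: set of services they may use}
    delegations: dict = field(default_factory=dict)

    def login(self, subject, acr=1):
        self.sessions[subject] = Session(subject, acr)

    def step_up(self, subject):
        self.sessions[subject].acr = 2                 # MFA completed

    def delegate(self, account, subject, services):
        # The delegate keeps their own credentials; only rights are granted.
        self.delegations.setdefault(account, {})[subject] = set(services)

    def deprovision(self, subject):
        # One operation cuts every service: the SSO session and all grants.
        if subject in self.sessions:
            self.sessions[subject].active = False
        for grants in self.delegations.values():
            grants.pop(subject, None)

    def authorise(self, subject, service, account):
        s = self.sessions.get(subject)
        if s is None or not s.active:
            return "denied"
        if account != subject and service not in \
                self.delegations.get(account, {}).get(subject, ()):
            return "denied"                            # no delegated right
        if s.acr < SERVICE_ACR[service]:
            return "step-up required"                  # sensitive area
        return "allowed"
```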
5. Don’t try to build your own identity management systems
Organisations will sometimes try to build identity management capabilities in-house, running into trouble when they realise the complexity of making such a system both secure and user-friendly. It’s far better to buy solutions from vendors with expertise in identity management technology and best practice, achieving the right balance of security and customer experience for your individual organisation.
Free resources to secure your online services
- Limited general cybersecurity resources for business users on the EU Cyber Security Month website
- More extensive general cybersecurity resources through the US’s CyberSecure My Business
- Specifically on digital identity, we have a whole library of popular resources on the Ubisecure website – including white papers, case studies etc.
- Free trial of Identity-as-a-Service (IDaaS) – SSO, MFA and identity providers delivered as SaaS. See how the checklist capabilities would work for your organisation.