By Jameeka Green Aaron, CISO, Auth0
Let’s cut straight to it. As security professionals, we’re seeing a massive increase in cyberattacks across the globe. Ransomware, in particular, is hitting every industry; it is something we never thought could really happen to us, but it is costing a lot of money and time. Throw in the aggressive cyber warfare being launched by Russia against Ukraine, which is already spilling out to wider digital assets, and you have a situation where collaboration between security professionals is essential.
Not only is collaboration needed, but we need to be doing more to shoulder the responsibility we all have to better educate consumers about the dangers facing them.
So what does this look like in action?
Collaboration takes time
Recent events reinforce the need for collaboration within our industry and networks. It’s never been the time, and it certainly isn’t now, to be protective, to worry only about our own security postures. I don’t see other companies as competitors; I see criminals as the competitor to all of us.
For those worried about the business impact of collaboration, don’t be. It’s important that consumers have a choice in the services they use. This competition fuels everyone to create better products and to remain ambitious, which works out well for everyone at the end of the day.
When it comes to collaboration, start thinking about how you can share the data you have for the good of everyone. At Auth0, we have the benefit of seeing the scale of cyberattacks attempted through the authentication process, with our software tackling millions of credential stuffing attempts weekly. Last year we launched our first ‘State of Secure Identity’ report, where we shared as much internal data as we could on the scale, methods and makeup of those attempting to commit cyberattacks against our customers. It’s your chance to be transparent and build consumer trust.
As well as larger reports, look into the other ways you can consistently share information with the security community. Regular blogs, networking events, and podcasts are all ways in which you can keep a dialogue up.
Another important factor is getting your technology into as many hands as possible, especially with non-profits and other sectors that may struggle to afford it. Make it as cheap as possible, and make sure you’re making everyone’s security posture as strong as you can. This is not only a good thing for improving everyone’s overall security, but it’s the right thing to do. It’s our responsibility as security professionals to do it.
We’re responsible for a lot of things
Talking of responsibility, the other thing we all need to be doing is taking more responsibility for the education of consumers. It’s not right for companies to shirk the responsibility of educating consumers, to simply expect them to read through ten pages of dry privacy documentation, or to suddenly feel comfortable using MFA because your app pushed it on them one day.
Take banking for example. Consumers are being constantly targeted via SMS fraud, with many losing money in the process. It’s on the banks to educate consumers. They should be actively, and constantly, sending emails and correspondence to consumers about the threats to watch out for, not just once a year as part of a cyber security month campaign. This is a worthy investment that is honestly a drop in the ocean compared to the costs of a significant breach.
So how do we reach consumers?
We have to meet them where they are, and think a little outside the box. We need to be investing in advertising that is not just pushing our products, but educating consumers to be better aware of best practice security across the board. This benefits everyone, so don’t just think about whether it’s reaching the people who buy your product. We need to take a grassroots approach, as currently the majority of security professionals and organizations are bad at it.
The main thing is recognising there is a diverse range of demographics and personalities, who are all going to need educating in different ways. So speak with community leaders, bring in external voices that can educate YOU on the best ways to educate others.
Ultimately, it’s our responsibility to invest in that education, or we’re only making things harder for ourselves further down the line.
But what about the ways we build technology?
Responsibility does not end with education; it ends in the security technology we invest in and build. When it comes to this, there’s still a lot we need to be doing.
Take biometrics for example. They’re a fantastic form of security when it comes to authentication, but they don’t work for everyone yet. I don’t use facial biometrics as they don’t recognise black faces well. This is not something that is sustainable; technology has to be inclusive and adoptable for the masses.
We also need to make readily available the technology that makes it easy for consumers to practice safe behaviors. Password managers are a great example of something which everyone should have, so the cheaper and easier we make it to use them the better. Auth0 has also developed a technology, Credential Guard, that makes it easier for platforms to automatically identify and flag when consumer credentials have been compromised. This is a technology that is easy to bake into security postures, but which has a massive impact on consumers without them having to do anything – the holy grail of security when it comes to reducing friction.
Don’t lock yourself in a box
As a security professional, if all you’re doing is thinking about your product and your customers, then you’re going to fail. What we need right now is collaboration, and a willingness to accept the responsibility that we all have to make security work for everyone.