Your security problem is an identity problem

It’s only going to get more difficult for organisations to protect themselves, their customers and their data as the technology the hackers use gets better. In many cases organisations simply aren’t ready for today's challenges, let alone those which are coming.

June 6, 2024

The Unchanging Landscape of Cybersecurity

In 2024, we are witnessing an alarming rise in data breaches, ransomware attacks, and cyber takedowns. Across the board, the information security community is reacting with new technology solutions and inflated budgets, but at the core, not much has changed. For years, companies have been repeating the same mistakes, and the results are as predictable as ever.

Image from Statista

Consider this: in the 18th century, doctors often prescribed leeches to treat illness, unaware that they were ineffective. Today’s businesses are similarly applying ineffective solutions to prevent hacking. Companies like Christie's, Santander, and Ticketmaster have all faced major hacks leading to significant outages or data breaches. No matter how many security systems they implement, they are consistently vulnerable. Why? Their problem isn’t just about security technology—it’s about identity.

How Hackers Exploit Identity Weaknesses

The Identity Problem

When someone logs into a system, the company assumes it knows who is accessing it. But there’s a fundamental flaw in that assumption. Companies grant access based on credentials like usernames and passwords, or even more advanced systems like biometrics. The problem is that these methods don’t truly verify who the person is—they only check if the credential matches one that’s been previously issued.

This creates an opening for hackers. They exploit the fact that companies are granting access to a credential rather than verifying the actual human behind the login. And hackers are extremely good at using this to their advantage.

The Hacker’s Playbook

Hackers often start by gathering public data. Let’s imagine a hacker targeting a company like the fictional "ACME Corp." First, they narrow their focus from the global population to ACME’s employees, and then to senior employees with access to sensitive data. All this information can be found on platforms like LinkedIn or through databases of leaked personal information from past breaches.

Now, with a short list of potential targets, the hacker gathers more personal information, often from data brokers who collect information through cookie acceptance (yes, those annoying pop-ups you click on). They might also check if any employees have been victims of previous online crimes, which can make them easier targets.

Finally, they try to gain access to the company’s systems by exploiting weak passwords (such as "Password123") or using social engineering techniques, where they manipulate individuals into revealing sensitive information. Social engineering can be surprisingly effective.

Why Traditional Security Systems Fail—and How to Protect Yourself

The Limits of Security Technologies

Security technologies like FaceID, TouchID, Two-Factor Authentication (2FA), and even voice or video verification all have their weak points.

  • Biometrics (FaceID/TouchID): These seem highly secure, but their fallbacks to PIN codes, sometimes just four digits, undermine their strength. Worse, these systems often allow multiple users to register, so you can’t be sure who is accessing the account [7].
  • Two-Factor Authentication (2FA): While it adds a layer of protection, 2FA relies on technologies like SMS and email, both of which can be compromised through spoofing or interception [8]. Hackers can bypass 2FA using stolen credentials in seconds.
  • Voice and Video Verification: Advanced AI technology can now spoof voices and video images, making it easy for hackers to trick systems into believing they are someone else. This has even led to multi-million dollar heists where employees believed they were on calls with their own executives [9].
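
A defender can check an enrollment inventory for exactly the weak points listed above. The following is an added example, not code from the original article; the record fields, the 6-digit PIN threshold, the "totp" factor name and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Second-factor channels the text describes as open to spoofing or interception.
PHISHABLE_CHANNELS = {"sms", "email"}
MIN_PIN_DIGITS = 6  # assumed policy threshold, not taken from the article


@dataclass
class Enrollment:  # hypothetical record layout for one account
    user: str
    second_factors: set = field(default_factory=set)  # e.g. {"sms", "totp"}
    biometric_templates: int = 0   # faces or fingerprints registered on the device
    pin_fallback_digits: int = 0   # 0 means there is no PIN fallback
    approves_by_call: bool = False  # a voice/video call is accepted as proof of identity


def audit(e: Enrollment) -> list[str]:
    """Return the weak points from the list above that apply to one account."""
    findings = []
    if e.biometric_templates and 0 < e.pin_fallback_digits < MIN_PIN_DIGITS:
        keyspace = 10 ** e.pin_fallback_digits
        findings.append(
            f"biometric falls back to {e.pin_fallback_digits}-digit PIN ({keyspace} guesses)")
    if e.biometric_templates > 1:
        findings.append(
            f"{e.biometric_templates} biometric templates enrolled; a match does not identify one person")
    if not e.second_factors:
        findings.append("no second factor enrolled")
    elif e.second_factors <= PHISHABLE_CHANNELS:
        findings.append("second factor is only " + "/".join(sorted(e.second_factors)))
    if e.approves_by_call:
        findings.append("voice/video call accepted as identity proof")
    return findings


def audit_all(enrollments) -> dict:
    """Map each user with at least one finding to the list of findings."""
    results = {e.user: audit(e) for e in enrollments}
    return {user: found for user, found in results.items() if found}


# Constructed sample inventory, for illustration only.
SAMPLE = [
    Enrollment("alice", {"sms"}, biometric_templates=2, pin_fallback_digits=4),
    Enrollment("bob", {"totp", "sms"}, biometric_templates=1, pin_fallback_digits=6),
    Enrollment("carol", {"email", "sms"}, approves_by_call=True),
]

if __name__ == "__main__":
    for user, found in audit_all(SAMPLE).items():
        for finding in found:
            print(f"{user}: {finding}")
```
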

What Can Be Done?

The truth is, no amount of artificial intelligence, threat analysis, or firewalls can undo a hack once it’s occurred. Prevention is the best defense, and that starts with recognizing that the heart of the issue is identity verification. If businesses fail to know who is truly accessing their systems, they will remain vulnerable to attacks, no matter how many high-tech solutions they deploy.

So how can companies protect themselves? Here are three essential strategies:

  1. Know Who Controls and Accesses Data: Use systems that track and verify identity in real time, rather than relying solely on credentials.
  2. Gate Access with Real-Time Biometric Verification: Implement technologies that continuously verify a person’s identity as they access systems, using biometrics that can’t be easily faked.
  3. Limit Data Exposure: Avoid storing Personally Identifiable Information (PII) within your business systems whenever possible. If it’s not there, it can’t be stolen.

By following these principles, companies can reduce their exposure to hackers and limit the damage that can be done. The sooner businesses realize that security isn’t just about technology, but about verifying identity, the better equipped they’ll be to face the cybersecurity challenges of the future.

Footnotes

  1. Cohn, Simon. Leeches: Medical Practices of the 18th Century. Medical History Journal, 2019.
  2. UK Information Commissioner's Office. “Ticketmaster Fined £1.25 Million for Data Breach,” ICO Reports, 2022.
  3. Kelley, Paul. "Understanding Credential-Based Attacks in Cybersecurity," Cyberdefense Magazine, June 2023.
  4. Brennan, Alice. “How Hackers Use LinkedIn to Gather Information,” BBC News, 2021.
  5. Zhang, Emily. "The Dark Side of Data Brokers," Wired, August 2022.
  6. "Social Engineering Hacking: How Hackers Manipulate People," Hacker News, April 2023.
  7. Security Research Labs. "The Weaknesses of FaceID and TouchID," SRLabs Blog, 2022.
  8. Khan, Omar. "SMS-Based Two-Factor Authentication Vulnerabilities," CSO Online, February 2023.
  9. "The $25 Million Voice Spoofing Heist," Forbes, 2022.