Hackers are no match for human error.
The biggest cybersecurity risk to businesses is employee negligence, according to a state of the industry report by Shred-it, an information security company. The report found that 47 percent of business leaders said human error such as accidental loss of a device by an employee had caused a data breach at their organization.
In 2019, data breaches cost companies an average of $3.6 million, according to a separate report from the Ponemon Institute. For smaller businesses especially, that price tag could wipe out the entire firm.
Many of the most dangerous offenses by employees are things that they might not even think about as risky behavior. A surprising number of workers surveyed by Shred-it admitted to bad security behavior at work; over 25 percent said that they leave their computer unlocked and unattended.
Cybersecurity practices have not yet caught up in the MENA region. A majority of executives agree that the risk of a data breach is higher when an employee works remotely, yet two-thirds of business managers said they have no policy for remote workers.
Working from Starbucks or even your living room may be nice and convenient, but it could also be opening your company up to a dangerous data breach.
Remote work has increased sharply with the pandemic. More than half of hiring managers agree that remote work is more common, and two-thirds think it is the future of work, according to a report on the future of work from Upwork, a freelancing platform.
In addition, contractors or external vendors also open up companies to data breaches. The Shred-it survey found that 1 in 4 executives and 1 in 5 small business owners said that an external vendor was the cause of a data breach at their company.
To fight fraud and negligence, a growing number of banks and merchants are now tracking visitors’ and employees’ physical movements as they use their computers. The technique is called “behavioral biometrics.”
A dozen technology vendors, from under-the-radar start-ups to giants like IBM, have built behavioral biometrics security software.
“This used to be like science fiction,” said Ryan Wilk, a NuData employee who is now a Mastercard vice president. “When we described what we did, people would give us looks like, ‘Is this real?’ Now, it’s become not just a gimmick but a major technology in the financial industry. Lots of big companies are using it.”
Qatar was one of the first countries to develop behavioral biometrics security technology, back in 2015, with a deep-tech startup named ADGS and its product, STROKK. However, Qatari banks and companies are still very late in adopting modern security measures, despite goodwill from company management. Having been asked to audit several companies in the region, ADGS CEO Christophe Billiottet says, “We found many breaches with easy behavioral biometrics solutions that IT departments discarded for reasons not related to security, but to personal convenience. For instance, in Qatar, there is obviously an excessive reliance on OTP while NIST (National Institute of Standards and Technology) published a document in 2018 requesting banks to avoid OTP and rely instead on biometrics and behavioral biometrics.”
Billiottet's analysis: “The problem might be cultural or structural, authority over IT security being transferred to employees without a real decisional power, nor any will to change a status quo. I heard a number of times IT managers telling me that current obsolete OTP solutions were ‘good enough’.”
STROKK measures the neural influx between the brain and fingers and interprets the neuromuscular data to recognize users. Using “behavioral biometrics” technology, STROKK helps prove whether a digital user is actually the person she claims to be and blocks impostors. STROKK is particularly efficient at protecting companies with remote workers and has been improved over the years to keep a high level of performance compared to its new competitors.
To security officials, ADGS technology is a powerful safeguard. Major data breaches are a near-daily occurrence. Cyberthieves have obtained billions of passwords and other sensitive personal information, which can be used to steal from customers’ bank and shopping accounts and fraudulently open new ones.
“Identity is the ultimate digital currency, and it’s being weaponized at an industrial scale,” said Billiottet. His company’s customers are now using or testing behavioral biometric tools, he said. “STROKK protects users against identity theft even if the password is already compromised. STROKK has proven to reach a detection rate of 99.92% of impostors.”
At a Kuwaiti bank where STROKK software is deployed, the system tracks the keystroke dynamics of employees and customers, among other measures, to build up a profile of the user over time. If the user’s behavior is consistent, he won’t need to constantly punch in a password. But if the user’s behavior changes by a certain threshold, the system prompts the user for a password. “Most people don’t mind a challenge if it’s legitimate,” says Billiottet, whose firm ADGS supplies the behavioral biometrics layer of STROKK. “But you don’t want it all the time.”
A few months ago, STROKK picked up unusual signals coming from one wealthy customer’s account. After logging in, the visitor typed on the numerical strip at the top of a keyboard, not the side number pad the customer typically used. A number of other discrepancies were collected by STROKK.
Alarm bells went off. The R.B.S. system blocked any cash from leaving the customer’s account. An investigation later found that the account had been hacked, Billiottet said.
“Someone was trying to set up a new payee and transfer a seven-figure sum,” he said. “The bank security department were able to intervene in real time and stop that from happening.”
That case was unusually blatant. A user’s behavior isn’t constant; people act differently when they’re tired, injured, drunk, distracted or in a hurry. The way people type at an office desk is distinct from when they’re slumped on their sofa at home. STROKK is an adaptive system, and its machine learning engine remains able to recognize legitimate users and differentiate them from impostors.
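The profile-and-threshold behavior described above (build a typing profile over time, skip the password while behavior is consistent, challenge when it drifts past a threshold, and keep adapting to the legitimate user) can be sketched as follows. This is an added illustration, not STROKK's or ADGS's algorithm: the features (mean key dwell and flight time), the z-score threshold, the enrolment count and the sample timings are all assumptions constructed for the example.

```python
import math

class KeystrokeProfile:
    """Per-user running mean/variance (Welford) of typing-rhythm features."""
    def __init__(self, threshold=3.0, min_sessions=5):
        self.threshold = threshold        # assumed: mean |z| that forces a challenge
        self.min_sessions = min_sessions  # assumed: sessions needed before scoring
        self.n, self.mean, self.m2 = 0, {}, {}

    def _learn(self, feats):
        self.n += 1
        for k, x in feats.items():
            d = x - self.mean.get(k, 0.0)
            self.mean[k] = self.mean.get(k, 0.0) + d / self.n
            self.m2[k] = self.m2.get(k, 0.0) + d * (x - self.mean[k])

    def score(self, feats):
        """Mean absolute z-score of this session against the stored profile."""
        zs = []
        for k, x in feats.items():
            sd = math.sqrt(self.m2[k] / (self.n - 1))
            zs.append(abs(x - self.mean[k]) / max(sd, 1.0))  # floor sd at 1 ms
        return sum(zs) / len(zs)

    def check(self, events):
        feats = features(events)
        if self.n < self.min_sessions:
            self._learn(feats)
            return "enroll"
        if self.score(feats) > self.threshold:
            return "step_up"              # ask for the password; do not learn
        self._learn(feats)                # adapt only on accepted sessions
        return "allow"

def features(events):
    """events: [(key, down_ms, up_ms), ...] -> mean dwell and flight times."""
    dwell = [up - down for _, down, up in events]
    flight = [b[1] - a[2] for a, b in zip(events, events[1:])]
    return {"dwell": sum(dwell) / len(dwell), "flight": sum(flight) / len(flight)}

def make_session(dwell, flight, keys="transfer"):
    """Constructed sample input: evenly timed key events."""
    t, out = 0, []
    for ch in keys:
        out.append((ch, t, t + dwell))
        t += dwell + flight
    return out

def demo():
    p = KeystrokeProfile()
    for d, f in [(95, 140), (100, 150), (105, 145), (98, 155), (102, 150)]:
        p.check(make_session(d, f))
    return [p.check(make_session(*s)) for s in [(101, 149), (108, 160), (60, 260)]], p.n
```

Because the profile learns only from accepted sessions, a slightly slower but legitimate session widens the tolerated range, while a rejected session cannot pull the profile toward an impostor's rhythm.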
Behavioral Biometrics in the world
The situation is somewhat different in the rest of the world, where behavioral biometrics is becoming the password protection standard: millions of average Scandinavians have been using behavioral biometric technology for over two years to log in to their online bank accounts.
In Sweden, Denmark, and Norway, it is integrated into a system called BankID, which major banks use to identify their customers. In Sweden, the system has 6.5 million active users. In Norway it is used by over 75% of the adult population. Banking customers use it for everyday transactions from logging in to bank accounts to filing taxes.
BehavioSec says its technology has been used by over 50 million users to conduct 1.2 billion transactions so far. BehavioSec won’t say precisely when it integrated its tracking technology with BankID, citing non-disclosure agreements, but it ran a trial with Danske Bank, Denmark’s biggest bank, with a recent plan to deploy it more widely.
In the Danske Bank trial, BehavioSec said it could detect an imposter using stolen credentials to access a bank account from a single log-in attempt more than 99% of the time. That trial involved 18,000 users and over 500,000 transactions.
The Royal Bank of Scotland, one of the few banks that will talk publicly about its collection of biometric behavioral data, started testing the technology two years ago on private banking accounts for wealthy customers. It is now expanding the system to all of its 18.7 million business and retail accounts, according to Kevin Hanley, the bank’s director of innovation.
When clients log in to their Royal Bank of Scotland accounts, software begins recording keystroke dynamics data. The system’s unobtrusiveness is part of its appeal.
Royal Bank of Scotland is using software designed by a small New York company called BioCatch. It builds a profile on each person’s gestures, which is then compared against the customer’s movements every time they return. The system can detect impostors with 97 percent accuracy, BioCatch says.
BioCatch has profiles on about 70 million individuals and monitors six billion transactions a month, according to Ms. Zelazny, the company’s strategy executive. American Express, an investor in BioCatch, recently began using its technology on new account applications.
Some of BioCatch’s rivals have even larger networks. Forter, a New York start-up that sells online fraud detection software incorporating behavioral biometrics to big retailers, said its database has records on 175 million people from more than 180 countries. Another competitor, NuData, was acquired last year by Mastercard.
European data protection laws prevent companies from being cavalier with user data. “We’re talking about typing on a keyboard; the way you type is not about what you’re typing and no sensitive information is collected,” Billiottet says. “Furthermore, the bank only has access to this data, not us, reducing the exposure and meaning it’s as secure–and private–as any other financial data stored by the bank.” This is specific to STROKK; in all the other cases, companies allow the outside vendors they work with to hold the data, usually in the cloud. That creates a new risk…
ADGS COMPUTER SYSTEM