Consumer Web Portals: Platforms At Significant Security Risk



Similar documents
Capacity Management Benefits For The Cloud

Why Endpoint Backup Is More Critical Than Ever

Cloud Without Limits: How To Deliver Hybrid Cloud With Agility, Governance, And Choice

Continuous Third-Party Security Monitoring Powers Business Objectives And Vendor Accountability

The Risks Of Do It Yourself Disaster Recovery

SMBs File Storage Needs Are Growing, But 57% Underestimate File Server Costs 45% Are Interested In Cloud Options

Zero Trust Requires Effective Business-Centric Application Segmentation

Connect and Protect: The Importance Of Security And Identity Access Management For Connected Devices

Trends In Data Quality And Business Process Alignment

Are SMBs Taking Disaster Recovery Seriously Enough?

Intent Data Can Sharpen Your Competitive Edge

A Forrester Consulting Thought Leadership Paper Commissioned By Brother. December 2014

The Expanding Role Of Mobility In The Workplace

Single-Vendor Security Ecosystems Offer Concrete Benefits Over Point Solutions

Future IT Capacity Planning Depends On Flexibility

Big Data Ups The Customer Analytics Game

How To Adopt Cloud Based Disaster Recovery

Managed Mobility Cloud Services Gain Momentum With European Midmarket Organizations

Strategically Detecting And Mitigating Employee Fraud

Leverage Cloud-Based Contact Center Technologies To Provide Differentiated Customer Experiences

Enterprises Seek The Benefits Of Hybrid Cloud, And Work To Overcome The Challenges

Records Management And Hybrid Cloud Computing: Transforming Information Governance

Formulate A Database Security Strategy To Ensure Investments Will Actually Prevent Data Breaches And Satisfy Regulatory Requirements

Application Performance Management Is Critical To Business Success

Digital Business Requires Application Performance Management

The Unified Communications Journey

A Tidal Wave of Dynamic Web Content Is Coming How Will You Respond?

If you had your choice of two work devices that would make you most productive in your job, which two devices would you prefer to have?

Benefits Of Leveraging The Cloud Extend To Master Data Management

Leverage Micro- Segmentation To Build A Zero Trust Network

File Sync And Share Grows In The Enterprise: Capture The Benefits And Manage The Risks

Customer Cloud Adoption: From Development To The Data Center

Mobile Device Management Underpins A Bring-Your-Own- Device (BYOD) Strategy

Latest IT Trends For Secure Mobile Collaboration

Are SMBs Taking Disaster Recovery Seriously Enough?

The Move Toward Modern Application Platforms

UC And Collaboration Adoption By Business Leads To Real Benefits

Privacy, Identity, And Security: A Spotlight On How Financial Services Firms Can Help Protect Customer Identity

Not All Cloud Solutions Are Created Equal: Extracting Value From Wireless Cloud Management

Close The Gaps Left By Traditional Vulnerability Management Through Continuous Monitoring Organizations Find Real Value With Continuous Monitoring

Best Practices For Public Cloud Security Part Three Of A Three-Part Series On Public Cloud Security

Enable Mobility With Application Visibility At The Edge Of The Network

A Custom Technology Adoption Profile Commissioned By Aerohive Networks. January Cloud Networking

How Organizations Are Improving Business Resiliency With Continuous IT Availability

The Cloud Manager s Balancing Act Balancing Security And Cost Without Sacrificing Time-To-Value

How To Get Started With Customer Success Management

The Road To CrossChannel Maturity

Delivering New Levels Of Personalization In Consumer Engagement

April 4, 2008 The Five Essential Metrics For Managing IT by Craig Symons with Alexander Peters, Alex Cullen, and Brandy Worthington

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

SOLUTION BRIEF Improving SAP Security With CA Identity and Access Management. improving SAP security with CA Identity and Access Management

Closing the Biggest Security Hole in Web Application Delivery

Security: The Vital Element Of The Internet Of Things

A Forrester Consulting Thought Leadership Paper Commissioned By AT&T Collaboration Frontier: An Integrated Experience

Authentication Solutions Buyer's Guide

Managed Hosting And Private Hosted Cloud Both Are Viable Alternatives To Public And Virtual Private Cloud Models

Be Direct: Why A Direct-To- Consumer Online Channel Is Right For Your Business

How To Choose An Authentication Solution From The Rsa Decision Tree

White Paper. FFIEC Authentication Compliance Using SecureAuth IdP

Which Managed Hosting And Private Hosted Cloud Option Is Right For You?

The Era Of Intimate Customer Decisioning Is At Hand

Moving Beyond User Names & Passwords Okta Inc. info@okta.com

Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access

EXECUTIVE SUMMARY. For Interactive Marketing Professionals. Applications

Digital Video Advertising - Advantages and Disadvantages

Securing corporate assets with two factor authentication

Accelerate BI Initiatives With Self-Service Data Discovery And Integration

Cloud Change Agents Drive Business Transformation

SOLUTION BRIEF SEPTEMBER Healthcare Security Solutions: Protecting your Organization, Patients, and Information

The New Path-To- Purchase The Connected Consumer s Cross- Device Journey

solution brief February 2012 How Can I Obtain Identity And Access Management as a Cloud Service?

RSA SECURITY SOLUTIONS. Secure Mobile & Remote Access

Online And Mobile Are Transforming B2B Commerce Firms That Act Now Will Gain Appreciably, Companies That Don t Will Fall Farther Behind

White paper. Four Best Practices for Secure Web Access

February 15, 2012 Updated: February 22, 2012 The Forrester Wave : Risk-Based Authentication, Q1 2012

Software Integrity Risk Report

Transcription:

A Custom Technology Adoption Profile Commissioned By RSA December 2013 Consumer Web Portals: Platforms At Significant Security Risk

1 Introduction The increasing number of digital identities, prevalence and impact of data breaches, and loss of customer information are driving a heightened requirement for effective consumer-facing identity and access management (IAM) solutions. Many organizations with consumer portals, however, do not have effective protections in place. This RSA-commissioned profile of business-to-consumer (B2C) security decision-makers in the financial services, healthcare, government, and online merchant sectors evaluates security around consumer portals based on Forrester s own market data and a custom study of the same audience.

2 Security Pros Are Standing Pat On Consumer-Facing Identity And Security Improvements Forrester sees clear majorities of firms engaging in online consumer engagement in an identity-enabled way. In our Forrsights Security Survey, Q2 2013, 56% of IT security decision-makers reported that they either have implemented or plan to implement consumer identity theft/fraud management; 60% have implemented or plan to implement consumer IAM (see Figure 1). However, we have reason to doubt the security of all of these consumer portals. When asked what security solutions they use to protect their consumer-facing web portal, the top response of these security pros was standard single-factor authentication involving a user name and password (83%), with forgotten-password resets through either challenge questions (62%) or an emailed link (58%). A much smaller population of respondents reported using two-factor authentication or risk-based detection tactics (see Figure 2), both of which can increase the practical ability to authorize access by the right people to the right applications. Often, the reason for such light security is the fear of a negative user experience, leading to lower rates of consumer conversion, such as shopping cart abandonment. We see security pros becoming more aware of stronger authentication options, however, as they attempt to battle security and fraud risks. Respondents showed significant interest in using hardware one-time password tokens, mobile-device-generated passwords for two-factor authentication, and certificates stored on a device for twofactor authentication (see Figure 3). FIGURE 1 More Than Half Of Firms Have Already Adopted Identity-Related Technologies Focused On Consumers What are your firm s plans to adopt the following identity and access management technologies? Planning to implement in a year or more Planning to implement in the next 12 months Implemented, not expanding Expanding/upgrading implementation Consumer identity theft/fraud management 8% 13% 23% 13% Consumer identity and access management 9% 13% 26% 12% Base: 1,171 IT security decision-makers Source: Forrsights Security Survey, Q2 2013, Forrester Research, Inc.

3 FIGURE 2 Organizations Typically Protect Consumer-Facing Web Portals Using Weak Password-Based Methods What security solutions do you use to protect access to your consumer-facing web portal? User name and password 83% Forgotten-password resets through challenge questions 62% Forgotten-password resets through an emailed link 58% Required strong/two-factor authentication for users performing high-value or sensitive tasks Risk-based authentication for silently assessing anomalies at the front door of the portal 42% 46% Optional strong/two-factor authentication for users who choose to use it Risk-based detection of anomalies for the length of the user session 33% 31% Base: 48 IT security decision-makers Source: A commissioned study conducted by Forrester Consulting on behalf of RSA, October 2013 FIGURE 3 Security Pros Are Showing Interest In A Variety Of Stronger Authentication Techniques What are your firm s plans to adopt the following strong authentication approaches? Not interested Planning to implement in a year or more Planning to implement in the next 12 months Implemented, not expanding Expanding/upgrading implementation Interested but no plans Hardware one-time password token (e.g., RSA SecurID) 22% 7% 11% 27% 12% 16% One-time password generated by a mobile device application for two-factor authentication 24% 9% 12% 19% 11% 19% Certificate stored on a device for two-factor authentication 18% 9% 14% 26% 10% 17% Risk-based or context-based authentication leveraging mobile device or desktop or application details Transaction or document signing token using a mobile device application 24% 11% 12% 18% 9% 20% 26% 8% 12% 19% 7% 20% SMS text message sent to a mobile device (bring your own token) 31% 7% 12% 16% 7% 20% Base: 1,171 IT security decision-makers ( Don t know responses have been omitted) Source: Forrsights Security Survey, Q2 2013, Forrester Research, Inc.

4 Breaches Pose A Heavy Risk To Businesses Security pros are, of course, greatly concerned with the multitude of security threats to their consumer-facing web portals, and with good reason: Weak authentication, authorization, and fraud detection capabilities present a known and growing risk. Adobe recently disclosed a breach of credentials and credit card data for more than 38 million consumers, requiring all of them to go through a password reset experience and enabling hackers to learn passwords commonly shared by users across sites. 1 Users reuse passwords in this way to simulate single sign-on (SSO); unfortunately, this faux method is much more vulnerable to attacks than true SSO, particularly when real SSO is combined with strong and risk-based authentication. Survey respondents told us that privacy issues, loss of consumer trust, and regulatory compliance are the top three threats they see from consumer portals, with at least 70% of respondents ranking their level of concern for each of these as a 4 or 5 on a 5-point scale (see Figure 4). And loss of business due to a poor customer experience resulted in well over half (59%) of respondents expressing this level of concern. Breaches put many types of data at risk. Forrsights data shows that two of the three most common types of data to be compromised among companies that had been breached were personally identifiable information (32%) frequently used as the basis for security challenge questions and authentication credentials (25%). Both of these, when used without compensating controls in the form of stronger authentication, authorization, and contextual fraud detection techniques, can give attackers the means to gain full access to consumer accounts and inflict the most damage (see Figure 5). Further, these breaches can result in many different types of business value walking out the door. Even a soft risk like loss of consumer trust in a portal can have significant revenue implications. Nearly all of our respondents (92%) were using their consumer web portals for direct monetary transactions with the majority being used for transactions higher than $1,000 (see Figure 6).

5 FIGURE 4 Security Pros Report Great Concern About Both Hard And Soft Business Risks Related To Security How concerned are you about the following security-related aspects of your consumer-facing web portal? 1 Not at all concerned 2 3 4 5 Very concerned Privacy issues Loss of consumer trust in our ability to keep them secure Regulatory compliance 2% 2% 2% 2% 2% Loss of business value due to fraud 2% 4% Providing the right access to the right people 21% 44% 33% 21% 50% 27% 25% 35% 38% 27% 38% 31% 25% 50% 19% Mass breaches 6% 27% 29% 38% 2% 4% Denial of service attacks 29% 27% 38% 2% 2% Loss of business due to poor customer experience 38% 38% 21% Base: 48 IT security decision-makers (percentages may not total 100 because of rounding) Source: A commissioned study conducted by Forrester Consulting on behalf of RSA, October 2013 FIGURE 5 Authentication Credentials Of Various Types Are A Frequent Data Breach Target What types of data were potentially compromised or breached in the past 12 months? Personally identifiable information 32% Intellectual property 29% Authentication credentials 25% Other personal data 20% Other sensitive corporate data 18% Corporate financial data 17% Website defacement 16% Payment/credit card data 12% Account numbers 12% Other 2% Don t know 13% Base: 578 IT security decision-makers who had a data breach in the past 12 months Source: Forrsights Security Survey, Q2 2013, Forrester Research, Inc.

6 FIGURE 6 Financial, Healthcare, Government, And Merchant Consumer Portals Support Significant Transaction Value What is the highest-value transaction that consumers can perform through your web portal? More than $1,000 60% Up to $1,000 21% Up to $100 8% Up to $10 2% Indirect or nonmonetary value 6% Zero business value (e.g., all content is publicly available) 2% Base: 48 IT security decision-makers (percentages do not total 100 because of rounding) Source: A commissioned study conducted by Forrester Consulting on behalf of RSA, October 2013 Key Findings And Conclusions: Desire And Reality Are Badly Mismatched When It Comes To Consumer Web Portal Security Security pros can see that poor security in consumer web portals leads to significant direct risks, such as loss of transaction value through fraud. But they may not yet be connecting poor authentication, authorization, and fraud detection strategies with the resulting business risks, such as the loss of trust in the business by consumers forced to perform password resets in the case of a breach or even simple loss of business value due to a poor consumer experience that gets in the way of a transaction. While these professionals recognize that there s a wide world of stronger controls out there, most of them have yet to make the leap to recognizing the dramatic impact such controls could have: They can avoid a great deal of password reset pain, consumer dissatisfaction, and a cascade of other negative impacts to the business simply by catching fraudsters ahead of time. Methodology This Technology Adoption Profile was commissioned by RSA. To create this profile, Forrester leveraged its Forrsights Security Survey, Q2 2013. Forrester Consulting supplemented this data with custom survey questions asked of US enterprise security leaders (managers and above in title) directly involved in decisions regarding security for their consumerfacing web portals. The auxiliary custom survey was conducted in October 2013. For more information on Forrester s data panel and Tech Industry Consulting services, visit www.forrester.com.

8 Related Forrester Research Introducing The Customer Authentication Assessment Framework, Forrester Research, Inc., June 12, 2013 Inquiry Spotlight: Consumer-Facing Identity, Q4 2012 To Q1 2013, Forrester Research, Inc., March 22, 2013 Navigate The Future Of Identity And Access Management, Forrester Research, Inc., March 22, 2012 ABOUT FORRESTER CONSULTING Forrester Consulting provides independent and objective research-based consulting to help leaders succeed in their organizations. Ranging in scope from a short strategy session to custom projects, Forrester s Consulting services connect you directly with research analysts who apply expert insight to your specific business challenges. For more information, visit forrester.com/consulting. 2013, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. For additional information, go to www.forrester.com. [1-M6O2QN] Endnotes 1 Source: Nick Bilton, Adobe Breach Inadvertently Tied to Other Accounts, The New York Times, November 12, 2013 (http://bits.blogs.nytimes.com/2013/11/12/adobe-breach-inadvertently-tied-to-other-accounts/).

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information