Your end user has a relationship with your business application for only one reason: to do business with you. Anything that interferes with the security of that relationship not only disrupts your business but can also place your customers at risk in other business relationships.
In the Equifax breach in the United States, 143 million US citizens lost control of their Social Security numbers, which are used in nearly all government and banking systems. Not only were citizens’ business and banking disrupted, but proposed legislation in the US could fine companies like Equifax up to $100 per affected user for future disclosures.
US federal, state, and local government agencies don’t fare much better than Equifax: a 2016 cyber security report by Security Scorecard ranked government agencies in last place. Previous news of hackers from Russia and China stealing four million federal employee records and 100,000 tax returns seems to underscore the problem. Recent allegations in the US and abroad of election interference and influence don’t seem to brighten the prospect of protecting users who trust these foundational systems.
The relationship between the many organizations holding citizens’ data, including government agencies, and the public they serve is essentially built around trust – trust that can all too easily evaporate if there is a data breach. Quite simply, the public expects health records, tax, social security and driving license information to remain confidential and secure – full stop – whether these are held by government directly or by the external agencies that support these services.
For the citizen, the fallout from hacking goes far and wide – not least in terms of potential intrusion, identity theft, or financial losses from fraudulent activity – but there are also the indirect consequences of data breaches that affect taxpayers to factor in: for example, benefit fraud and loss to the exchequer.
eGovernment Services Moving Forward
As governments around the world move further towards the eGovernment model (the use of information and communication technologies to enhance delivery of government services while moving the administration responsibility onto the citizen), the problem only gets worse. This is partly because such systems are new and partly because of their sheer scale – both factors amplify the potential for mass intrusion. Moreover, because these services tend to be supplied by a complex ecosystem of public and private sector relationships, the issues of trust extend beyond government and across the commercial landscape: the provision of health insurance and of vehicle insurance are two obvious examples.
Solutions that can’t be hacked
So what should be done? What is needed is a security solution that can be delivered at scale – one that removes single points of compromise, one that ensures the identity of every user requesting access, and one that removes all currently known risks within a system.
When Experian was looking to provide highly secure authentication to millions of UK citizens in its role as a certified identity assurance provider for GOV.UK Verify, the credit scoring and information services supplier looked for a way to safeguard processes such as driving license renewal and tax returns. Experian took a zero-knowledge approach that neither sent nor stored passwords, PINs or authentication credentials of any kind – so these couldn’t be hacked.
In contrast, if your citizen data is stored behind security requiring password permissions, it is not safe: stolen authentication credentials from a password database allow a hacker to move undetected across your network with all the security implications outlined above. A password database breach is the single largest cybersecurity threat to any government or commercial organization.
Consequently, using a security system that does not require the use of passwords – and, in turn, a password database – will make password hacking a thing of the past. This will ensure that citizen data is secure, regardless of where it is stored, or who is responsible for securing it.
It’s time to protect your reputation and your trust with citizens and customers.
MIRACL’s use of a zero-knowledge proof (or process) allows any user or device to confirm their identity without revealing any valuable information about themselves. Learn about MIRACL Trust® multi-factor authentication, which features our zero-knowledge proof.