UK telecoms company Three confirmed news of the security breach on Thursday, revealing that hackers accessed its systems using an employee login, potentially putting the personal data of six million customers at risk.
This is the umpteenth time a major company has suffered a data breach as a result of an employee login falling into the wrong hands.
eBay, Sony, Sage and other large corporations have suffered similar fates recently, and it seems that most organisations are waiting for a major breach of their own before doing anything to improve their security, which is the worst way to do things.
Advice on how to protect yourself from the Three hack
Compromised employee logins can happen to everyone – don’t let it be you
To stop security breaches using an employee login, organisations are taking a closer look at context-aware security.
Context-aware security uses supplemental information to the password to grant or deny access. This supplemental information can take the form of what device the user is using, the geographical location the user is logging in from, the time of day the access attempt is taking place, and many other factors.
Using this information, the security system can build up a strong profile of the person who’s trying to log in, and can grant or deny access immediately based on granular administrator-set access rules.
These rules can state, for example, that only administrator-approved workstations in a particular department of a building are granted entry, so that any attempt to log in from outside that perimeter fails (or triggers an automatic alert to administrators, who can then grant or deny access with a click).
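The device, location and time-of-day checks described above, combined into one access decision, as an added example that is not part of the original article or any product it describes. The usernames, workstation identifiers, location codes and working hours are constructed for illustration; the three-way outcome (allow, deny, or hold for administrator review) is an assumption about how such rules would be expressed.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"      # password plus context is acceptable
    DENY = "deny"        # context contradicts the user's profile outright
    REVIEW = "review"    # hold the session and alert an administrator

@dataclass(frozen=True)
class LoginAttempt:
    user: str
    device_id: str   # identifier of the workstation making the request
    location: str    # office or network zone the request came from
    hour: int        # local hour of day, 0-23

@dataclass(frozen=True)
class AccessRule:
    approved_devices: frozenset
    approved_locations: frozenset
    work_hours: tuple   # (start, end) as hours, end exclusive

# Constructed example rules keyed by username (illustrative values only).
RULES = {
    "alice": AccessRule(
        approved_devices=frozenset({"ws-finance-01", "ws-finance-02"}),
        approved_locations=frozenset({"hq-floor-3"}),
        work_hours=(8, 19),
    ),
}

def evaluate(attempt: LoginAttempt, rules: dict = RULES) -> Decision:
    """Combine device, location and time-of-day checks into one decision."""
    rule = rules.get(attempt.user)
    if rule is None:                      # no profile for this user: fail closed
        return Decision.DENY
    device_ok = attempt.device_id in rule.approved_devices
    location_ok = attempt.location in rule.approved_locations
    start, end = rule.work_hours
    time_ok = start <= attempt.hour < end
    if device_ok and location_ok and time_ok:
        return Decision.ALLOW
    # Unknown device from outside the approved perimeter: treat the
    # password as compromised even though it was entered correctly.
    if not device_ok and not location_ok:
        return Decision.DENY
    # Partial mismatch (approved workstation after hours, or a known
    # location on a new device): hold and let an administrator decide.
    return Decision.REVIEW
```

A correct password never reaches the ALLOW branch on its own; the profile has to agree with it.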
Transparent Security that doesn’t impede employees
The benefit to the user is they simply don’t have to think about things. There is a system working quietly in the background to ensure a fluid user experience for everybody.
The other good news is that organisations can take context-aware security one step further to spread good behaviour and improve the user experience. The trouble with dedicated security training these days is that people forget what the IT department teaches them and lapse back into bad habits.
Context-aware security can nudge users in the right direction, for example alerting them to suspicious uses of their password. Who better to take control of security than the users themselves? Solutions that communicate with employees in this way will help disseminate good user behaviour, create a security-aware culture throughout the organisation, and ensure a consistent and non-invasive user experience all round.