SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
The value of trust in the age of data breaches
Fri, 30th Oct 2020

Change is in the air. From the United Kingdom and the United States to Australia, governments are implementing more robust cybersecurity and authentication programmes, and local governments should take notice.

In a recent research report commissioned by an insurance comparison service, it was determined that small businesses bear the brunt of 43% of all cybercrime targets in Australia, and that the online activities of nearly half of Australian employees have put the organisations they work for at risk.

A recent report from Avast suggests that cyber breaches have risen in Australia over the past twelve months, and that PC users are nearly 5% more likely to experience an attack than they were in 2019.

It is also well documented that the COVID-19 situation has opened up many more attack vectors for enterprising cyber-criminals to target, with a swathe of the population in Australia now working remotely, without the protections of enterprise-grade firewalls and network security.

The Australian Cyber Security Centre (ACSC) reports that it continues to receive reports of Australians losing money or personal information in COVID-19-related scams. It has also responded to 20 cybersecurity incidents affecting COVID-19 response services and disrupted more than 150 malicious COVID-19-related websites with assistance from Australia's major telcos.

Many people see the damage of personal data theft firsthand. Since it is practically impossible to avoid using the internet today, all parties are put under increasing pressure to implement better security practice to protect their personal information.

Governments are no exception. The Australian Government's Australian Signals Directorate (ASD) has issued the PROTECT framework, which aims to encourage safer online practices as well as multi-factor authentication across public and private enterprise. Governments worldwide seek identity solutions that deliver not only improved security, but also privacy, interoperability and better user experience.

To better serve citizens, while meeting public expectations for personal data safety, governments may want to leverage industry-backed certification, instead of rebuilding their own from scratch.

In the world of digital security, one of the most influential cross-industry alliances is the FIDO Alliance. FIDO champions simple, strong authentication, making the case that user data cannot be hacked from a server if it remains on the user device.

An example of this can be seen in Australia.

A recent announcement from the ASD represents a significant step forward in their guidance on the use of strong authentication – and lays the groundwork for other governments across the globe to easily leverage authentication products certified by the FIDO Alliance without creating their own certification programs. The FIDO Alliance certifies authentication devices to verify that they comply with FIDO specifications and meet certain security profiles.

ASD's recommendation is significant; it may be the first time that a government has opted to recognise FIDO's certification program, rather than try to create one of its own.

In January, ASD's Australian Cyber Security Centre (ACSC) published updated guidance on implementing multi-factor authentication that highlights the benefits of FIDO U2F authentication.

Quoting from the ACSC website, “Multi-factor authentication is one of the most effective controls an organisation can implement to prevent an adversary from gaining access to a device or network and accessing sensitive information.”

This follows recognition of the value of FIDO authentication from governments like the United Kingdom (via NCSC recommendations) and the United States (via NIST guidance).

But trust was a key challenge here - how could the government trust identity solutions that it did not issue?

While there had been some early efforts in 2011 – when NSTIC first launched – to certify a handful of non-government identity solutions for government use, the FIDO Alliance certification program stood out. The existing, globally recognised certification program was developed through thousands of hours of volunteer efforts by both industry and government, who have partnered to develop both the program as well as the underlying standards that enable simpler, stronger user authentication.

As other governments around the world consider how to best leverage identity and authentication solutions from outside of government, they have the benefit of relying on an existing, globally recognised certification program. In embracing strong authentication, there is no better time than now.