Behind the glare of recent hacks, some companies actually paying homage to data protection

Pro-active efforts set breach protection as a corporate priority
Written by John Fontana, Contributor

While more stories on corporate hacks rolled into the bad news bin last week, the good news was some executives and enterprises have been paying attention - and taking action.

Among this news and its associated nasty consequences, we pause to recognize some bits of hope for more secure days ahead.

While ex-Equifax CEO Richard Smith recently said the thought of a hack kept him up at night, it seems his words were more a revelation that he was sleeping during the work day.

Meanwhile, Jim Routh has been wide-awake during his day job as Aetna's chief information security officer. He is overseeing a new authentication system to replace passwords and providing a bright spot for a health-care industry often criticized for its inadequate security.

Also, the folks at SAP seem to have their lights on, announcing an acquisition designed to aid the company in satisfying authentication requirements for upcoming European Union mandates on data privacy.

And Google increased the lumens shining on its security game, according to news reports, with a forthcoming hardware-backed authentication system using cryptography to protect at-risk users such as corporate executives, politicians and others with heightened security profiles.

Are these lights at the end of the tunnel? It's likely too early for that, but these developments are akin to a star escaping from a black hole.

"Passwords as binary authentication tools have been standard but are really reaching an end of life," Aetna's Routh said in an interview with Information Security Media Group.

Aetna is eliminating passwords in favor of continuous behavioral authentication based on algorithms. The technology will be applied to mobile and web applications, and Routh cites security and ease-of-use as drivers.

SAP reportedly spent somewhere in the neighborhood of $350 million to acquire Gigya, which develops a customer identity and access management platform. SAP will use the technology in part to meet regulations such as the European Union's General Data Protection Regulation (GDPR) and the updated Payment Services Directive (PSD2) that go into effect next year.

Here' the light SAP sees in its efforts. A GDPR violation would result in a fine equal to 4% of revenue. For SAP, with $22 billion in revenue, that's an $880 million penalty - or $530 million more than what SAP paid for Gigya. The acquisition should make bean counters and the CISO happy - and the company's end-users safer.

We'll have to wait on Google's details, but it is extending and improving two-factor authentication that began with Google Authenticator and has extended to public key cryptography solutions based on FIDO Alliance protocols.

The only head shaking revelation this week is that ex-Equifax CEO Smith may drift away from his former company's carnage on a $7.6 million golden parachute.

We can only hope those doing the work to build better authentication systems eventually get the recognition they deserve.

(Disclosure: My employer is a member of the FIDO Alliance)

Editorial standards