Why employee login credentials are ‘the weakest link in security’

22 Sep 2023

Richard Morrell. Image: My1Login

Richard Morrell, CTO at My1Login, discusses the issues of passwords and traditional access credentials in relation to cybersecurity.

Richard Morrell is the chief technology officer at My1Login, a cybersecurity company that tackles the cybersecurity risks associated with corporate user identities, usernames and passwords through the provision of an identity management solution.

Morrell’s role at the company is to “facilitate an environment where people can create and innovate”.

He says that this is achieved through building systems and processes that remove barriers to getting things done, providing a safe space that allows the team to take risks and make mistakes, and “most importantly, attracting and empowering some great talent that help us to achieve the ambitious goals we have set ourselves”.

‘AI is playing a major role in the security industry’

What are some of the biggest challenges you’re facing in the current IT landscape and how are you addressing them?

The challenges we most frequently hear about from enterprises relate to the security risks associated with leaving the management of employee credentials and passwords in the hands of the workforce.

Traditional single sign-on (SSO) solutions typically help protect a small subset of core enterprise applications, but the real risk to enterprises is the data stored in cloud applications that IT teams are unable to integrate with existing SSO solutions, or are simply unaware of, creating blind spots in enterprise security.

Malicious actors have come to understand that workforce access credentials offer them keys to the digital kingdom of the enterprise, so they are constantly developing innovative ways to target employees with phishing scams or exploit password reuse by using workforce passwords that have already been exposed on the dark web.

Unfortunately, many people fall for the scams because the scams are too sophisticated to detect to the untrained eye or people are too busy to give them the proper scrutiny required. Then when criminals manage to steal the credentials, they access the corporate network, perform a data breach or execute ransomware.

This is a key challenge that businesses face today, as they need a way to safely manage access for their entire workforce, without compromising security or impacting productivity.

My1Login addresses the risks of the blind spots created by traditional identity management solutions by providing the most widely compatible solution on the market, and this can be configured to run in the background, meaning no user interaction or training is required. Our solution removes passwords from the hands of users and automates the enforcement of password policies on external applications to heighten security, increase employee productivity and make it much harder for criminals to execute a successful, password-based cyberattack.

What are your thoughts on digital transformation in a broad sense within your industry?

In the last few years there has been a major drive among all industries towards digital transformation. This has typically been centered around migrating services to the cloud, although more recently we’re seeing AI emerge as a digital transformation workstream.

This has had both positive and negative impacts.

From a positive standpoint, digital transformation has acted as an enabler, allowing enterprises to access a level of agility, scalability and resilience historically unattainable with on-premise applications and infrastructure.

However, the possible downside is that it all comes with increased cyber risk.

As enterprises provide the workforce with more remote access to systems and cloud applications, it increases the attack surface. It also makes it harder to know whether the person accessing the corporate services and data is who they say they are. Unfortunately, in many instances this access is undertaken by a malicious actor with stolen, reused or easy-to-guess employee credentials.

This is a major challenge for businesses as they need to find a way to maintain security across all distributed applications and infrastructure, particularly as their network grows through the deployment of cloud applications.

Sustainability has become a key objective for businesses in recent years. What are your thoughts on how this can be addressed from an IT perspective?

As businesses grow, they inevitably use more resources. They take on more staff, more services and add new functions and capabilities to their offerings. This can lead to duplication, silos and service offerings that are poorly integrated or not integrated at all – especially if the expansion is rapid. It’s then IT’s responsibility to not only install, maintain and support these disparate systems, but to find a better solution. It’s the IT team who then have to expend the effort and energy to bring order to this chaos by making the existing systems faster, more accessible and easier to use for the business, whilst finding efficiencies and cost savings that help the business maintain its competitive edge.

The first step on that journey is having tools that help the IT team to discover and track what is being used within the business, which in itself is a challenge with home and hybrid working still being a popular choice with employees. Then the process of standardising and rationalising can begin, which allows the business to benefit from economies of scale and reduced consumption of IT resources, whilst releasing cost savings as a result of removing duplication of software licenses and services.

What big tech trends do you believe are changing the world and your industry specifically?

AI is playing a major role in the security industry, which is both exciting and alarming.

Firstly, innovations in AI are opening doors of opportunity, such as lowering the coding barrier to entry, alleviating repetitive security tasks and also aiding cyber detection.

However, in tandem with this, it is also widely being used by nefarious actors.

Today, criminals are relying on tools such as FraudGPT to target businesses with phishing emails and scams with a speed and accuracy never seen before. AI can be prompted to create the most realistic phishing emails, which are perfected down to the font, tone and artistic style of a business, and encourage victims to hand over sensitive information, such as bank information or corporate login details.

This is a worrying trend which again heightens the importance of using a modern identity management solution that can remove passwords from the hands of the workforce, so they are unable to reveal their login details, even when faced with a highly sophisticated, AI-driven attack.

What are your thoughts on how we can address the security challenges currently facing your industry?

Employee login credentials are widely regarded as the weakest link in security because enterprises have too many to comprehensively manage. Every employee holds multiple corporate logins and it becomes an impossible task for them to remember these without resorting to insecure practices.

This is the key challenge businesses face today, because as soon as one of these logins falls into the wrong hands, it is the business that faces the devastating consequences.

My1Login helps enterprises address this challenge by removing passwords from the hands of users. This means the workforce no longer needs to remember multiple passwords; they simply log in to their computer as normal and then gain secure, unobtrusive access to the apps they are permitted to use.

Employees can access systems without seeing the passwords, vastly reducing the likelihood of a password-related breach and closing the door on phishing attacks.
