Whether you’re talking about online banking, digital health passports or online shopping, there’s practically no service on the Internet today that does not rely on a login procedure that verifies the identity of the user and ensures the protection of their digital identity. Given the sensitive nature of personal data, customers have very high expectations of providers’ login procedures. Users generally trust IT decision-makers – but is this leap of faith justified and are companies fully exploiting the security measures available for protecting customer data? The representative Nevis Security Barometer 2021 provides some revealing information about the discrepancy between optimal security convenience and the flawed priorities of some IT decision makers.
In April 2021, the IT experts at Nevis surveyed 500 German IT decision-makers and 1,000 German consumers aged 14 and over for its representative Security Barometer in cooperation with the opinion research companies Civey and mo’web research. The study is dedicated to topics such as password security, login behaviour and the use of passwordless multi-factor authentication in companies.
Focusing on customer expectations: people want maximum security
The IT decision-makers included in the Security Barometer 2021 are unanimous in their assessment of sensitive customer data. A large proportion of the information requiring special protection is data from the healthcare and finance sectors which is used in digital services: banking and financial data occupy the first place with 67.2 per cent and, according to the IT decision-makers, are particularly worthy of protection. Health data follows in second place with 63.8 per cent and online account login data in third place with around 55 per cent. The results are in line with the desire of many companies to offer their target groups a secure digital customer experience. In just under 60 per cent of the companies, the customer journey has a high to very high significance, of which 37.4 per cent fall into the “very important” category.
Ten per cent of companies are forgoing enhanced IT security measures
In practice, the application of suitable security measures is not as widespread as the claims of some companies would suggest. Although the minimum length of passwords is enforced in 61.8 per cent of cases and a regular change of access data is carried out in around 50 per cent of cases, particularly secure two-factor authentication (2FA) is used in less than half of the companies surveyed (48.5 per cent). To make matters worse, more than ten per cent of the experts surveyed completely forgo increased IT security precautions – there is room for improvement here. After all, 2FA is ideally suited for comprehensively protecting sensitive data from hacker attacks due to its combination of several identification criteria such as PIN and password as well as at least one biometric piece of information. The consequence of these shortfalls is that security convenience is not fully optimised and customer needs are not satisfied.
Insufficient need for action versus optimal security convenience
The many reasons cited against passwordless authentication can be traced back to a single common core: IT decision-makers currently see no need to adapt their authentication procedures. The answer “no objections” to passwordless authentication came first with 28.2 per cent, followed by satisfaction with the existing method (24.6 per cent). What is dicey is the third-placed reason, given by almost one in five IT decision-makers: the topic is simply not currently a priority. Considering the potential dangers, the high percentage making this statement is quite worrying, especially since it should be part of any IT decisionmaker’s job to be very familiar with the relevance of data and password security and the consequences of a cyberattack for companies. The different security measures in companies are thus not due to a lack of expertise, costs (9.5 per cent) or a lack of resources for implementation (5.3 per cent). It is simply the mindset and the subjective risk assessment made by the IT decision-makers that determine the type of authentication used and thus the level of protection of customer data.
Without a doubt, IT decision-makers are well aware of their customers’ needs and expectations. To live up to them, companies usually follow the standard requirements for login procedures, such as a twelve-digit password. But as soon as it comes to the use of new, secure authentication methods that enable optimal security convenience, many IT decision-makers hesitate. Apparently, new methods such as passwordless authentication or 2FA are still not being given enough attention to persuade the majority of respondents to change their existing procedures – to the detriment of customers and the companies themselves. What is urgently needed is a new prioritisation by the experts that will focus their attention on the consistent optimisation of their own as well as the company’s internal security awareness.
By the way: Nevis has summarised further results of the study among consumers and a survey of 500 IT decision-makers on the topic of IT and login security in the new Security Barometer 2021.