iPhone X and Security: Becoming James Bond and Protecting Your Organization
Published September 21, 2017 • By Karen Walsh • 4 min read
When Apple announced its high tech facial recognition software, the iPhone X and security suddenly stepped out of the dark and into the light. For many, the ability to hold up a phone and unlock it with your face seems like something out of a James Bond movie or a science fiction spy book. We may not have Marty McFly’s hoverboards on our sidewalks, but we will have James Bond-esque biometrics in our hands. Where do iPhone X and security overlap? Looking at the compliance landscape, the reasons for the iPhone X FaceID are the same reasons you need to secure your password management program. If you’re looking for the compliance equivalent of smartphone technology‘s ease, complete this form to schedule an appointment with one of our GRC experts.
How the iPhone X and Security Concerns Correlate
Two-factor and multi-factor authentication requirements are rapidly becoming business norms. Protecting data means finding as many ways as possible to thwart malicious intentions. Security analysts have long noted that facial recognition isn’t that safe. In fact, Samsung even admitted that the Galaxy S8’s recognition software was flawed in the early stages. Many security professionals have therefore been wary about Apple’s FaceID. Unlike others facial recognition programs, however, the Apple model uses 3D scanning to create the saved image. This means that it looks at more data points and angles to make its recognition as precise as possible. For everyday users, the available information is contentious. Apple argues that FaceID is safer. News outlets argue that there could be better options. Some even argue that it would be safest to require passcodes, so why move on to face scanning if that isn’t actually a security upgrade?
Why You Need to Promote Security Awareness
One of the largest security flaws in any organization is its employees. Human error and human laziness are two of the largest reasons that Apple is moving to facial recognition technology. The same problems plague your organization. Why not continue to unlock smartphones with passcodes? Because people don’t make strong passwords. They use easy-to-remember passcodes or default passcodes. In fact, in the wake of the Equifax breach, news outlets noted that the company used “admin” as the password for one of its non-US databases. Technology companies created facial recognition and fingerprint identification in response to ongoing security awareness problems. These are precisely the problems that put your organization at risk. If employees don’t understand the value of protecting their own information, they may not understand the value of protecting yours.
How to Incorporate Security Awareness into Your Information Security Management System
Just because an organization understands the value of security awareness, it might not easily incorporate that understanding into its information security management system (ISMS). The goal of any ISMS is to mitigate security risks. Training employees is the cornerstone of that mitigation. The problem is that trainings need to occur more than once a year. They need to be ongoing and engaging—if people don’t see the value, they tune out. Security awareness needs to be more than a top-down mandate governed by your IT department. Employees need to understand that just as others are protecting them, they need to help protect you.
Why an Effective Information Security Awareness Program Needs You to Be James Bond
To promote security awareness, you need intelligence on employee habits. Though you’re not walking around in a tuxedo carrying your stirred martini, you’re still sleuthing. Understanding employee habits and weaknesses requires documentation of your compliance standards and controls. Whether you’re reviewing user authentication settings or creating a password management program, you need to go undercover to understand how employees are engaging with your systems. Gaining intel doesn’t mean looking over employees’ shoulders. If you send out fake phishing emails to test employee savvy and employees still click through, then your trainings aren’t working.
Why Automating GRC Is the iPhone X of Infosec Compliance
GRC automation and the iPhone X FaceID fulfill the same ease of use function. Where FaceID intends to ease the consumer burden of passcode strength, GRC automation eases the burden of security documentation, reporting, and tracking. Documenting security awareness training means engaging in metrics that involve all employees. To do this, you need to track new employees as well as current employees. You may have to follow up with employees who did not take the training. You have to make sure that they pass the training with the grade required by your policy. Moreover, employee education may be an objective for more than one program. You need to be able to map that objective easily across the different programs and standards. Then you need easy access to reports that show your compliance. With the ability to incorporate multiple standards into your program, you have the ease of one-touch reporting capabilities. Instead of having to review multiple pages of spreadsheet documentation, you can more easily compile the data for your auditor. With a single source of truth, you can easily and seamlessly prove your compliance. Just as consumers simply need to look at their phones to turn them on, you simply need to push a button to prove your compliance. Whether you like your martinis shaken or stirred, what you undoubtedly will like is the ability to meet audit documentation requirements easily. To see how you can become James Bond, book a demo, tuxedo optional.