Motivated by the need to minimise losses arising from unauthorised access and activities, local companies are increasingly deploying biometric-based security solutions. In southern Africa, over 60 000 fingerprint scanners now control the physical access for 2.5 million employees, making it one of the world's biggest markets for biometrics.
For several years, organisations have been replacing cards, PINs and passwords with fingerprint-based identification to strengthen physical security and more accurately monitor people's attendance and location. Biometrics has demonstrated consistent effectiveness within environments ranging from mines, factories and warehouses to offices, colleges and residential estates.
What is fuelling the increased use of biometrics?
The large-scale adoption of biometrics within physical security has been driven by its ability to accurately identify people and to manage their access and activities accordingly. Cards, PINs and passwords (CPPs) are not an effective way to identify people: for example, one person can use another person's card, or clock-on for that person.
This form of abuse is so widespread within payroll solutions that for some organisations the biometric business case is based on straightforward ROI: biometrics pays for itself by preventing the losses caused by buddy-clocking. Make the investment, cut the losses. Simple as that.
In other organisations, the investment in biometrics might be based on the need to prevent and deter theft by strictly controlling and monitoring access to specific areas. Once again, biometric-based security is considered a cost-effective means of reducing losses.
IT security risks created by CPPs
Most organisations are reliant on passwords or cards and PINs to authenticate IT users and authorise their activities. And yet the exploitation of these credentials is the most common method for gaining unauthorised access to corporate systems and sensitive data. They are so frequently exploited because they are so easy to exploit.
As a security measure within physical access solutions, it is acknowledged that the inherent insecurity of CPPs is caused by four fundamental flaws: they are all routinely lost, forgotten, shared and stolen.
Make the investment, cut the losses. Simple as that.
Mark Eardley is channel manager at SuperVision Biometric Systems.
When CPPs are used to control IT access, their flaws create huge security risks. Everyday, they are used by insiders and outsiders to make fraudulent payments; modify and delete data; and to steal sensitive information.
And the damage caused can be astonishing: a futures trader at the French bank, Soci'et'e G'en'erale, used colleagues' passwords to make rogue trades that cost the bank about R45 billion in 2008...
False security
So why isn't corporate IT leveraging the proven security benefits of biometrics to minimise losses caused by unauthorised IT activity?
Should corporate IT be taking a closer look at modern biometrics?
Perhaps people are so accustomed to using CPPs that the direct consequences of their abuse are overlooked. Can it be that users' familiarity with CPPs is nurturing a false sense of IT security?
In an effort to curb IT-based crime, companies might introduce strong passwords and two-factor authenticators such as chip and PIN cards, but are they ignoring the fact that these credentials are just as easy to share, forget and lose as their simpler predecessors? Are companies really just polishing poop as the losses continue to rise?
A strong password is more likely to be written down than one based on a name. So-called smart cards still get shared when someone leaves theirs at home, or in another office or in the car. It was reported last year that even American presidents have mislaid the 'biscuit', a card with the numbers that unlock a briefcase containing nuclear launch codes. Bill Clinton apparently lost his for several weeks, and Jimmy Carter is said to have sent his to the dry cleaners with a suit.
Replace CPPs with biometrics; it's a straightforward swap. Out with old, in with the new.
Whenever an IT user is required to use to a card and PIN or password, this can be replaced with a request to scan their fingerprint. It is possible to replace CPP-related dialogue boxes with a 'biometric prompt'. The software that enables this is typically used with fingerprint scanners, since this form of biometric technology is one of the most reliable and easiest to use.
IT security can certainly learn much from biometric-based access control within the physical environment. Largely as a result of trial-and-error, that market is dominated by one brand of fingerprint scanners. Costly experience has shown that not all technologies are the same: few work and many don't.
So, the next time there is an IT security breach that was based on the abuse of CPPs - and which ones aren't? - perhaps biometrics should be considered as a means to really secure the IT systems. Companies may well be surprised by how easy they are to introduce, and by their ability to stem the losses caused by unauthorised access and activity.
Share