NEC’s Gohringer cuts through the misconceptions that surround biometrics and puts forward the business case for the integration of biometric technologies into a company’s security strategy.
Bond movies will always be associated with state-of-the-art technology, but few of the products he uses or encounters ever make it into the real world. A car that turns into a submarine might be nice to have or an umbrella that transforms into a rope ladder useful on the odd occasion, but their uses in everyday life are limited.
There is one exception to the James Bond rule – biometrics – the technology that uses unique, physical geometry to identify and authenticate individuals.
According to market research group Frost & Sullivan, the biometrics market will reach a phenomenal $2.05 billion by 2006 (it was valued at just $93.4 million last year).
Concrete evidence for the growth in biometrics is starting to proliferate. The Home Office has announced that it is planning to install biometrics in 10 UK airports by the middle of next year to assist immigration control. The Nationwide Building Society is running extensive biometrics tests using iris scans in place of PINs at cash machines. Most recently, the Home Secretary announced that national ID cards – to be phased in over the next five years – will incorporate biometric data access via fingerprint recognition.
However, for most organisations, there are two understandable questions that need to be answered before biometric identification will reach the boardroom agenda:
1. "When budgets are tight, what is the business case for investing in yet more security technology?"
2. "Aren't there fundamental drawbacks with biometric technology?"
The second issue is currently the source of most controversy in the media. For years films such as Minority Report have presented a rather superficial interpretation of biometrics. Eyes have been gouged out to gain access to computer networks and "fake" or severed fingers used to access a building.
The reality is far less dramatic. As the use of biometrics becomes more common place, people will realise that the risk is no greater than being forced to reveal a password or to hand over an access swipe card. Indeed, the risk is much less, thus representing an improvement over and above the existing solution already in place. In fact, one of the key benefits of biometrics is that even if an 'identity' such as an access card or password is stolen, without the correct authenticating biometric, access will be denied. The same applies to the sharing of passwords, helping businesses and organisations control who can and cannot access certain areas.
In addition to the physical risk, with biometrics comes the perceived threat of 'Big Brother', with concerns of data compilation and movement monitoring. While there is no escaping the fact that in the wrong hands this could be the case, in reality the threat is no greater than your bank recording the cash points you have accessed, mobile phones being used to track your whereabouts, a supermarket using loyalty cards to track your spending patterns or in fact, a security company monitoring the comings and goings of staff via CCTV.
There is no doubting that to dispel the notion of a Big Brother state an education programme is needed to highlight the benefits of biometric security (e.g. the ability to protect a person's identity, the near elimination of passport fraud and the ability to store important data without the threat of unauthorised access). However, the greatest support will be won once biometric security is fully integrated into daily processes, whether logging on to the network at work or withdrawing cash without the threat of skimming from a cash machine.
The business case for biometrics, once explained, clearly demonstrates three primary reasons as to why a business should adopt biometrics:
· To improve an organisation's security by providing positive identification of individuals accessing your premises and networks
· To save large sums of money by eliminating user provisioning and password management
· To increase usability and convenience to staff
What's the point of spending a vast amount of money protecting and securing your networks if you still can't positively identity who is accessing them? Obviously none but this is exactly what most companies are currently doing.
Standard corporate user IDs and passwords used to govern the physical and virtual access to a company and / or network tend to follow the same format. The most common being the first letter of the user's first name and the whole of their surname for a username i.e. cgohringer for Carl Gohringer. The bottom line for a business is that IDs can generally be cracked with one or two educated guesses. So assuming there is little or no security around IDs, a company's security depends solely on the strength of passwords.
Again, if you know a little about the people whose passwords you are trying to guess, it often does not take much to figure it out. There are plenty of available password cracking utilities easily accessible on the Internet to help you out.
The question is how big an issue are ID/password breaches? It's difficult to be precise, but we do know that 60-70% of hacking attacks have an internal source (i.e. are conducted by people who know something about each other and for whom, ID/password theft would be relatively simple). And, to give you an idea of the financial impact, last year 39% of Fortune 500 companies suffered an electronic security breach at an average cost of $50,000 .
Biometrics tackle this problem by providing a truly unique individual identifier. If access to either a building or network is controlled by a smartcard containing biometric templates, you can be sure that only the valid owner of the card will be able to access those resources. Access rights to different buildings and rooms can also be set – via the smartcard - for each individual; and with emails increasingly being used as legally binding documents, biometrics can guarantee identity by requiring the user to supply their fingerprint when digitally signing them.
Ant Allen, research director at analyst house, Gartner Group, sums up the benefits of biometric human authentication: "It is unique to the individual, not something that somebody else decides will be your password, shared secret or token. Passwords can be learnt by various means and tokens can be stolen, but biometrics cannot."
Increased convenience, less money wasted
The ID/password combination is also inconvenient for staff and financially inefficient for companies to manage.
Just think about the number of passwords you may have to remember in a given day: the password for your office network; the number to access voicemail on your phone; the 'unlock' code for your PDA and so on.
Inevitably, passwords are forgotten or compromised on a daily basis, which results in the IT department being pestered for a new code. The cost of maintaining passwords is costly and with this in mind, the ROI on biometrics is commonly realised in less than a year. IT staff are then freed up to focus on other, potentially revenue-generating issues.
In place of this often forgotten, easily hacked, regularly shared password, a biometric smartcard gives employees single-sign-on access to the corporate network, which eliminates the need to remember numerous passwords and PINs and removes the cost of managing them for the IT department.
The present and future of security
The benefits of biometrics can potentially run much deeper. For example, many public sector organisations see biometrics as a useful tool for improving customer service. In a hospital environment, facial recognition can identify a patient on arrival and ensure their medical records are ready for when they arrive at reception, enabling them to be instantly directed to the appropriate ward.
However, the purpose of this piece is to examine the impact on bottom line. In this respect, the case for biometrics is extremely powerful. Not only are they an essential tool to prevent your business losing large sums of money to cyber crime, on a day-to-day basis biometrics can dramatically reduce management and administration costs.
So next time you see James Bond or Tom Cruise battling biometrics in the movies, consider their potential for saving you money and giving your business robust insurance against the financial risk of hacking.