In a recent interview with SafetyDetectives, Julia O’Toole, CEO of MyCena Security Solutions, discussed her journey and the founding motivation behind her innovative approach to password security. O’Toole’s personal struggle with password management led her to develop a breakthrough technology inspired by ancient security practices. MyCena offers SEAM solutions, which empower companies to manage encrypted passwords like keys, eliminating the need for employees to know any passwords. O’Toole also addressed alarming cybersecurity trends, the hidden impacts of breaches, and how the “Zero Trust” philosophy aligns with the future of password security. She emphasized the importance of adapting to remote work challenges through advanced security measures like those offered by MyCena.
For decades I had password nightmares and could not find a way to solve my problem. The solutions on the market, such as password books or password managers, were all unsafe, because they all had single points of failure. If you lost your book or your master password, you would have lost all of the keys to your digital life. After years of research in mathematics, neuroscience and technology, it was a travel back in time that triggered the solution.
I was wandering among the ruins of the 3,000-year-old ancient Greek city of Mycenae when I observed how the ancient Mycenaeans had used the city’s architecture to protect their assets. They had built concentric walls around the city: you had to pass a first gate, called the Lions’ Gate, to enter the city, then a second to access the garrison, then a third to access the king’s palace. There I had an epiphany: “A password is just a key. No one cuts their keys to get home. We take the right key to open the right door. In the same way, no one needs to know any passwords; you just need to use the right password for each account.”
Inspired by the security of the ancient city of Mycenae, we devised the Method of Access of Structured Stored Data and developed a state-of-the-art technology that facilitates the management of encrypted keys. It allows companies to easily generate and distribute highly secure encrypted passwords for each system in real time to employees, who then use them like keys. Consequently, employees never know any passwords and yet can open every digital door.
MyCena provides SEAM (Segmented Encrypted Access Management) solutions. From a console and without infrastructure change, companies can manage and distribute encrypted passwords for each system to users, who use them like keys. Companies can also monitor who has accessed what and when in real time from the console.
The most alarming trend is employees knowing company passwords. It is responsible for 95% of breaches. Today, most organisations let their employees create their own passwords to access their systems and data. This is like letting their employees bring their own keys to access the office or factories. As passwords can be shared, stolen, sold, reused and socially engineered, this is a 10/10 in the CVSS scoring system. All it takes is for a criminal to log in using a compromised password or identity, and all cybersecurity investments are rendered useless. That explains why billions of dollars are spent on cybersecurity, yet companies continue to get breached.
Another very alarming trend is using people’s identity for access. Identities are unique. Each person’s face, voice and fingerprint cannot be changed. Biometrics are just data, which is a series of zeros and ones. That means that once stolen, the damage is irreversible, the person is digitally dead, and their identity can indefinitely be used to commit fraud without them knowing. Biometrics are also not secret information, as voices and faces can be retrieved from photos, videos and recordings and, thanks to AI, easily reused to make deepfakes.
Another alarming trend is password training. No matter how trained you are, if you create and know the password, criminals can steal it from you and use it to log in. With 2FA being so easy to steal, the combination of password training and 2FA is very weak protection and creates a false sense of security. To avoid such risks, employees should not be creating their company access credentials or knowing them.
A password-related security breach is similar to someone stealing the key to a site. If the criminal finds a privileged access that gives command and control of part or the whole of the network, this can lead to business interruption, ransomware, data loss, identity theft, espionage, lawsuits, class actions, repair and recovery costs, reputation loss and even bankruptcy.
Beyond the operational costs, the impact down the road, sometimes years after the breach, can be prosecution of directors and officers that can lead to hefty fines and prison.
Once in the network, criminals can also leave backdoors so they can come back for another round later.
“Zero Trust” is a buzzword, but the philosophy of not trusting people, because people make mistakes, is a sound one. Mistakes are exactly what Segmented Encrypted Access Management prevents. By ensuring people don’t know the passwords of their organisation, they can no longer make mistakes. This is the future of password security.
With the rise of remote work, the attack surface for criminals has expanded and they can more easily target people in their own homes. As people often use the same or similar passwords for personal and work accounts, one phished or socially engineered password from any personal or professional account can be used to access the company network, and vice versa.
Companies can adapt very quickly by making sure their employees never create or know their passwords. As there is no infrastructure change required, MyCena SEAM (Segmented Encrypted Access Management) solutions can be implemented for all their access (RDP, SSH, web apps, local apps, IAM, PAM, SSO, legacy systems…). That puts an end to password phishing, reuse, sharing, writing, browser-in-browser or MiTM attacks, and stops 95% of breaches before they can happen.
Companies can also use the IP restriction and device restriction features on MyCena to make sure employees can only access their company applications and data from certain locations using only authorised devices, and to prevent them from saving company passwords in their browser.
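To make the pattern described across the interview concrete (per-system passwords generated and sealed centrally so that no employee ever sees them, one encryption key per system so that segments stay isolated, IP and device restrictions checked before a credential is released, and an audit trail of who accessed what and when), here is an added illustration in Go. It is an editor's example, not MyCena's code and not a description of how their product is built; the `Broker`, `Provision` and `Access` names, the AES-256-GCM sealing, and the stand-in `login` callback (which plays the role of an RDP/SSH/web client that injects the password on the user's behalf) are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// AuditEvent records who tried to reach which system, from where, and when.
type AuditEvent struct {
	User, System, Device, IP string
	Allowed                  bool
	When                     time.Time
}

// segment holds one system's password under its own AES-256-GCM key, so that
// a leaked segment key exposes that one system only (constructed design).
type segment struct {
	key    []byte // 32-byte key, unique per system
	sealed []byte // nonce || ciphertext+tag of the password
}

// Broker is a hypothetical credential broker for this example only.
type Broker struct {
	segments   map[string]*segment
	allowedIPs map[string]bool   // IP restriction
	devices    map[string]string // user -> authorised device identifier
	Audit      []AuditEvent
}

func NewBroker(allowedIPs []string, devices map[string]string) *Broker {
	b := &Broker{segments: map[string]*segment{}, allowedIPs: map[string]bool{}, devices: devices}
	for _, ip := range allowedIPs {
		b.allowedIPs[ip] = true
	}
	return b
}

// Provision creates a random 32-character password for a system and seals it.
// The plaintext is never returned, so neither admin nor employee learns it.
func (b *Broker) Provision(system string) error {
	raw := make([]byte, 24) // 24 random bytes -> 32 base64url chars, no padding
	if _, err := rand.Read(raw); err != nil {
		return err
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	sealed, err := seal(key, []byte(base64.RawURLEncoding.EncodeToString(raw)))
	if err != nil {
		return err
	}
	b.segments[system] = &segment{key: key, sealed: sealed}
	return nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce prepended
}

func unseal(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// Access enforces the IP and device policy, unseals the system's password and
// hands it straight to the target's login routine (standing in for a client
// that injects it). The user only ever receives a yes/no, never the password.
func (b *Broker) Access(user, system, device, ip string, login func(password string) bool) (bool, error) {
	ev := AuditEvent{User: user, System: system, Device: device, IP: ip, When: time.Now()}
	defer func() { b.Audit = append(b.Audit, ev) }() // every attempt is logged
	if !b.allowedIPs[ip] {
		return false, fmt.Errorf("ip %s not authorised", ip)
	}
	if b.devices[user] != device {
		return false, fmt.Errorf("device %s not authorised for %s", device, user)
	}
	seg, ok := b.segments[system]
	if !ok {
		return false, fmt.Errorf("no credential provisioned for %s", system)
	}
	pw, err := unseal(seg.key, seg.sealed)
	if err != nil {
		return false, err
	}
	ev.Allowed = login(string(pw))
	return ev.Allowed, nil
}
```

Two design points are worth noting. Policy checks run before `unseal`, so a request from an unauthorised IP or device never causes the password to be decrypted at all, and every attempt, allowed or denied, lands in `Audit`; that is the property a console operator wants when reviewing who reached what. Keeping a separate key per segment means a compromise of one system's key does not unlock the others, which is the "segmented" part of the idea the interview describes.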