Marr made his comments today to coincide with Data Privacy Day in Australia, also observing that as technology has changed, data privacy laws have had to evolve, especially in making it easier for consumers to understand and influence how their data is being used.
“GDPR itself was a response to consumer demand for privacy and security, and it serves as a benchmark for other data privacy laws, including Australia’s,” added Marr.
According to Marr, as cyber threats multiply in volume and the techniques used to target institutions and their users become increasingly sophisticated, we are seeing more regulatory changes in Australia.
“This year alone, we expect to see more progress on regulatory guidance around access control, user access management, robust password policy and strong authentication baked into proposed laws in Australia such as the Online Privacy Bill, Critical infrastructure bill and Trusted Digital Identity Bill.
“Identity and access management will become a compliance .
These regulations mandate the need for organisations to safeguard against unauthorised access to their information assets and IT environment. The onus is on organisations and service providers to ensure their users can securely access the correct content at the correct time, while managing the complexity of the number of platforms, devices and user interfaces,” Marr said.
According to Marr, organisations now need to force the issue to protect themselves and their customers.
“Authentication is much more than an email and password combination. One Time Passcodes and biometric security are mainstays of Multi-factor Authentication (MFA), but consumer-facing businesses have often avoided them. The fear is that they add friction to the customer journey,” Marr said.
“In fact, Auth0 research found that 83% of consumers have abandoned their cart or sign-up attempt because the login process was too difficult. Consumers want to use digital services, but if the login process is clunky or frustrating, they will take their businesses elsewhere.
“Marketers are often apprehensive that cybersecurity will take away from user experience. Striking the right balance between convenience, security, and privacy, can be the difference between building trust and frankly telling your customers to go elsewhere.
“Friction is really a spectrum depending on the risk of any given transaction. A consumer may not expect a massive amount of friction when they log into an online subscription account to read the news, and the risk associated with someone pretending to be the user in that context is also relatively low.
“However, a customer changing his bank details in an app and finding a second layer of authentication missing is going to question the legitimacy of the bank’s security measures. Good friction is friction any user would expect, based on the risk that someone else is logging into the user account, unauthorised.”
Marr says technology is getting better at allowing Australian organisations to take a more extensible approach to security and user experience that maximises both - and notes that the same Auth0 research found that Australian organisations are twice as likely compared to their European counterparts to currently offer customers the ability to log in with the use of social logins, biometrics, and MFA.
“Adaptive technologies are designed to introduce friction only when necessary, without impacting the customer experience. If you log in from Australia and five minutes later from Singapore, use a password that was stolen in a recent data breach, or someone with a known bad IP address tries to access your account, Adaptive MFA would trigger an additional layer of security to verify your digital identity.
“Security best practices like Adaptive MFA and Breached Password Detection are examples of ‘good friction’. They interrupt the customer journey only when needed, and provide valuable reassurance that a business has a good handle on the security of their users’ accounts.
“Organisations that prioritise data privacy end up with a stronger infrastructure and the ability to market themselves to consumers as more secure. Companies seeking to comply with increasing data privacy laws without compromising on a great user experience need to combine passwords with additional factors presented only when needed (i.e. adaptive), to avoid introducing more friction to users,” Marr concluded.
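The three step-up triggers Marr describes (impossible travel, a password seen in a breach, a known bad IP) as a minimal adaptive-MFA decision function. This is an added illustration, not Auth0's code; the breach hash set, the denylisted IP and the 1000 km/h travel threshold are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

# Constructed sample data (not real threat intelligence): SHA-1 hashes of two
# passwords treated as breached, and one denylisted address from TEST-NET-3.
# A real deployment would consult a breach corpus and an IP reputation feed.
BREACHED_PASSWORD_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper() for p in ("password123", "qwerty")
}
BAD_IPS = {"203.0.113.7"}


@dataclass
class LoginEvent:
    user: str
    ip: str
    lat: float
    lon: float
    ts: int        # Unix seconds
    password: str  # plaintext as submitted at login; never stored


def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def risk_signals(prev, cur, max_kmh=1000):
    """Return the set of adaptive-MFA triggers fired by `cur`, given the user's previous login."""
    signals = set()
    if prev is not None:
        hours = max((cur.ts - prev.ts) / 3600, 1e-9)  # avoid division by zero
        if km_between((prev.lat, prev.lon), (cur.lat, cur.lon)) / hours > max_kmh:
            signals.add("impossible_travel")
    if hashlib.sha1(cur.password.encode()).hexdigest().upper() in BREACHED_PASSWORD_SHA1:
        signals.add("breached_password")
    if cur.ip in BAD_IPS:
        signals.add("bad_ip")
    return signals


def requires_step_up(prev, cur):
    """Policy: any fired signal means a second factor is demanded; none means passwordless-smooth login."""
    return bool(risk_signals(prev, cur))
```

A login with no signals proceeds without extra friction, which is the "good friction" behaviour the quote describes: the second factor appears only when one of the risk conditions is met.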