The economics of digital identity

The problem is that there are far more of these ways today than there ever have been before—and that’s made the whole situation more challenging, not just in terms of managing digital id

Sponsored by

of digital identity

About this research 2

Contents

1 2 3 4 5 6

The economics of digital identity assesses the role

identity plays in the digital economy The report is written by The Economist Intelligence Unit (EIU) and sponsored by Oracle

The report is based on a survey of 201 IT executives from North America, which was conducted in February 2015 Respondents were drawn from a range of industries, including 18%

from manufacturing and 14% each from financial services and IT and technology Of these, 55%

represent companies with up to US$1bn in annual revenue, and 45% companies with US$1bn or more

The report also incorporates interviews with the following experts and advisers:

James Ryan, managing partner, Litmus LogicIra Winkler, president, Information Systems Security Association (ISSA) and Secure MentemChris Hankin, professor of computing science and director, Institute for Security Science and Technology at Imperial College LondonStephen Bonner, partner, KPMG

The EIU would like to thank these interviewees for their time and insight

The report was written by Jessica Twentyman and edited by Riva Richmond

Welcome to the digital economy, where whole industries are being fundamentally reshaped as organisations scramble to build new business models, tap new markets and create new sources of competitive advantage The dynamics of

digitisation that first emerged in industries such as music and video can now be seen everywhere—

from the labour market, where jobs are matched to freelance workers in real time, to the

manufacturing sector, where 3D designs can be shared across the world in an instant

By 2020, say analysts at US-based IT market research company Gartner, more than 7bn people worldwide will use over 35bn connected devices to communicate, collaborate, negotiate and perform transactions over web and mobile channels Vast legions already do so today—and for all of us, both

as consumers and employees, digital identity is our passport to this online world of goods and services

There will be winners and losers in this future of all-enveloping digital connectivity In the rush to open up new digital channels, businesses cannot afford to lose sight of the need to identify and engage with individuals using a huge range of mobile devices Understanding and managing digital identities is becoming critical because a single view of an individual customer is the key to knowing that person better and building a deeper relationship with him or her

“The opportunity here for businesses is vast It’s

as big as the Internet itself But the way that a vast majority of businesses think about digital identity is

outmoded, outdated They need to catch up,” says James Ryan, a consultant and co-founder of Litmus Logic, which advises large companies on their security strategies, as well as the brains behind several technical standards in digital identity

“The market opportunity here is precisely this huge because so many organisations are dealing with the digital-identity management challenge according to old ways of thinking It’s the organisations that can learn to look at digital identity in new ways that will be the winners.” But the risks are also immense, Mr Ryan acknowledges Those that handle digital-identity data badly could trample customers’ privacy concerns and potentially lose their loyalty Those that get it really wrong could leave digital-identity data vulnerable to theft Personal data, after all, are

as valuable to cybercriminals as they are to business

“There have always been ways of verifying people’s identity online The problem is that there are far more of these ways today than there ever have been before—and that’s made the whole situation more challenging, not just in terms of managing digital identities but protecting them from hackers,” says Ira Winkler, best-selling author and president of the Information Systems Security Association (ISSA) and Secure Mentem, a security consultancy

The message is clear: companies must have a well-considered approach to the use and protection of these data in an age in which earning customers’ trust—and not letting them down—is essential to future prosperity

Risk and reward: Mastering identity in the digital economy

1

According to a new survey of 201 senior executives

in North American companies, conducted by The Economist Intelligence Unit and sponsored by Oracle, the race to digital is well under way

Almost two-thirds (64%) say digital channels are highly important to their company’s revenue—

“mission critical” for 27% and “very important” for 37% The strategic importance of digital will only rise over time: In 2-3 years’ time digital platforms will be highly important at 71% of the

organisations surveyed

The challenge of managing digital identities is not new to businesses Trusted identity information helped spearhead massive business and economic transformation and growth during this young century E-commerce blossomed, for example, as online shoppers became increasingly confident about sharing their credit-card details online But

it was not until around 2008 that digital identity began to receive the widespread attention it now commands, says Chris Hankin, professor of computing science and director of the Institute for Security Science and Technology at Imperial College London

“In a sense, this issue has been a bit of a slow burner, but thanks to hyperconnectivity, it’s now something that every organisation needs to deal with,” he says

Professor Hankin identifies 2008 as a tipping point for two reasons: it was the year when smartphones started to be manufactured in large volumes (Apple’s second-generation 3G iPhone was launched that year, quickly followed by wave after wave of competing devices) and that social networking site Facebook started to see adoption rates skyrocket

The rise of the digital economy

2

Source: Economist Intelligence Unit survey.

How important are digital platforms, such as the web, mobile, social media and Internet of Things, to your company’s revenue now? And how important will they be in three years’ time?

(% respondents)

Chart 1. Digital channels will be “mission critical” to over one-third of companies in three years’ time

Now Three years’ time

Mission-critical, our primary revenue channel(s) are digital leadership Very important, digital channels are very important, but not central, to our business Moderately important, we use digital channels but they are not very important to our business Minimally important, we use digital channels but they are not important to our business Not at all important; digital channels are not at all important or not used by our business

27 38 37 35 22

17 11

6 3 3

“As time went on, we started to see questions raised about what data are being collected about us—and by whom—and a wider discussion began around some of the challenges that we’ll face as a society as a result,” he says “By around 2011 or

2012 it had become clear that, if collecting digital information about people’s identity could provide considerable commercial opportunities to businesses, it might also be a point of concern for the individuals concerned.”

Today, far richer digital-identity information looks set to drive new opportunities and news ways

of working Power is shifting dramatically in the direction of the “owners” of that information and

opening the door to further disruptive democratisation of markets, as younger, more agile upstarts, such as on-demand transport company Uber and peer-to-peer loans provider Lending Club snatch business from older, more established companies

The overwhelming majority of respondents to the EIU survey are already engaged in external business activities that require them to manage digital identities, including online commerce (68%), social media (55%) and mobile commerce (44%) But as Professor Hankin points out, they are also increasingly aware of the responsibilities that data stewardship entails

The EIU survey shows that companies are well aware of the responsibilities of holding digital identities and are taking them seriously When asked to identify their company’s top three digital-identity challenges, security is cited by almost three-quarters (72%) of respondents, followed by privacy (44%) and managing legal or regulatory requirements (36%)

According to Mr Winkler of the ISSA, many companies could be doing much more to prevent costly security breaches He is a great advocate of security awareness training for both employees and customers as a useful, inexpensive first step, especially to promote secure password practices

For now, executives seem confident about their companies’ abilities to handle digital identities

When it comes to managing the risks related to identity—chiefly security, privacy and fraud—60%

of respondents rate their abilities as

“substantially” or “somewhat” ahead of their peers Likewise, 50% believe they are ahead of their peers in collecting and managing digital-identity data, while 47% believe themselves to be leaders in using digital identity to cut costs

But they should be wary of an “optimism bias”, says Mr Ryan of Litmus Logic “Everyone thinks their chances of experiencing problems in these areas are pretty [low], until a serious issue demonstrates that they were, frankly, wrong about that.”

Confidence levels are less high when it comes to the use of digital identity for other purposes Only

43% of respondents consider their organisations to

be above average in using digital identities to enter new markets, while 17% consider themselves below average Similarly, in terms of monetising the personal data they hold, only 39% rate themselves as leaders, while 19% believe they lag behind (see chart 2)

When asked how prepared they are to address information security requirements involved in storing and using digital identities, only 19% say their organisations are “very well prepared” Of the remainder, 48% are “somewhat” well prepared, and 26% are only “moderately” prepared

There will be many more challenges ahead as organisations seek to build secure experiences for millions of customers who move continuously between new digital channels and platforms As the Internet of Things (IoT) takes flight, whole networks of smart products—from smart lawnmowers to heart monitors to intelligent utility meters—will start exchanging data, reporting on their status and receiving instructions remotely

At the same time, these smart products will also give manufacturers and retailers a direct line of insight into people, says Stephen Bonner, a partner in information security at management consultancy KPMG and former global head of information risk management at financial services company Barclays

“Most of the focus today is on individuals and their personal data, but increasingly digital identity will need to be closely tied to their use and

Hurdles in the race to digital

3

ownership of smart products,” he says.

By 2020, analysts at IT research firm Gartner reckon, there will be around 26bn devices installed worldwide that are capable of these kinds of machine-to-machine (M2M) communications The EIU survey, meanwhile, shows that 31% of respondents say they are already engaged in IoT activities requiring identity data, and a further 53% say they will be in the next three years

But how safe will these data be? In February

2015 electronics giant Samsung caused a stir when

it issued a warning to customers against discussing personal information in front of their smart televisions When its voice-activation feature is switched on, a Samsung Smart TV can listen to what

is said and may share what it hears with Samsung

or third parties, the company said.1

Source: Economist Intelligence Unit survey.

Collecting and managing digital-identity data Cutting costs by using digital identity Managing risks related to identity (eg, security, privacy, fraud) Monetising personal data

Using digital identity to enter new markets

Compared to your peers, rate your company’s level of digital-identity success.

(% respondents)

Substantially above average Somewhat above average Average/On par with peers Somewhat below average Substantially below average

Chart 2. Respondents are most confident in their ability to manage identity risks

1 Samsung Global Privacy

Policy – SmartTV supplement,

Samsung, February 2015.

There is clearly much work still to be done After all, the ways in which companies can fruitfully use digital-identity data are more complex than older identity credentials such as credit and debit cards, which primarily enable financial transactions and tracking Identity data will dictate individual participation in a whole range of activities:

allowing homeowners to set the temperature on their smart-home thermostat remotely; enabling

an automotive designer to view plans for next year’s top-secret, high-profile vehicle launch; and giving an energy company engineer access to control systems in a nuclear power plant

Given the new opportunities and risks, it is no surprise that interest abounds in improving digital-identity sophistication Indeed, executives anticipate a rise in activities—often complex ones—that will require them to up their game In the future, manufacturers might sell customers the right to 3D-print physical designs Instead of just shipping a product, the seller must now manage usage rights, entitlements, subscriptions and intellectual capital protection This is an altogether different and more complex set of capabilities than making and shipping physical objects

Right now, levels of confidence tend to be higher when it comes to using digital identity in internal processes The majority of survey respondents (55%) say they are using identity data for research and development (R&D), with a further 26% planning to do so within one year Meanwhile, 54% are using them for process automation (to

speed up transactions requiring identity data, for example), with a further 31% preparing to do so in the next year Fifty-three percent use digital identities for employee information-sharing or collaboration and 50% to improve products or services, while a further 27% and 29%, respectively, plan to do so in the next year When it comes to product and service personalisation, 44% use digital identities today, and a further 32% will do so in the next year Exactly the same proportions use, or plan to use, digital identities to deliver customer self-service capabilities (see chart 3)

But strikingly, the question of using third-party digital-identity data provokes a mixed response Many in the industry point to an emerging model, where companies that already have an established track record and reputation in managing digital identities—banks, credit reference agencies and social media companies, for example—create a new business for themselves in offering to authenticate users for other providers of online services

“So, in order to log into my national tax authority and file my annual return, I might use my online-banking credentials,” explains KPMG’s Mr Bonner “It’s more convenient to me as a consumer It’s faster and more cost-efficient for the organisation—in this case, the tax authority—that needs to authenticate me And it recoups the money that my bank has already invested in identity management, as well as creating a new income stream for them We’re starting to see the

Preparing for a hyperconnected future

4

beginning of an ecosystem around this idea of digital identity as a brokered service.”

This concept of an “identity ecosystem” was at

the heart of a 2011 White House report, National

according to Professor Hankin at Imperial College London Private companies, the report notes, already use a variety of approaches to correctly identify customers, most often with usernames and passwords

“The complexity of this approach is a burden to individuals and it encourages behaviour—like the reuse of passwords—that makes online fraud and identity theft easier,” the report says “Online businesses are faced with ever-increasing costs for managing customer accounts, the consequences of online fraud and the loss of business that results from individuals’ unwillingness to create yet another account Moreover, both businesses and government are unable to offer many services online, because they cannot effectively identify the individuals with whom they interact.”

Whenever there’s a large-scale password breach, notes Mr Bonner, “you absolutely see an uptick in fraud at other organisations, because it invariably turns out that customers are using the same passwords across multiple services.”

The EIU survey shows that eight out of ten respondents say their organisations currently use

at least one type of third-party identity provider for customer and/or employee identification,

authorisation or validation, with the majority using several different sources Employee services providers are cited most often, with 61% of respondents saying their organisations use providers of this sort One-half use social media providers, while identity assurance providers are the least popular, cited by 44%

But far fewer executives say their organisations plan to use these third-party identity sources two years from now and, for those who continue to do

so, provider diversity looks set to drop considerably First, three in ten will not use any third-party identity providers in two years’ time, compared with two in ten today The projected decrease in the use of third-party identity sources

is particularly noticeable when it comes to social media and employee services companies, where the number of respondents who expect their companies to use these providers in the future drops by half

Furthermore, while most of the respondents today use more than one source, when asked about their expectations for the future, the vast majority select just one option, suggesting that many organisations crave a simpler, more coherent approach to identity

Source: Economist Intelligence Unit survey.

Process automation (eg, faster transactions that require identity) Customer self-service

Product or service personalisation Product or service improvements Research and development Employee information sharing or collaboration Partner or supplier information sharing or collaboration

What internal business activities requiring identity data are you engaged in now or will be in the future?

(% respondents)

Engaged in now Preparing to do

within 1 year Expect to do 2-3 years from now No plans to do

Chart 3. Research and development and process automation are business activities involving identity data that most respondents are engaged in today