By Niall McConachie, regional director (UK & Ireland) at Yubico
Organisations today are facing an increasingly complex cyberthreat landscape, with some of the world’s most sophisticated and respected companies undergoing damaging attacks. To overcome emerging threats, having some cybersecurity tools – like multi-factor authentication (MFA) – in place is of course better than having none whatsoever. However, businesses that are heavily reliant on the use of outdated legacy authentication methods, like one-time passwords (OTPs), are more susceptible to a wider range of cybersecurity risks. This includes data breaches – one of the most serious and fundamental security problems faced today.
As the cyberthreat landscape continues to expand and evolve, it’s critical for corporations to consider more modern, yet effective, phishing-resistant cybersecurity strategies available. While legacy methods are more familiar and commonly used, there are alternative solutions which are especially effective at stopping sophisticated cyberattacks while also protecting individuals’ identities and private data.
Prioritising personal and professional data security
Organisations compromised by cyberattacks – such as a data breach – can face devastating consequences such as substantial financial, legal, and reputational costs. Findings from Yubico’s recentGlobal Enterprise Authentication surveyshow that following a data breach, 15 percent of companies experienced severe profit losses, another 15 percent had suffered significant reputational damages, and 20 percent were forced to temporarily suspend business operations. These incidents can affect customers and employees too, as critical data also consists of both personal and professional information.
To successfully carry out their attack, all attackers need is an entry point into a target’s system, which can come from anyone at any level. Therefore, to prevent their most sensitive information from being leaked, stolen, or extorted, it is vital for organisations to provide effective cybersecurity to all their employees. As global rates of cyberattacks targeting corporate login credentials are on the rise, this only emphasises the need for all corporations, not just global, to make cybersecurity a top priority.
Eliminating ‘band aid’ cybersecurity solutions
Reports state that both phishing and credential-stealing tactics were among the top five most prolific cyberattacks deployed in 2021. Nevertheless, many businesses – including international enterprises – still fail to follow current cybersecurity best practices and continue to use legacy authentication methods. Yubico’s findings show that 59 percent of organisations are still using usernames and passwords as their primary method of authenticating their corporate accounts.
Some businesses have implemented other common verification methods as their primary form of business-wide authentication. The survey revealed that 29 percent of businesses currently use OTPs or two-factor authentication (2FA), 33 percent use SMS and mobile verification apps, and 30 percent use password managers. However, like with passwords, these measures can easily be compromised by cyberattacks including man-in-the-middle (MitM) attacks, account takeovers, SIM swapping, password spraying, and phishing.
Rather than implementing more effective authentication solutions, companies often look to shore up existing – yet ultimately ineffective – cyber defences. For example, by increasing password length, enforcing regular mandatory resetting of passwords, implementing requirements around character combinations, and using technology to compare passwords against known breached passwords. These approaches are fundamentally flawed and continue to delay the introduction of effective phishing-resistant MFA.
Cybersecurity efforts should not be seen as a temporary fix or a non-critical business expense but prioritised as an ongoing and permanent necessity as part of organisations’ ongoing digital transformation strategies. To make meaningful steps towards stopping the rate of cyberattacks, organisations must stop trying to fix ineffective security solutions and consider them as vulnerabilities instead.
Passwordless authentication and cyber training
To match or surpass the level of sophistication as seen by modern cyberattacks, businesses of all sizes need more advanced and secure methods of digital authentication. Many organisations are opting for passwordless authentication, whereby alternative methods are used to secure online accounts. Those looking to steer their cybersecurity in this way should strongly consider adopting robust MFA solutions, like security keys, to integrate into their overall cybersecurity plan.
Legacy MFA has not worked against modern cyber threats due to inability to stop phishing and other account takeovers. Only solutions based on smart cards, personal identity verification (PIV) or FIDO protocols, such as security keys, are truly phishing resistant. These solutions require each party to provide evidence of their identity, but also to communicate their intention to initiate through deliberate action.
Findings from our research show that 61 percent of employees and 79 percent of VP-level staff see the value in MFA and believe their organisations should implement it, while 20 percent claim to already use MFA-like, hardware-based security keys as their primary method of digital authentication.
However, in order to ensure the success of a new solution – including MFA – full participation by all staff is needed. Therefore, it is important for corporations to provide frequent and up-to-date cybersecurity training. Of those surveyed, 54 percent of respondents stated they are not required to attend regular cybersecurity training and another 54 percent admit to writing down or sharing their passwords. When it came to discussing cyber hygiene practices, 61 percent of employees surveyed have needed to reset their accounts because of lost or forgotten login credentials, 39 per cent of employees have broken their mobile phones – which organisations commonly use to authenticate corporate accounts – and 29 percent have lost their mobile phones within the last two years.
These lack of basic cyber hygiene practices, paired with non-user-friendly and legacy authentication methods, can put organisations at great risk of a significant cyberattack, such as data breaches or ransomware attacks. As passwords have been the primary form of authentication for so long, thorough education, encouragement to follow current best practices, and new security policies are a must. Without proper training, users are vulnerable and may unknowingly allow malware into their organisation’s IT infrastructure by – for example – opening suspicious emails. Therefore, it is vital to teach staff how to avoid phishing scams and malicious content, follow current best practices, adopt, and implement the latest phishing-resistant MFA tools, and learn new authentication processes.