In recent months, intelligence experts and former government officials have warned that members of the British government have risked “Wild West” conditions when it comes to conducting national security affairs via personal devices and email accounts.
About the author
Niall McConachie, Regional Director (UK & Ireland) at Yubico
Alarmingly, some of these unsecured communications have been hacked by foreign agents.
While the stakes are extremely high for government and public officials conducting sensitive business in this way, the same applies to all organizations, whether in the public or private sector. In fact, poor cyber hygiene and weak business-wide cyber security practices expose organizations to data breaches, and these are significant gaps that need to be addressed by 2023.
The risk of leaving employees to fend for themselves
Data breaches are one of the most serious security issues we face today. Yet many organizations are not doing enough to protect their employees’ data or to educate employees about the cyber threats they need to combat. In fact, our own research found that 54 percent of employees are not required to go through cybersecurity training on a frequent basis, and nearly 57 percent of respondents admitted to using a work-issued device for personal use in the past 12 months. A significant number of workers also report having broken or lost their devices, which are often used to authenticate to company accounts.
Furthermore, the majority of employees still rely on the most basic forms of authentication as their primary way of signing in to their accounts, and these have proven ineffective against today’s most common credential theft tactics. For example, passwords are vulnerable to phishing, password spraying and man-in-the-middle (MitM) attacks, making them the least effective method of securing online data. As a result, we are seeing an increasing number of organizations (and individuals) moving towards passwordless authentication, where accounts are secured using alternatives to the traditional username and password combination.
Achieve phishing-resistant authentication
In an era of hybrid and remote work, it is critical to offer phishing-resistant multi-factor or two-factor authentication (MFA/2FA) for access to business applications across corporate-issued and personal devices. MFA/2FA requires a user to present two or more forms of identity verification as an additional layer of security before access is granted. However, not all forms of MFA/2FA are created equal. For example, one-time passwords (OTPs) sent via SMS and mobile authentication apps are the most popular form of 2FA. While any form of 2FA is better than nothing, these methods are vulnerable to phishing, MitM attacks, SIM swapping, and account takeovers. On the usability side, entering an OTP may seem relatively easy, but multiply that by the number of logins and apps used every day, and the friction soon increases. It also relies on the user’s device being charged and having a signal at the right moment – and of course, on it not having been misplaced or broken in the first place!
Organizations need to implement more modern and robust forms of authentication – which also provide a better user experience – by moving towards passwordless and adopting strong 2FA/MFA. For example, FIDO2 is an open authentication standard hosted by the FIDO Alliance that offers modern authentication options including strong single-factor (passwordless), strong two-factor and multi-factor authentication. FIDO2 reflects the latest set of digital authentication standards and is a key element in solving the problems of traditional authentication and eliminating the global use of passwords. It allows users to authenticate easily via devices with built-in security tools – such as fingerprint readers, smartphone cameras or hardware-based security keys – to access their digital information. These modern solutions have proven to be the most effective enterprise-wide cybersecurity options: they are user-friendly and bridge the gap between internal and external user authentication. In fact, FIDO2 security keys are considered the gold standard for phishing-resistant authentication and are mandated by standards bodies and the US government.
The importance of education and communication
Today’s workers increasingly recognize the need for better cybersecurity practices and training so that they can identify fraud and mitigate certain attacks themselves. Failing to educate employees about cybersecurity leaves them unprepared, both in knowing cyber hygiene best practices and in knowing how to deal with threats when they encounter them. Therefore, in addition to implementing more robust, phishing-resistant authentication, UK organizations must also enforce up-to-date and ongoing cyber training for all employees in order to reduce data breaches and other cyber-attacks. When communicating security changes to employees, it is also important to explain how easy the new authentication methods and processes are to use, and to outline the benefits in terms of both convenience and improved security.
Only with thorough training, planning and implementation of effective cyber security, along with modern authentication solutions, can organizations ensure they protect themselves against today’s increasingly sophisticated cyber threats.