In recent months, intelligence experts and former government officials have warned that members of the UK government have risked “wild west” conditions when it comes to conducting matters of national security via personal devices and email accounts.
About the author
Niall McConachie, regional director (UK & Ireland) at Yubico (opens in new tab)
Alarmingly, some of these unsecured communications have reportedly been hacked by overseas agents.
While the stakes are extremely high for government and public officials conducting sensitive business in this way, the same is also true for all organisations, whether in the public or private sector. Indeed, poor cyber-hygiene and business-wide cybersecurity practices risk exposing businesses to data breaches and are significant gaps that must be addressed in 2023.
The risks of leaving employees to their own devices
Data breaches are one of the most serious security problems faced today. Yet many organisations are not doing enough to protect their employees’ data and educate them on cyber threats in order to combat them. In fact, our own research has found that 54 per cent of employees are not required to go through cybersecurity training on a frequent basis and nearly 57 per cent of respondents admitted to using a work-issued device for personal use over the last 12 months. What’s more, a significant amount of workers report having broken or lost their devices, which are commonly used to authenticate corporate business accounts.
Furthermore, the majority of employees still rely on the most basic forms of authentication as their primary method to authenticate into their accounts, which have been proven to be ineffective against today’s most common credential-stealing tactics. For example, passwords are prone to scams such as phishing, password spraying, and man in the middle (MitM) attacks, making them the least effective method of securing online data. As a result, we’re seeing increasing numbers of organisations (and individuals) moving towards passwordless authentication, whereby accounts are secured with alternative methods to the traditional username and password combination.
Achieving phishing-resistant authentication
In the era of hybrid and remote working, providing phishing-resistant multi- or two-factor authentication (MFA/2FA) access to business applications across corporate-issued and personal devices is paramount. Adopting MFA/2FA solutions require a user to present two or more forms of identity verification as an added layer of security to permit user access. However, not all forms of MFA/2FA are created equal. For example, one-time passcodes (OTPs) sent by SMS and mobile authenticator apps are the most popular form of 2FA. And while any form of 2FA is better than nothing, these methods are vulnerable to phishing, MitM attacks, SIM swapping and account takeovers. On the usability side, keying in an OTP may seem relatively easy, but multiply that by the number of logins and apps used each day, and friction soon stacks up. Added to which, it also relies on the user’s device being charged, having signal at a particular moment – and, of course, it not having been misplaced or broken in the first place!
Organisations must implement more modern and robust forms of authentication – which also deliver a better user experience – by considering moving towards passwordless and adopting strong 2FA/MFA. For example, FIDO2 is an open authentication standard hosted by the FIDO Alliance, which offers expanded modern authentication options including strong single factor (passwordless), strong two- factor, and multi-factor authentication. FIDO2 reflects the most recent set of digital authentication standards and is a key element in addressing issues surrounding traditional authentication and eliminating the global use of passwords. It allows users to easily authenticate via devices with built-in security tools – such as fingerprint readers, smartphone cameras, or hardware-based security keys – to access their digital information. These modern solutions have been proven to be the most effective business-wide cybersecurity options which are both user friendly and bridge the gap between internal and external user authentication. In fact, FIDO2 Security Keys are viewed as the gold standard for phishing-resistant authentication and are mandated by standards bodies and the US government.
The importance of education and communication
Today’s workers increasingly recognise the need for better cybersecurity practices and training to ensure they can identify scams and mitigate certain attacks for themselves. Failing to educate staff about cybersecurity leaves them unprepared when it comes to knowing best practice cyber hygiene and how to deal with threats if they encounter them. Therefore, in addition to implementing more robust, phishing-resistant authentication, UK organisations must also enforce up-to-date and ongoing cyber training to all staff in order to successfully mitigate the rise of data breaches and other cyber attacks. When communicating security changes with employees, it’s also important to explain the ease of use of any new authentication methods and other processes, outlining the benefits when it comes to usability as well as enhanced security.
Only with thorough training, planning, and implementing effective cybersecurity, along with modern authentication solutions, can organisations ensure they are protecting themselves against today’s increasingly sophisticated cyber threats.