How to protect UK organisations from cyber attacks and data breaches

Niall McConachie, Regional Director (UK & Ireland) at Yubico, outlines the steps that must be taken to ensure that UK organisations are protected from cyber attacks.

Cyber attacks are a growing problem for organisations and their employees, and one that is only expected to worsen as cyber criminals’ tactics continue to evolve.

Ransomware, man-in-the-middle (MitM) attacks, password spraying, SIM swapping, and phishing are just some of the modern-day cyber attack methods that can result in costly damages to UK businesses, their customers, and employees.

The growing success rate of these attacks is partially due to outdated authentication methods and poor cyber hygiene practices used by organisations.

As these ubiquitous methods and practices have proven to be ineffective, UK organisations must reconsider how to better protect themselves from increasingly sophisticated and prevalent cyber threats.

The weakness of conventional authentication methods

Having some form of cybersecurity is better than none at all. However, companies that continue to use more basic forms of security increase their risk of being attacked, as some cyber attacks are capable of compromising login credentials such as passwords and PINs.

In fact, according to Yubico’s State of Global Enterprise Authentication survey, more than half of UK organisations are relying on outdated authentication methods, including the use of usernames and passwords (53%), mobile SMS authentication (24%), and mobile apps and one-time passwords (OTPs) (19%).

Concerningly, as reported by the survey, these widespread authentication methods are being used with the mistaken belief that they are the most secure ways to sign into both professional and personal accounts. This is understandable, given organisations, employees, and customers are often encouraged to use passwords and mobile OTPs or push authenticator apps.

However, these methods have been proven to be susceptible to common cyber attacks such as ransomware, phishing, MitM attacks, password spraying, and SIM swapping. What’s more, when it comes to mobile-based methods, such as SMS verification, OTPs, and digital authentication apps, not only can mobile devices be stolen, lost, or broken, but also security restrictions, reduced mobile network service, and low battery power are all factors which can limit a user’s ability to authenticate via a mobile device.

All of the aforementioned forms of cyber attacks and many others can evade traditional credential-based authentication methods and can lead to a devastating data breach.

As a result, targeted organisations, their customers, and employees can face major consequences such as financial, reputational, and even legal implications.

Poor cyber hygiene practices leave everyone at risk

It is important to note that cyber attacks are not just limited to organisations, but can directly impact customers and employees as well.

In the 12 months prior to the survey, 48% of UK participants experienced a cyber attack whilst at their place of work and 73% experienced an attack in their personal life. Therefore, businesses must evaluate how they can step in and help their users defend corporate networks against these risks.

How strongly employees value cybersecurity at work largely depends on how seriously the issue is taken by the organisations they work for. According to the survey findings, UK businesses consistently ranked low compared to other countries in taking business-wide cybersecurity seriously and educating their employees, with just 42% of respondents stating they are required to participate in frequent cyber training.

For example, 47% of UK survey respondents confessed to writing or sharing their passwords within the last 12 months, despite citing that having their login credentials stolen is a top cybersecurity concern. UK respondents also admitted to using a personal device for work (58%), allowing someone else to use a work-issued device (33%), and having an account reset due to lost or forgotten credentials (58%).

The most effective alternatives to passwords

These findings only emphasise the need for UK organisations to both improve their overall cybersecurity standards and better educate their employees on how to adequately protect themselves online, beyond using passwords.

To achieve these goals, UK corporations should consider more modern, robust, and user-friendly forms of multi-factor authentication (MFA) and two-factor authentication (2FA).

However, it is worth noting that there are different types of MFA and 2FA requiring either passwords or PINs, mobile or hardware-based devices or biometric identifiers, and so some methods are more secure than others.

Overall, strong MFA solutions – such as hardware security keys or identity credentials unique to a specific user, such as fingerprints – remove the reliance on passwords or mobile devices and allow users to seamlessly access their digital accounts by presenting phishing-resistant authentication.

Security keys aligned with FIDO2 protocols – internationally recognised standards that use public key cryptography to deliver strong authentication – are the best passwordless and phishing-resistant solutions for business-wide cybersecurity. Such solutions can also be used for both personal and professional accounts.

These methods also offer robust authentication which can be used with various digital devices, services, and accounts, reducing the number of times a user would need to log in.

Most importantly, organisations that adopt phishing-resistant, passwordless solutions can benefit from an enhanced security posture across the business and significantly reduce the risk of a cyber attack.

Ultimately, business-wide cybersecurity and the tactics needed to thwart emerging attacks should be a top priority for every organisation.

However, there is a significant disparity between the risks of cyber attacks and the attitudes displayed by UK organisations toward preventing them.

Employees at all levels can either be the biggest strength or weakness in their employers’ cybersecurity efforts.

Therefore, British companies must be more proactive in enforcing current cybersecurity practices and must provide robust passwordless security to protect their workforce and their critical infrastructure.
