By Niall McConachie, regional director (UK & Ireland) at Yubico
Data breaches can wreak absolute havoc on organisations and are one of the most serious security problems faced today. Not only can they cause severe financial damage, but they can also cause significant reputational damage that undermines consumer trust. Over the last year, many high-profile organisations have experienced cyberattacks that have compromised their employees’ personal and financial information, with some fined as a result of failing to prevent the attacks.
As the cyberthreat landscape continues to evolve and become more complex, organisations need to step up when it comes to the security measures they invest in, as well as the training they provide their workforce.
Outdated authentication methods
Despite organisations making huge progress when it comes to digital transformations (DX) over the last few years, many have neglected to strengthen their cybersecurity practices as part of their DX strategies. Instead, they are using outdated technology and procedures that aren’t in keeping with modern demands and threats.
Indeed, in a recent Yubico survey on global enterprise authentication trends, more than half (53 percent) of respondents admitted to relying on username and passwords as their primary method to authenticate into business accounts. Less than a quarter (23 percent) believed this method to be the most secure way to log in.
Overall, the findings from the survey showed that respondents didn’t appear fully confident in their organisation’s authentication methods: less than a quarter (24 percent) of employees surveyed felt the authentication options their organisation offers are extremely secure, and just over half (53 percent) thought they are secure enough.
When it came to alternative authentication methods, almost half (49 percent) of UK employees surveyed agreed that their organisation needs to upgrade to modern phishing-resistant MFA (such as a hardware security key). Indeed, most employees (87 percent) surveyed who already use a hardware security key to authenticate to their business accounts felt the authentication options their organisation offers provide enough security.
Reacting to cyberattacks
Among UK employees who had been exposed to a cyberattack at work in the last 12 months, more than a quarter (28 percent) said their organisation responded to the attack by resetting their password and username. Other measures respondents said their organisation implemented following the attack were updated or patched hardware (16 percent), a password manager (13 percent) and updated endpoint protection such as anti-virus, Data Leak Prevention software, APT monitoring or Windows Hello (20 percent). Less than a quarter (23 percent) of respondents were required to attend cybersecurity training following the attack.
This data reveals that organisations aren’t learning from the vulnerabilities that have been exposed and aren’t ensuring they tighten or upgrade security measures to protect their employees and the organisation’s critical infrastructure.
To combat data breaches, organisations need to implement more modern and robust forms of cybersecurity than simply resetting passwords and applying other ‘band-aid’ fixes. They should consider alternative user authentication measures such as phishing-resistant passwordless authentication and strong two-factor or multi-factor authentication (2FA/MFA). These modern solutions have proven to be the most effective organisation-wide options for authenticating both internal and external users while remaining user friendly. FIDO2 security keys such as the YubiKey are widely regarded as the gold standard for phishing-resistant authentication and are recommended by standards and government bodies such as NIST and CISA. The reason they resist phishing is structural rather than a matter of user vigilance: a FIDO2 credential is bound to the web origin it was registered for, so a look-alike site cannot obtain a valid login signature from the key, and the server additionally checks that the origin and challenge in the signed response are its own. A one-time code, by contrast, can be typed into any site, including the attacker’s.
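To make the origin-binding point concrete, the following is an added, constructed model of the FIDO2/WebAuthn login (assertion) ceremony; it is not code from the original article or from Yubico. It models a security key, the browser, and a relying party (server) for the assumed domain example.com, and shows why a login attempt from a look-alike domain fails twice over: the key is never asked for the real credential, and even if a tampered client forced the real rpId, the server rejects the response because the browser-supplied origin does not match. A real key signs with a per-credential private key (for example ES256) and the server stores only the public key; because the Python standard library has no asymmetric signature primitive, an HMAC keyed with a per-credential secret stands in for that signature. Everything else (rpId scoping, rpIdHash, clientDataJSON, origin, challenge and user-presence checks, signature counter) follows the WebAuthn verification steps.

```python
import hashlib
import hmac
import json
import secrets

# Constructed model of the FIDO2/WebAuthn assertion flow (added example, not
# the article's or Yubico's code). HMAC stands in for the asymmetric signature.
RP_ID = "example.com"            # assumed relying-party identifier
RP_ORIGIN = "https://example.com"


class Authenticator:
    """A security key. Credentials are bound to the rpId they were created for."""

    def __init__(self):
        self._creds = {}   # rp_id -> (credential_id, signing secret)
        self.counter = 0   # monotonically increasing signature counter

    def make_credential(self, rp_id):
        cred_id, secret = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[rp_id] = (cred_id, secret)
        return cred_id, secret          # a real key would return the *public* key

    def get_assertion(self, rp_id, client_data_json):
        # The browser derives rp_id from the page's real origin, so a
        # look-alike domain asks for a credential the key does not have.
        if rp_id not in self._creds:
            return None
        cred_id, secret = self._creds[rp_id]
        self.counter += 1
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        flags = b"\x01"                 # UP bit: the user touched the key
        auth_data = rp_id_hash + flags + self.counter.to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        sig = hmac.new(secret, signed, hashlib.sha256).digest()
        return cred_id, auth_data, sig


def client_data_json(origin, challenge):
    """The browser, not the page's script, writes the origin into clientDataJSON."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()


def rp_id_for(origin):
    """Browser rule: rpId must be the origin's host (or a registrable suffix of it)."""
    return origin.split("://", 1)[1]


class RelyingParty:
    """Server-side verification of an assertion."""

    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.creds = {}                 # credential_id -> [secret, last counter]

    def register(self, cred_id, secret):
        self.creds[cred_id] = [secret, 0]

    def verify(self, challenge, cdj, cred_id, auth_data, sig):
        cd = json.loads(cdj)
        if cred_id not in self.creds:
            return False, "unknown credential"
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("challenge") != challenge:
            return False, "challenge mismatch (replay or stale)"
        if cd.get("origin") != self.origin:
            return False, "origin mismatch: " + str(cd.get("origin"))
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        if not auth_data[32] & 0x01:
            return False, "user presence not asserted"
        secret, last = self.creds[cred_id]
        expected = hmac.new(secret, auth_data + hashlib.sha256(cdj).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        counter = int.from_bytes(auth_data[33:37], "big")
        if counter <= last:
            return False, "signature counter did not increase (replay or cloned key)"
        self.creds[cred_id][1] = counter
        return True, "ok"


def login(rp, page_origin, key, rp_id_override=None):
    """One login ceremony started by the page loaded from page_origin."""
    challenge = secrets.token_urlsafe(32)           # fresh per ceremony
    cdj = client_data_json(page_origin, challenge)
    rp_id = rp_id_override or rp_id_for(page_origin)
    assertion = key.get_assertion(rp_id, cdj)
    if assertion is None:
        return False, "key has no credential for rpId " + rp_id
    return rp.verify(challenge, cdj, *assertion)


def demo():
    key, rp = Authenticator(), RelyingParty(RP_ID, RP_ORIGIN)
    rp.register(*key.make_credential(RP_ID))
    return {
        "genuine": login(rp, RP_ORIGIN, key),
        # Victim lands on a look-alike domain: the key is never asked for the
        # real credential, so there is nothing for an attacker to relay.
        "phish": login(rp, "https://examp1e.com", key),
        # Even if a tampered client forced the real rpId, the server still
        # sees the real origin in clientDataJSON and rejects.
        "phish_forced_rpid": login(rp, "https://examp1e.com", key, RP_ID),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:18} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

Running the block prints one ACCEPT for the genuine login and two REJECTs for the look-alike domain. The counter check at the end is the part most often skipped in home-grown verifiers; it is what turns a replayed or cloned assertion into a rejection rather than a silent second login.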
Training and cyber hygiene
The findings also showed that it’s not only the authentication methods themselves that fail to instil confidence in employees, but also the education they receive about cyberthreats. 42 percent of employees in the UK are not required to attend frequent cybersecurity training, and approximately a quarter (24 percent) say it rarely or never happens. Meanwhile, only a third (33 percent) of employees say organisation leaders frequently share security trends or education about what is happening in the industry with their employees, while more than a quarter (28 percent) say this rarely or never happens.
Failing to educate employees about cybersecurity leaves them unprepared when it comes to knowing best practice cyber hygiene and how to deal with threats if they’re exposed to them. With the cyberthreat landscape constantly evolving, it’s vital that organisations are aware of new risks and that they communicate this with staff.
Given that so few UK organisations are appropriately educating their workforce about cybersecurity, it’s little surprise that so many respondents admitted to bad cyber hygiene habits in the last 12 months. These included using a work-issued device for personal use (49 percent), allowing someone else to use their work-issued device (33 percent), ignoring a software update for over a week (57 percent), not reporting a phishing attempt (31 percent) and either writing down or sharing a password (47 percent).
These habits can pose significant security risks to organisations, which can lead to a loss of money, draining of IT resources, and a damaged brand. Businesses should prioritise educating their teams on cybersecurity best practices to ensure all employees are aware of the risks and can avoid them.
Cybersecurity priorities
Overall, these findings show that organisations aren’t currently providing the cybersecurity measures and training required to identify scams and prevent attacks. To make meaningful progress towards stopping the increasing level of cyberattacks, organisations need to upgrade to more robust forms of authentication such as security keys. They must also require cybersecurity training for all staff that is kept up to date with the current threat landscape in order to mitigate the rise of data breaches and other cyberattacks.
Only with thorough planning, training, and implementing effective cybersecurity procedures, along with modern and robust authentication solutions, will organisations stand a better chance of protecting themselves from powerful and emerging cyberthreats.