Authentication is at the root of almost every type of cyberattack there is, but many of us remain blissfully overconfident about how secure our credentials are under the protection of an email address and password1234.
This week the government's latest cyber security breaches survey found that only 40% of businesses (35% of charities) have any two-factor authentication (2FA) in place to protect networks and applications with more than just a password.
This figure seems shockingly low, and is especially galling when viewed in combination with some other stats. Four in ten UK businesses and 30% of charities experienced a cyberattack in the last 12 months. Just 36% of people use password managers (US figures, but presumably also reflective of the UK), implying password re-use on an epic scale. Of course, firms may force some kind of password rotation on accounts, and some may store strong passwords in a browser, but still. Only one-fifth of companies provide cyber training, the government says, and 69% lack any form of cyber incident response plan, according to Orange Cyberdefense.
Which suggests that despite decades of warnings, advice, regulations, headlines, fines and scandals, the cyberthreat in general, and authentication in particular, is still not being taken sufficiently seriously, at least among SMEs. The overused meme of the dog in the burning house comes to mind. Fortunately multi-factor authentication (MFA) and cyber training are almost ubiquitous in large businesses.
Phishing - and why we still fall for it - is the subject of my keynote talk at Computing's Cybersecurity Festival next month (quick plug: it's on May 1st in London). Researching the topic has really opened my eyes to the fact that, in the absence of basic authentication checks, breaking into an organisation is embarrassingly easy. Any fool who can pay a phishing-as-a-service outfit can do it, no skills required, at very reasonable prices and with optional customer support. For the gangs this is their bread and butter. They have the tools, the knowhow and the motivation. Over time they have become very good at working the interface between psychology and technology, which is why cybercrime is the world's third largest economy.
Not all MFA is equal, indeed some has been shown to be pretty flimsy, but any MFA is better than no MFA at all. Microsoft, Google and others build MFA options into their OSs and platforms, there are hardware keys, biometrics and authenticator apps - so why aren't they more widely used? In the main, no doubt, it's just another of those things that drops down the agenda. Extra support hassle for the overworked IT team, unwelcome friction for users, no buy-in from management - and anyway, why would anyone bother targeting us?
Why wouldn't anyone bother might be a better question.
Recommended reads
Phishing is the most common first step in the chain that ends in a ransomware bomb exploding on the network. Penny Horwood has been taking a look at the evolution of the cyber gangs that are responsible for many of these attacks and at how they organise themselves into well-ordered professional units.
Computing's Cybersecurity Festival returns to London in May, where senior IT decision makers can learn about modern challenges, compare strategies with peers, and source solutions. Click here to register for free.