Phishing is a growing risk and concern for businesses today. There are 383,278 spam, phishing and malware attacks on the BBC every day, according to recent data from think-tank Parliament Street. That is up by 35% compared to 2020 data. Phishing attacks are a serious threat that can lead to ransomware infection. 59% of organisations that fall victim to a phishing attack are infected with ransomware as a result. As these threats escalate, what, if anything, can organisations do to protect themselves?
Phishing is the number one attack vector for bad actors
Phishing is a social engineering attack. It attempts to steal user data such as login credentials and credit card numbers. Such schemes are becoming increasingly sophisticated. They can easily trick people into assuming it is a normal email or text from a trusted person or reputable business, such as their colleague or bank.
There are multiple ways for businesses to help employees reduce these risks. We often hear ‘don’t click on links’, ‘don’t open questionable attachments’, ‘perform regular software updates’, ‘do not share information on unknown websites’, ‘install firewalls’ and ‘rotate your passwords’. Another popular piece of IT advice nowadays is to use authenticator apps. Nonetheless, none of these methods is foolproof.
So, how outdated have these methods become?
Passwords are a 20th Century solution, not 21st
If you rely on passwords alone to protect yourself from hacks, you are increasing your risk. Passwords do little to secure an individual’s identity, because individuals reuse the same or similar passwords across multiple sites and applications, so one leaked password can unlock many accounts.
Passwords are also only one layer of protection for your sensitive information. As a result, major players in the tech world are going passwordless. They are setting up alternative secure methods for logging in. Further to that, the recent introduction of Strong Customer Authentication (SCA) will force businesses to increase the steps of identity confirmation for customers when making purchases online.
The cracks in mobile authenticators
Mobile app authenticators are a good entry-level two-factor authentication (2FA) solution. However, they rely on employees using a personal smartphone, another security risk. The alternative is the business spending hundreds of pounds on a phone for each employee. It is no wonder most SMEs have not yet integrated 2FA or multi-factor authentication (MFA) across the organisation.
Furthermore, there has been a big rise in SIM-swap fraud. Between 2015 and 2020, cases increased by 400%. In a SIM swap, attackers have a victim’s mobile phone number transferred to a new SIM card under their control. This lets them receive the victim’s calls and text messages, including SMS verification codes, and so gain access to online bank accounts, messages and other sensitive data.
On top of all that, malware can work around authenticator apps, because they are just software. Most of these apps hold a cryptographic secret and use it to generate the codes that identify the user. If a bad actor steals that secret, they can generate valid codes and authenticate transactions on the user’s behalf. Authenticator apps that rely on one-time passwords (OTP) and SMS verification are the most susceptible to man-in-the-middle attacks, since the code itself is not tied to the site the user believes they are logging in to and can be relayed by a proxy site within its validity window.
So what other phishing solutions are there for businesses?
Enterprises have not universally adopted passwordless infrastructure, meaning we cannot throw away all our passwords and mobile authenticators overnight. However, some institutions claim to have reduced, if not eliminated, phishing attacks. Google says it has put an end to employee account phishing by requiring all employees to use U2F authentication with physical security keys.
Indeed, by using a low-cost physical layer of security, protection from phishing can be very effective. It is a must for organisations, especially those that deal with extremely sensitive information. The secure keys and cards that follow the FIDO Alliance standards (members include Google, PayPal, VISA, Microsoft, Apple) prevent brute force and man-in-the-middle attacks.
This is because the user must present and tap a physical card or key during the authentication process. There is no software to beat: the unique cryptographic key held inside the device must be present, otherwise authentication fails. To complete the identification process, the user must also enter a PIN code, which they set when the key is first activated.
What is more, FIDO-approved keys and cards are tied to the website they were registered with. If a user visits a malicious look-alike website, they will not be asked for FIDO authentication. Any login information the user does hand over to bad actors will not let them access the account via the real website, because they will not have the physical key required to authenticate.
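The two behaviours described above (a relayed OTP being accepted, and a FIDO assertion being tied to the genuine site) can be shown in a small simulation. The following is an added illustration, not code from the original article or from any FIDO or authenticator product: it implements TOTP per RFC 6238 with a constructed shared secret, and models the WebAuthn flow in which the browser records the page origin in the client data, the authenticator signs that data together with the relying-party (RP) ID hash, and the server checks the origin before trusting the signature. The signature is stood in for by HMAC-SHA256 so the script runs offline; a real key uses a per-credential asymmetric key pair. Site names and secrets are constructed sample values.

```python
"""Toy model: why a relayed OTP is accepted but a relayed FIDO assertion is not.
Added example, not the article's code. HMAC stands in for the authenticator's
asymmetric signature; hosts, secrets and challenges are constructed values."""
import hashlib
import hmac
import json
import struct
import time

# --- Part 1: one-time passwords (HOTP, RFC 4226 / TOTP, RFC 6238) -----------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Truncated HMAC-SHA1 of an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30) -> str:
    """TOTP: HOTP over the 30-second time step."""
    return hotp(secret, at // step)

def otp_server_accepts(secret: bytes, submitted: str, now: int) -> bool:
    """Typical server tolerance: current step plus one step either side."""
    return any(hmac.compare_digest(submitted, totp(secret, now + d)) for d in (-30, 0, 30))

def otp_relay_scenario() -> bool:
    """User types the code into a look-alike site; a proxy forwards it a few
    seconds later. Nothing in the code names the site, so the server accepts."""
    secret = b"constructed-shared-secret"          # constructed sample value
    now = int(time.time())
    code_typed_into_fake_site = totp(secret, now)
    forwarded_by_proxy = code_typed_into_fake_site  # unchanged in transit
    return otp_server_accepts(secret, forwarded_by_proxy, now + 5)

# --- Part 2: FIDO / WebAuthn-style origin binding --------------------------

def browser_collect_client_data(challenge: bytes, page_origin: str) -> bytes:
    """The browser, not the web page, fills in the origin it is really on."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                       "origin": page_origin}, sort_keys=True).encode()

def browser_allowed_rp_id(rp_id: str, page_origin: str) -> bool:
    """Browser rule: the RP ID must equal the page host or be a suffix of it."""
    host = page_origin.split("://", 1)[1].split(":", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)

def authenticator_sign(cred_key: bytes, rp_id: str, client_data: bytes) -> dict:
    """Signs rpIdHash || SHA-256(clientData), as a FIDO assertion does."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    to_sign = rp_id_hash + hashlib.sha256(client_data).digest()
    return {"rp_id_hash": rp_id_hash, "client_data": client_data,
            "signature": hmac.new(cred_key, to_sign, hashlib.sha256).digest()}

def rp_verify(cred_key: bytes, rp_id: str, expected_origin: str,
              challenge: bytes, assertion: dict) -> bool:
    """Server side: check type, origin, challenge and RP ID before the signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("origin") != expected_origin:
        return False
    if cd.get("challenge") != challenge.hex():
        return False
    if assertion["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False
    to_sign = assertion["rp_id_hash"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

RP_ID = "bank.example"                       # constructed relying party
REAL_ORIGIN = "https://bank.example"
CRED_KEY = b"constructed-credential-key"     # constructed per-credential secret
CHALLENGE = hashlib.sha256(b"constructed-challenge").digest()  # per-login nonce

def fido_login(page_origin: str) -> bool:
    """Full flow from the page the user is actually on to the server's verdict."""
    if not browser_allowed_rp_id(RP_ID, page_origin):
        return False   # browser never offers the credential to a foreign host
    client_data = browser_collect_client_data(CHALLENGE, page_origin)
    assertion = authenticator_sign(CRED_KEY, RP_ID, client_data)
    return rp_verify(CRED_KEY, RP_ID, REAL_ORIGIN, CHALLENGE, assertion)

def relayed_assertion_rejected() -> bool:
    """Second layer: even an assertion produced on a look-alike origin and
    relayed intact fails, because the signed origin is not the real one."""
    fake_origin = "https://bank-example-login.test"
    assertion = authenticator_sign(CRED_KEY, RP_ID,
                                   browser_collect_client_data(CHALLENGE, fake_origin))
    return not rp_verify(CRED_KEY, RP_ID, REAL_ORIGIN, CHALLENGE, assertion)

if __name__ == "__main__":
    print("OTP relayed by proxy accepted:", otp_relay_scenario())
    print("FIDO login on real site:", fido_login(REAL_ORIGIN))
    print("FIDO login on look-alike site:", fido_login("https://bank-example-login.test"))
    print("Relayed FIDO assertion rejected:", relayed_assertion_rejected())
```

The design point is that the OTP server has no way to tell where the code was typed, whereas the FIDO server sees the origin the browser recorded and the RP ID the authenticator signed, and rejects anything that does not match the genuine site. Detection follow-up on the server side is also cheap: a burst of assertions whose client-data origin does not match the expected origin is a strong signal that a look-alike site is in use.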
It is tempting to just stick to passwords and mobile authenticators. However, that may cost you much more in the long run. When it comes to cybersecurity, it is vital not to put all your eggs in one basket. Adding that physical layer of authentication can start reducing phishing in your organisation, and may even eliminate it.
Open Seas is a UK-based enterprise IT solutions company specialising in cyber security and data protection. Open Seas acts as a bridge between customers and best-in-class IT suppliers providing optimum solutions to their customers’ IT needs.
Open Seas offers affordable white-label Managed Detection and Response (MDR) cyber security services that MSPs can offer as MSSP services to all their customers, large or small, to manage advanced threats. The service combines a team of experts with a powerful technology stack, pairing network-based forensic technologies with experienced and skilled analysts, incident responders and reverse engineers. All organisations are at risk from cyber-attack; threat actors’ attacks are constantly on the rise and are aimed at organisations of every size. Using a sophisticated technology stack designed for defence in depth, with multiple layers of cybersecurity protection and AI technology built into a Security Information and Event Management (SIEM) system, Open Seas continuously monitors customers’ IT systems to thwart advanced threats.
In addition to its 24×7 cross-platform MDR service, the company provides Privileged Access Management and Zero Trust Network Access solutions, file synchronisation, replication, and backup products.
Open Seas is an official UK distributor for Neowave products including the Winkeo-C FIDO2 security key, Winkeo U2F and Badgeo smart cards.