SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Phishing-resistant authentication a key to breach prevention
Tue, 8th Aug 2023

Yubico's State of Global Enterprise Authentication Survey found that over half of ANZ employees rely on insecure authentication methods.

Yubico recorded that 65% of employees in Australia and 63% in New Zealand still rely on usernames and passwords as a primary means of authentication, surpassing the global average of 59%. 

22% of all respondents believed that basic login credentials were the most secure form of authentication, despite widespread awareness campaigns and corporate training highlighting password insecurity.

According to Yubico, a provider of hardware authentication security keys, equipping employees with phishing-resistant authentication methods is essential to safeguarding digital identities and preventing breaches.

Geoff Schomburgk, Regional Vice President of Asia Pacific and Japan, Yubico, says data breaches tend to occur when people reuse passwords, use easily guessed passwords, share credentials, or mistakenly click on malicious links.

"The least secure forms of authentication are still the most common. Unfortunately, Australia and New Zealand lag behind the world as the decades-old password authentication method remains dominant," says Schomburgk. 

Authentication methods include SMS-based one-time passcodes (OTPs), authenticator apps and other forms of multi-factor authentication (MFA). However, Yubico says many of these legacy MFA methods are highly vulnerable to being compromised by phishing and ransomware attacks.

The State of Global Enterprise Authentication Survey reported that a fifth of respondents in New Zealand and more than a quarter of respondents in Australia trusted mobile SMS-based authentication, which is widely seen as the most insecure form of MFA because of the high phishing risk.

"One-time passcodes or mobile authenticator applications used as a primary source of authentication are better than username/password alone but are not enough to protect digital identities against a breach," says Schomburgk.  

"Whilst enterprise MFA adoption in Australia and New Zealand still has a long way to go, it is not impossible to achieve with the help of modern, phishing-resistant MFA solutions available today." 

The Yubico survey found employees in Australia and New Zealand were among the least likely to use hardware keys to authenticate their business accounts, at just 15% and 13% respectively.

The Office of the Australian Information Commissioner (OAIC) Notifiable Data Breaches Report: July to December 2022 revealed 497 notifiable data breaches reported between July and December 2022, a 26% increase on the first half of the year. 

Notably, 350 breaches were attributed to malicious or criminal attacks, marking a 41% rise from the previous half, while 123 notifications were related to human error breaches.

"Attackers don't hack in, they log in. The recent Optus, Medibank, and Latitude Financial cyber attacks have all helped raise the awareness and importance and value of our digital identity and how easily it can be compromised," adds Schomburgk.

Phishing attacks that get the victim to either reveal sensitive information or download malware are one of the more common tactics cybercriminals use, and the tools they are using are becoming more sophisticated. 

Yubico says that trusting employees to use common sense or be extra vigilant is a great start to reducing breaches, but it is not enough to prevent attacks.

"Our mission at Yubico is to make the internet safer for everyone, and the shortcut to strong, reliable cybersecurity lies in adopting phishing-resistant MFA," concludes Schomburgk.