SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Rising cybersecurity threats prompt shift from traditional password methods
Mon, 27th Nov 2023

With an estimated US$10.5 trillion in annual damage from cyberattacks projected by 2025, a significant surge from 2015 levels, the demand for stronger cybersecurity methods has never been more pressing. According to Geoff Schomburgk, Regional Vice President, Asia Pacific & Japan (APJ) at Yubico, a leading provider of phishing-resistant hardware authentication solutions, this escalating threat is driving the need to move away from traditional, insecure password mechanisms.

"Passwords, which are highly vulnerable to theft, continue to be a major security concern. Stolen digital identities not only enable cybercriminals to impersonate compromised users but also provide access to additional credentials and sensitive information, which incur considerable costs for everyone," claimed Schomburgk.

Current multi-factor authentication (MFA) methods, such as SMS or mobile authentication, have been shown to be susceptible to phishing attacks. Phishing-resistant MFA, specifically passkeys, is emerging as a more robust and efficient way to safeguard businesses and individuals.

As defined by Yubico, passkeys are FIDO (Fast Identity Online) credentials that allow users to authenticate to websites and online accounts without a password. The FIDO2 standard simplifies the user experience, offers a variety of ways to verify user identities, and can use an external device such as a YubiKey to hold passkeys, supporting a transition away from passwords towards stronger, user-friendly methods.
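The property that makes a passkey phishing-resistant, which the article asserts but does not explain, is that the browser and authenticator bind each assertion to the origin and relying-party ID actually in use, and the server checks both. The following is an added, constructed illustration (not code from the article, Yubico or any FIDO library): it assumes a relying party `bank.example` and, to stay stdlib-only, replaces the authenticator's asymmetric signature with an HMAC stand-in; the rpIdHash, origin, challenge and signed-data layout follow the WebAuthn assertion structure.

```python
import hashlib
import hmac
import json

# Constructed demo: the relying party (RP) ID and origin the passkey was registered for.
RP_ID = "bank.example"
RP_ORIGIN = "https://bank.example"


def browser_client_data(origin: str, challenge: str) -> bytes:
    """The browser, not the web page, writes the origin it is really on into clientDataJSON."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def authenticator_sign(key: bytes, rp_id: str, client_data_json: bytes):
    """Authenticator side: authenticatorData starts with SHA-256(rpId) as supplied by the
    browser, and the signature covers authenticatorData || SHA-256(clientDataJSON).
    HMAC stands in for the real ECDSA/EdDSA signature (assumption for a stdlib-only demo)."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = b"\x05"                       # UP (user present) | UV (user verified)
    counter = (1).to_bytes(4, "big")      # signature counter
    authenticator_data = rp_id_hash + flags + counter
    signed = authenticator_data + hashlib.sha256(client_data_json).digest()
    return authenticator_data, hmac.new(key, signed, hashlib.sha256).digest()


def verify_assertion(key: bytes, expected_challenge: str, authenticator_data: bytes,
                     client_data_json: bytes, signature: bytes) -> bool:
    """Relying-party side: every check must pass before the login is accepted."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("challenge") != expected_challenge:      # replay protection
        return False
    if client_data.get("origin") != RP_ORIGIN:                  # origin binding
        return False
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():  # rpIdHash binding
        return False
    if not authenticator_data[32] & 0x01:                       # user-present flag
        return False
    signed = authenticator_data + hashlib.sha256(client_data_json).digest()
    return hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), signature)


def login_from_origin(key: bytes, challenge: str, origin: str, rp_id: str) -> bool:
    """Full round trip for a login attempted from a given origin / RP ID."""
    client_data = browser_client_data(origin, challenge)
    auth_data, sig = authenticator_sign(key, rp_id, client_data)
    return verify_assertion(key, challenge, auth_data, client_data, sig)
```

A login from the genuine origin verifies, while the same challenge relayed through a look-alike origin such as `https://bank-example.test` fails on both the origin and rpIdHash checks, which is exactly what an SMS one-time code cannot guarantee.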

In the wake of increasing cyber threats, Schomburgk emphasized that devices such as desktop PCs, mobile phones, tablets and smart gadgets were not originally designed with security built in, and that safeguarding digital identities requires a collective effort from organizations and individuals to embrace evolving cybersecurity protections.

Drawing a parallel between countries, Schomburgk noted that while Australia is not the United States, where phishing-resistant MFA sign-in methods have now been mandated for all federal agency staff, similar proactive cybersecurity measures are being rolled out. He referenced the Australian Signals Directorate's development of the 'Essential Eight', a baseline designed to help Australian organisations fortify their systems against compromise by cybercriminals.

According to the Australian Cyber Security Centre (ACSC) Annual Cyber Threat Report 2022, 76,000 cybercrime reports were lodged in the 2021-22 financial year, a 13% increase. Additionally, publicly disclosed software vulnerabilities (CVEs) increased by 25% globally, and Business Email Compromise (BEC) attacks caused over $98 million in financial losses, an average of $64,000 per report.

In terms of costs, the average loss per cybercrime report rose to over $39,000 for small businesses, $88,000 for medium businesses, and over $62,000 for large businesses, an average increase of 14%.

Affirming that the use of strong multi-factor authentication, as recommended in the Essential Eight, is a commendable initiative, Schomburgk cautioned that not all MFA is equally effective. He advocated phishing-resistant hardware security keys that hold passkeys, which he said offer the best form of authentication available.

He further encouraged implementing other Essential Eight recommendations, including restricting user access rights to what each role requires, routinely testing data backup and recovery procedures, and promptly patching high-risk software vulnerabilities.

Such adaptations, he reiterated, can not only help organisations map their cybersecurity maturity but also equip them to produce more robust risk management information for annual Environmental, Social, and Governance (ESG) reporting.

"Through our range of YubiKeys, Yubico is committed to making the internet safer for everyone. We encourage organisations to adopt these cybersecurity controls to prevent fraudsters from disrupting our digital lives and identities," Schomburgk stated in conclusion.