Insight: Sharing cybersecurity successes and failures leads to improvement – Andrew Shikiar, executive director and CMO at the FIDO Alliance, explains why a culture of secrecy surrounding cybersecurity is holding back progress
If your organisation were hit by a cyber attack, would you tell anyone?
Historically, the answer would be an unequivocal no. Many believe that sharing that you were a target exposes your company’s (or your personal) vulnerabilities, making you more susceptible to further attack or ridicule. But this ‘security by obscurity’ mindset is not only outdated, it hinders the industry’s ability to harden our collective defences, most notably by eliminating our dependence on passwords and other knowledge-based credentials.
While this year saw a 5%-7% drop globally in the use of passwords for entry, passwords remain by far the most popular online authentication method, which is a big problem. They are not only highly insecure, but they also cause major consumer headaches and cost businesses money: in the past month, 59% of consumers gave up on accessing an online service and 43% abandoned a purchase because they were asked for a password. More than 82% of data breaches are caused by weak or stolen login credentials.
The benefits of multi-factor authentication (MFA) are widely reported but many firms have been sheepish about sharing their adoption figures.
This may be because the figures weren't great. Twitter published its two-factor-authentication adoption figures last summer, showing that just 2.3% of accounts had it enabled. Of those, roughly 80% relied on SMS codes, the least secure of the available methods. Communicating this doesn't make Twitter any less secure. Instead, it sets a powerful benchmark for improvement, and gives the industry a reality check that considerable work remains to get more customers using MFA.
Other organisations to be applauded are Cloudflare and Twilio. The two cloud companies recently reported that they were targeted by near-identical phishing campaigns. Employees received a text message purporting to come from their IT department, directing them to a look-alike login page that asked them to update their password. Neither Twilio's nor Cloudflare's monitoring caught the campaign before employees acted on it, and, as you'd expect, some employees were caught off-guard and entered their credentials.
While Twilio fell victim to the attack (along with dozens of other companies), Cloudflare's employees were protected because they use Fast IDentity Online (FIDO) hardware security keys. The private key never leaves the device, and each login response is bound to the origin the user registered with, so the key will not produce a valid response for a look-alike domain: even after employees typed a password into the fake page, the attackers had nothing they could reuse to log in. Since the incident, Twilio has followed Cloudflare's lead, as it shared in its updated incident report. This is a great example of how sharing successes and failures alike leads to improvement on the whole.
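The origin binding described above is worth seeing concretely. The following Go program is an added example written for this edit; it is not code from the article, from Cloudflare, Twilio or the FIDO Alliance. It models the three parties in a WebAuthn login: a security key holding a P-256 credential, the browser building clientDataJSON and enforcing which RP ID a page may request, and a relying party verifying the response. All names are constructed for the walkthrough (example.com as the real site, login-example.com as the phishing domain, demoKey as the credential minted at registration), the authenticator data is reduced to rpIdHash, flags and counter, and attestation and user verification are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Constructed names for the walkthrough: the site the user registered with and a look-alike phishing domain.
const (
	legitOrigin = "https://login.example.com"
	legitRPID   = "example.com"
	phishOrigin = "https://login-example.com"
)

// Authenticator models a security key: one P-256 key pair per RP ID; private keys never leave it.
type Authenticator map[string]*ecdsa.PrivateKey

// demoKey stands in for the credential minted when the user registered with example.com (constructed).
var demoKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

type Assertion struct {
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON []byte // written by the browser, carries the page origin
	Signature      []byte // ES256 over authData || SHA-256(clientDataJSON)
}

type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// rpIDAllowed is the browser's rule: a page may only use an RP ID equal to its host or a registrable suffix of it.
func rpIDAllowed(origin, rpID string) bool {
	u, err := url.Parse(origin)
	return err == nil && u.Scheme == "https" && (u.Hostname() == rpID || strings.HasSuffix(u.Hostname(), "."+rpID))
}

func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// BrowserGet stands in for navigator.credentials.get() on a page at origin; the browser, not the page, writes origin.
func BrowserGet(a Authenticator, origin, rpID, challenge string) (*Assertion, error) {
	if !rpIDAllowed(origin, rpID) {
		return nil, fmt.Errorf("browser refused: %s may not use rpId %q", origin, rpID)
	}
	key, ok := a[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for rpId %q", rpID)
	}
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 1) // flags=UP, signCount=1
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// VerifyAssertion is the relying party's check in WebAuthn order: challenge, origin, rpIdHash, then signature.
func VerifyAssertion(pub *ecdsa.PublicKey, as *Assertion, expectedOrigin, rpID, challenge string) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd.Challenge != challenge:
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	case cd.Origin != expectedOrigin:
		return fmt.Errorf("origin mismatch: assertion was made on %s", cd.Origin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

func main() {
	key := Authenticator{legitRPID: demoKey}
	as, err := BrowserGet(key, legitOrigin, legitRPID, "nonce-1")
	fmt.Println("legit:", err, VerifyAssertion(&demoKey.PublicKey, as, legitOrigin, legitRPID, "nonce-1"))
	_, err = BrowserGet(key, phishOrigin, legitRPID, "nonce-2") // the phishing page asks for the real rpId
	fmt.Println("phish:", err)
	fmt.Println("replay:", VerifyAssertion(&demoKey.PublicKey, as, legitOrigin, legitRPID, "nonce-3"))
}
```

Two things protect the Cloudflare-style user here, and neither depends on the employee spotting the fake page. First, the browser refuses to let login-example.com request a credential scoped to example.com, and the key holds nothing scoped to the phishing domain, so no signature is produced at all. Second, even if an attacker obtained a response some other way, the relying party checks the origin and rpIdHash that the browser and key wrote into the signed data, and a fresh challenge per login defeats replay. Production code should use a maintained WebAuthn library rather than this sketch, but the order of checks is the one the library performs.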
At the FIDO Alliance, we’re working with the world’s leading tech companies and consumer service providers to solve this challenge. Together, we’ve created technology that’s increasingly cited as a ‘gold standard’ by governments, including the US’s cybersecurity body, CISA, and the UK’s National Cyber Security Centre.
To best defend against cyber attacks, organisations should take inspiration from the Twilio and Cloudflare story and build in authentication that is phishing-resistant. In practice this means FIDO-based login, implemented with hardware security keys or with authenticators built into the device behind its biometrics, and it can be added as a critical layer of security both for an organisation's own network and information and for customers accessing its services.
Of course, the work we do at the FIDO Alliance, creating and implementing new technology, is an important part of moving the world away from passwords and other weak forms of legacy authentication – but it isn’t the most critical piece. Industry-wide commitment to creating intuitive and common user journeys, underpinned by architectural best practices, will enable the kind of cultural shift and mass adoption of this technology that will be required if we want to remove passwords from our daily lives.
Collaboration and transparency are key ingredients that raise the bar for all involved, including for attackers, who should have a far harder time executing remote attacks.