Dangerous myths about cyber to debunk

by Mark Rowe

Each October, Cybersecurity Awareness Month is celebrated to provide a much-needed focus on staying safe online with experts sharing their tips for improving security. After the month passes, cybersecurity once again falls to the back of most people’s minds, putting users – and the companies they work for – at continued risk, writes Nic Sarginson, Senior Solutions Engineer UK and Ireland and RSA at the Multi-Factor Authentication (MFA) key company Yubico.

Security measures must continue all year round – especially this year, as people have turned to technology in their droves to work, shop, and stay in touch. From going cashless, to learning remotely, to seeing doctors online, the pandemic has forced us to rely on our digital identities more than ever. But alongside this rise in online usage, there has also been a significant rise in phishing scams. Action Fraud revealed that more than £16 million was lost to online shopping fraud in three months during lockdown, while the National Cyber Security Centre (NCSC) issued a warning to education institutions that they are under threat from ransomware attacks.

From identity theft, to fraud, to account takeovers, it can all seem overwhelming for an individual trying to protect their digital domain. But as with any rising phenomenon, there are dangerous myths about cybersecurity that make the task of protecting identities online seem more difficult than it is.

Technology isn’t going away, nor is our reliance on online services, so it is important to learn about the threats we face and how to counter them. Once we have mastered this, we can stay connected without fear or risk of malicious intervention. The three most common threats to personal accounts that organisations should be making their users aware of are phishing, SIM swapping and credential stuffing – especially in the work-from-home era.

• Phishing: attackers use fake websites and emails that look genuine, persuading people to provide login details, personal information, and even credit card numbers.
• SIM swapping: an attacker, posing as the account holder, contacts the mobile service provider to switch the phone number to their own SIM, enabling them to receive one-time passcodes (OTPs) and gain access to banking and other accounts.
• Credential stuffing: if a company is hacked and user credentials are stolen from a leaked database, those accounts are at risk, along with any other accounts that use those same credentials. Cyber criminals will use an automated system to retry the stolen credentials across every account until they find success elsewhere.

These terms often appear in the media, usually in the wake of high-profile attacks, and people either assume they don’t apply to them or simply do not take notice. The problem is that by not familiarising themselves with these threats, users are at risk because they will be unable to identify them. This lack of awareness also leads to complacency and the assumption that any level of personal security will keep you protected – which is not necessarily the case.

Indeed, there are several common cybersecurity myths that reinforce this damaging approach for the individual user. The most prevalent of these myths is that having unique and strong passwords for every account is enough. The reality is that usernames and passwords just aren’t up to the task of fully protecting your online accounts anymore. We are all told to use unique passwords for every login and even to use password managers to help us remember them all, and while that’s an important protocol to follow, it’s still no match for advanced cyber threats. No matter how long or complicated the password is, if your details are on a database that is breached then there’s nothing stopping an attacker from accessing your accounts.
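Credential stuffing, as defined in the list above, leaves a recognisable pattern on the service side: one source tries many different accounts and mostly fails. The sketch below is an added example, not part of the original article; the log format, addresses, usernames and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed detection window
MIN_DISTINCT_USERS = 5          # assumed threshold: accounts tried per source
MIN_FAILURE_RATIO = 0.8         # assumed threshold: share of failed logins

# Constructed sample log: timestamp, source IP, username, outcome.
SAMPLE_LOG = """
2020-10-01T09:00:01 203.0.113.7 alice FAIL
2020-10-01T09:00:02 203.0.113.7 bob FAIL
2020-10-01T09:00:03 203.0.113.7 carol FAIL
2020-10-01T09:00:04 203.0.113.7 dave FAIL
2020-10-01T09:00:05 203.0.113.7 erin FAIL
2020-10-01T09:00:06 203.0.113.7 frank OK
2020-10-01T09:01:00 198.51.100.20 alice OK
2020-10-01T09:01:10 198.51.100.20 bob OK
2020-10-01T09:01:20 198.51.100.20 carol FAIL
2020-10-01T09:01:30 198.51.100.20 carol OK
2020-10-01T09:01:40 198.51.100.20 dave OK
2020-10-01T09:01:50 198.51.100.20 erin OK
2020-10-01T09:02:00 192.0.2.44 grace FAIL
2020-10-01T09:02:09 192.0.2.44 grace OK
"""

def parse(log_text):
    """Group login events by source IP, each group in time order."""
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, outcome = line.split()
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome == "OK"))
    return {ip: sorted(events) for ip, events in by_ip.items()}

def find_stuffing_sources(log_text):
    """Map each flagged source IP to the accounts it logged in to (lock and reset these)."""
    flagged = {}
    for ip, events in parse(log_text).items():
        start = 0
        for end, (ts, _, _) in enumerate(events):
            while ts - events[start][0] > WINDOW:   # slide the window forward
                start += 1
            window = events[start:end + 1]
            users = {user for _, user, _ in window}
            failures = sum(1 for _, _, ok in window if not ok)
            if len(users) >= MIN_DISTINCT_USERS and failures / len(window) >= MIN_FAILURE_RATIO:
                flagged[ip] = sorted({u for _, u, ok in events if ok})
                break
    return flagged
```

The shared office address (many users, mostly successful) and the single user mistyping a password are deliberately left unflagged; only the source that cycles through accounts and mostly fails is reported.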

Two-factor authentication (2FA) methods add a level of security beyond simply using a password, but there is a misconception that all 2FA is the same – that as long as you have something, you’re good to go. Everyone is familiar with the one-time codes texted to our phones, and while these are better than no form of 2FA at all, they are still susceptible to attack: SIM swapping or man-in-the-middle attacks, for example, can intercept these codes.

The most secure method of protecting against cyber threats is strong 2FA, but it is often perceived as complicated and time consuming, so many people are immediately put off. Strong 2FA is becoming a more commonly used term, and while it does sound daunting, it just means boosting your login security with another form of simple and effective protection that is stronger than SMS text messages and one-time passcodes. Additionally, it doesn’t have to be time consuming; in fact, it can be even more convenient. Options exist where you don’t have to remember hundreds of username and password combinations, or risk re-using the same one. Instead, with hardware tokens like FIDO security keys, you just tap the key once to securely access a range of digital services, from uploading a photo onto Facebook, to sending a work email, to checking your tax return on Gov.uk – all without having to worry about security.

The key to good online security is understanding the threats we face and not falling for the pervasive cybersecurity myths. Upgrading your security does not have to be complicated, and strong two-factor authentication provides a higher level of protection against threats throughout the year. Once we’ve overcome the common misconceptions about authentication, we’ll all be much safer online.

© 2024 Professional Security Magazine. All rights reserved.