The COVID-19 pandemic has brought about a sea-change in the business world. Organizations have come to embrace the work-from-home model powered by digital transformation. With working from remote locations now mainstream, there has been an explosion in potentially unsecured remote endpoints and connections, which has led to a spike in the number of phishing attacks launched against organizations. According to a survey report launched by Barracuda Networks last year, ‘Brave the New Normal’, 66% of respondents said they’d already experienced a major security scare since the remote working transition, and employees from 67% of Indian organisations had observed an increase in phishing attacks after shifting to remote working. The pandemic has given scammers an opportunity to craft enticing phishing emails, resulting in email account takeover, data theft, or even crippling ransomware-related service outages for organisations.
It has been argued that remote employees are more distracted and therefore more susceptible to phishing scams, which are among the most common and dangerous types of attack that organisations face. It is the lack of protection on home devices and networks, together with vulnerabilities in key web applications, that leaves them more exposed. Users have multiple passwords for the varied online solutions they use for business, since reusing the same password across applications is not advised, and there is a high chance of being unable to remember each one of them. Attacks can occur even when a password manager is in use, and once it is compromised, every password it stores could be exposed.
A survey, “A State of Passwordless Security”, conducted among 425 IT professionals and published by HYPR, found that 90% of respondents experienced phishing attacks against their organization in 2020. Nearly a third (29%) said they also experienced a credential stuffing attack, in which cyber criminals attempt to use large numbers of stolen usernames and passwords to compromise applications and systems.
This may sound scary, but there is a world beyond passwords, known as passwordless authentication. It is a system that replaces traditional passwords with safer methods such as fingerprints or magic links delivered through a text message or email. It eliminates the need to generate a password to gain access to systems.
Unfortunately, nearly half of the survey respondents (48%) said they still lack a passwordless solution. Those who had one said that the primary reason for investing in multi-factor authentication (MFA) was to impede phishing attacks, followed by providing a better user experience.
Adopting passwordless solutions
Passwords are just fundamentally not secure. The best way to protect users and their sensitive information is to provide a more intuitive and secure way in through passwordless authentication. Unfortunately, it is not yet widely employed, and even where it is used, the term passwordless remains open to interpretation: many organizations still rely on two-step multi-factor authentication to verify users. The HYPR survey found 61% of respondents describing their approach as “passwordless” while still needing a shared secret underneath it, whether a password, a one-time password (OTP), or an SMS code. On the brighter side, 90% of respondents consider it essential or somewhat important to eliminate shared secrets for authentication.
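To make the magic-link method mentioned earlier concrete, and to show where a shared secret still hides in it, here is a minimal server-side flow in Python. This is an added illustration, not code from the article, from Barracuda or from HYPR; the domain and email addresses are hypothetical, and the store is an in-memory dictionary standing in for a database.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # a link is valid for 15 minutes

# Outstanding links: SHA-256(token) -> (email, expiry timestamp).
# Only the hash is stored, so a leaked store cannot be replayed as a link.
_pending: Dict[str, Tuple[str, float]] = {}


def issue_magic_link(email: str, now: Optional[float] = None) -> str:
    """Create a single-use, time-limited token and return the link to email out."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode()).hexdigest()
    _pending[digest] = (email, now + TOKEN_TTL_SECONDS)
    # Hypothetical domain. Note that the token in this URL is still a shared
    # secret in transit: whoever reads the email (or is phished into
    # forwarding the link) can redeem it, which is the caveat raised above.
    return f"https://login.example.invalid/verify?token={token}"


def verify_magic_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the authenticated email, or None if the token is unknown, reused or expired."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _pending.pop(digest, None)  # pop: a token can be redeemed at most once
    if entry is None:
        return None
    email, expires_at = entry
    if now > expires_at:
        return None  # expired; already removed from the store above
    return email


if __name__ == "__main__":
    link = issue_magic_link("alice@example.invalid")
    tok = link.split("token=", 1)[1]
    print("first redemption:", verify_magic_link(tok))   # alice@example.invalid
    print("second redemption:", verify_magic_link(tok))  # None (single use)
```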
Moving beyond passwords
Amid the frequency of phishing attacks, it is evident that the current dependence on passwords is obsolete. While phishing attacks have long been a prevailing issue, the shift of employees to remote working has increased them, resulting in compromised passwords belonging to corporate employees. These passwords are then used by malicious actors pretending to be someone else. The increased reliance on digital business processes further intensifies the potential damage those malicious actors can inflict.
To eliminate such threats, it is essential to eliminate the password once and for all, since it is not possible to change the behavior of cyber criminals. Organizations do have control over the methods they rely on for authenticating end-users, so they need to own up to the fact that at present they are more a part of the phishing problem than the solution, and adopting passwordless solutions will be the only way of reducing the risk of attacks and online threats.
(The author is Country Manager, India, Barracuda Networks and the views expressed in the article are his own)