By Nic Sarginson, Principal Solutions Engineer at Yubico
Digital transformation strategies have contributed to a fast pace of technological change. With this comes an ever-increasing frequency of cyber-attacks, as attackers look to exploit and circumvent new technologies. To counteract this, global regulators and policymakers have been enacting or modifying laws to protect sensitive and critical data at all levels. For example, the EU General Data Protection Regulation (GDPR) became the gold standard for data protection and user privacy, ushering in a rapid pace of regulatory change.
Recently, the Covid-19 pandemic has accelerated global digital transformation efforts as businesses around the world had to rapidly adapt and digitise. This has resulted in greater pressure on regulators and policymakers to protect the public from the risks associated with this “new normal”. As an example, in 2021 President Biden enacted an executive order to improve cybersecurity initiatives throughout the US. This is a powerful example of the fact that these issues are a matter of national security. That pressure is in turn transferred to security teams who must meet the burden of compliance.
Key regulatory changes
Protecting citizens and services, especially those that are critical, from attacks is undoubtedly an ongoing battle for regulators and policymakers. In fact, many government agencies tend to fall victim to the same attacks, as they hold large quantities of valuable data. With technology advancing, regulation must also keep pace so that organisations can be protected against increasingly sophisticated and frequent cyberattacks.
The biggest regulatory change in recent years was the introduction of GDPR in 2018. This enforced major changes in data protection and privacy, stressing the importance of security measures and governing how data and customer information is managed by companies. Within some sectors, regulation standards require authentication methods and secure access controls to be implemented when handling critical and classified data.
Yet not all authentication methods provide equal protection against today’s cyber threats. While basic authentication such as the username and password combination, and even forms of two-factor authentication (2FA) such as SMS-based one-time passcodes (OTPs), are better than nothing, they are not strong enough to protect data, systems, and applications from attackers. In response, some industry regulations are beginning to set minimum authentication standards for access control, while others rely on frameworks such as Zero Trust to provide guidance.
In June 2021, the EU Commission revealed its plans to revise the electronic IDentification, Authentication and trust Services (eIDAS) mandate, aimed at ensuring secure digital interactions between organisations, government authorities, and individuals when travelling. This regulation will pertain to online authentication, digital signatures, and national electronic ID policies.
The profile of an attack
The pandemic has accelerated growth in cybercrime at an ‘alarming rate’. With organisations rapidly deploying remote systems and networks to support home working, attackers have taken advantage of increased security vulnerabilities. Once a target has been compromised, cybercriminals have the freedom to seek out and obtain valuable digital assets from companies, particularly those with weak authentication and access credentials. Cybercriminals have a wide range of methods at their disposal that are designed specifically to steal the credentials of companies with poor and inadequate security measures in place.
Examples include man-in-the-middle (MitM) attacks, in which the attacker secretly relays, and possibly alters, the communications between two parties who believe they are communicating directly with each other. Password spraying exploits naïve online users who choose generic or commonly used passwords when creating their various accounts: cybercriminals try these common passwords against the users’ accounts to gain access to their private information.
SIM swapping happens when an attacker tricks a mobile provider into moving a target’s mobile number to a SIM card that the attacker controls. Both the user and the authentication device (their phone) have essentially been cloned, and services are simply relying on that number. From there, OTPs and other credential verifications meant for the original user are instead directed to the attacker.
Phishing works by posing as a trusted or legitimate source, usually by email, and tricking a target into opening a website or link provided. The target is then prompted to enter their login details on what they believe to be a trusted website, unknowingly sharing their credentials with the attacker. This method is very widespread and commonly experienced.
Solutions to implement
The most basic level of 2FA, along with traditional usernames and passwords, is not enough to protect data against the level of sophistication of modern cyberthreats. To better protect themselves while continuing with new digital transformation processes, organisations should consider adopting newer methods of stronger authentication and security that can effectively withstand and prevent emerging cyber threats.
Multi-factor authentication (MFA) and strong 2FA have been proven to offer this, requiring users to provide more than one verification step to prove their identity. To best safeguard individuals’ and organisations’ data, and to prevent mass disruptions to public services, security protocols need to incorporate stronger authentication and comply with government regulations. Enhanced verification through hardware-based authentication and FIDO2, for example, can further counteract attempts to compromise security credentials.
Such innovative devices have been able to combat MitM attacks and phishing while stopping organisations from being compromised. As part of their digital transformation initiatives, in October 2021 Google announced plans to auto-enrol 150 million of its users into a 2FA programme and to make it a required process for two million of its YouTube creators.
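The article states that FIDO2 hardware authenticators defeat phishing and MitM but does not show why. The following added example (not code from the author or Yubico) models the relying-party check that makes this work: the browser, not the web page, records the real origin in clientDataJSON, the authenticator binds the credential to its rpId, and the signature covers both, so an assertion captured on a look-alike domain is rejected and cannot be edited into a valid one. The rpId, origin and challenge values are constructed; the structures are simplified stand-ins for the WebAuthn ones.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// Minimal WebAuthn-style structures, constructed for this example (not a library).
type clientData struct{ Type, Challenge, Origin string }
type assertion struct{ authData, clientJSON, sig []byte } // authData starts with SHA-256(rpId)
// A FIDO2 authenticator signs authData || SHA-256(clientDataJSON); pre-hashed here for ECDSA.
func signedMessage(authData, clientJSON []byte) []byte {
	h := sha256.Sum256(clientJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return m[:]
}
// sign models browser + authenticator: the browser (not the page) records the real origin.
func sign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) assertion {
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; signCount 1
	cj, _ := json.Marshal(clientData{"webauthn.get", challenge, origin})
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cj))
	return assertion{authData, cj, sig}
}
// verify is the relying party's check: origin, rpIdHash and challenge must match, and be signed.
func verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, a assertion) bool {
	var cd clientData
	want := sha256.Sum256([]byte(rpID))
	if json.Unmarshal(a.clientJSON, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Origin != origin || cd.Challenge != challenge ||
		len(a.authData) < 32 || string(a.authData[:32]) != string(want[:]) {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(a.authData, a.clientJSON), a.sig)
}
// Demo: genuine login verifies; an assertion captured on a look-alike page is rejected
// (browser-recorded origin differs); rewriting that origin afterwards breaks the signature.
func Demo() (genuine, phished, tampered bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const rp, origin, chal = "example.com", "https://example.com", "constructed-challenge-1"
	genuine = verify(&priv.PublicKey, rp, origin, chal, sign(priv, rp, origin, chal))
	bad := sign(priv, rp, "https://examp1e.com", chal) // rpId kept equal to isolate origin check
	phished = verify(&priv.PublicKey, rp, origin, chal, bad)
	bad.clientJSON, _ = json.Marshal(clientData{"webauthn.get", chal, origin})
	tampered = verify(&priv.PublicKey, rp, origin, chal, bad)
	return
}
```

A real browser would also hand the phishing page's own rpId to the authenticator, so the rpIdHash check would fail as well; the example holds rpId constant only to show the origin check in isolation.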
With such a high proportion of cyber-attacks focusing on credential theft, strong authentication holds the key to drastically reducing the impact. As organisations embark on digital transformation initiatives, they must ensure that they are deploying security programmes which both comply with regulations and incorporate strong authentication to thwart attacks. Additional verification via hardware-based authentication, for instance, helps to counteract the risks associated with stolen credentials. Hardware-backed security devices are leading the way in eliminating phishing and MitM attacks, protecting users from having their credentials compromised and organisations from being breached.