The volume and profile of data breaches are not only growing — they’re accelerating. In just one year, from 2018 to 2019, reported breaches jumped 54 percent. The first half of 2019 alone saw more than 4.1 billion compromised records due to hackers and poor security practices.
Even major organizations have fallen victim to cyberattacks. For example the Capital One data breach led to the exposure of over 100 million credit card applications and accounts in July 2019. Other notable breaches so far this year include Canva, DoorDash, Facebook, and Quest Diagnostics — just to name a few.
So why the surge in data breaches? The answer involves a variety of complex nuances, but there are two primary reasons for the huge increase in successful attacks:
- The growing commoditization of tools and technologies available to hackers to launch such attacks.
- The inability of organizations to keep security preparedness up-to-date with the volume and technology advances of cyberattacks.
The problem is apparent, but organizations are not taking action.
The rapid growth in security breaches has caused companies to realize the importance of implementing two-factor and biometrics-based authentication. Now, 86 percent of executives believe that two-factor authentication is required for better security preparedness and 75 percent feel the same way about biometrics.
However, as the same report indicates, less than half have actually implemented some form of two-factor authentication and even fewer companies have started using biometrics. This disconnect reveals the wide gap between the aspirations and the realities of cybersecurity protocols within most organizations.
Why aren’t more companies using these methods?
The technologies to stop data breaches in their tracks are not new. Readily-available options include passwordless biometric authentication and two-factor authentication. But, as a recent ThumbSignIn survey discovered, bureaucratic and organizational issues are slowing the adoption of these technologies by enterprises.
Among respondents, 76 percent cited the complexity of implementation as a blocker, 45 percent claimed concerns about process disruption and 48 percent reported uncertainty around user adoption. But, these perceived obstacles fail to account for the enormous vulnerabilities created by failing to adopt best practices — especially in regards to protecting passwords.
The (very big) problem with passwords
Passwords are a prized catch for hackers. People tend to heavily reuse them across online services, so finding the password to one online service often unlocks accounts on others — including sensitive work files.
Imagine, for example, that an employee with access to important data uses the same password for their Uber account as their work systems. If Uber is hacked and this individual’s password is sold to nefarious actors, it is then exceedingly easy for the cybercriminals to log into their work systems and compromise an organization’s entire database of sensitive information.
Phishing scams are also becoming increasingly sophisticated. If a hacker sends a convincing — but fraudulent — email to an entire company, it only takes one person getting duped and entering their password to expose the whole system.
It is well known among security experts that passwords are the weakest link in cybersecurity. A vast majority of data breaches are a result of weak or stolen passwords, as found by Verizon's 2016 data breach report.
The easiest, most effective way to counter these attempts by hackers is passwordless biometric authentication technologies. This tech is already mature and has existed for some time.
Following FIDO best practices
Companies have been slow to adopt such effective defenses due to a lack of awareness about strong authentication solutions, especially those based on the FIDO2 WebAuthn specifications. These best practices are now the de-facto standard for strong authentication on the internet after becoming a W3C standard in March of 2019.
FIDO guidelines have proven very effective against hacking attempts, particularly those related to MITM (man-in-the-middle) attacks, replay attacks, masquerade attacks and phishing. Even though the specifications are a few years old, perceptions surrounding the necessity of FIDO are abysmally low. Only 18 percent of respondents to the ThumbSignIn survey feel they are necessary. An overwhelming majority are either unaware of FIDO or consider it "good to have" instead of essential.
Clearly, much more education and awareness is required for organizations to understand the benefits of such standards-based protocols. Only tech giants like Google and Microsoft are consistently complying with FIDO — even industries with vast amounts of sensitive data, such as healthcare and financial services, have a lot of catching up to do.
Getting started with better cybersecurity
The first step in improving the security of enterprise systems is to know your data. Many companies are not fully aware of what information is stored within their technology platforms, or how sensitive it is, due to the complexity of legacy systems and the massive growth of digital data from mobile devices.
Once you have an inventory of your company’s data landscape, you can implement measures like encryption and biometric authentication. It’s crucial to remove single-step password access to any sensitive information.
Simultaneously, employees must receive training and education to avoid falling for hacker schemes like phishing. Something as seemingly innocuous as an email attachment from an unknown sender could compromise a database.
Enterprises should also invest in monitoring controls, which will alert the IT team to any unusual activity and allow them to contain a hack — if possible — before it spreads.
Your systems are highly vulnerable to cyberattacks without these measures. It takes constant vigilance and significant resource investment to protect sensitive data, but it’s far cheaper than the cost of a breach. By familiarizing yourself with FIDO and following the steps outlined here, your company will stand a stronger chance against the increasing sophistication of cyberattacks by malicious actors. And don’t wait to take action — as proven by major hacks like the Capital One incident, it’s not a question of if but a question of when a breach will happen.