Happy CyberAware Month
In the USA, every October is National Cyber Security Awareness Month (NCSAM). This year the focus is on LockDownYourLogIn, a campaign to promote a safer, more secure and more trusted internet all month, and all year, long. NCSAM’s mission is to remind us all to take our online security a little more seriously.
With all that’s happened over the last year, we decided to look back at what was discussed that day – the first ever 2Factor Tuesday. On the panel were security leader Brett McDowell from the FIDO Alliance, Google’s Stephan Somogyi, Derek Hanson of Yubico, and Marc Boroditsky of Twilio’s Authy. After an introduction by White House security lead Michael Daniel, we hit on the challenges of changing login procedures, the reticence of users to adopt and deploy 2FA, and a whole lot more. Here is what we learned:
And, according to Stephan Somogyi, they are hostile to humans.
Every day is surprising and predictable.
The rash of increasingly serious, embarrassing, and business-breaking hacks and data breaches is changing the way we think and act. Back then it was Ashley Madison users being exposed and the CIA director’s AOL email account being phished by a teen. That seems innocent compared to the size and breadth of recent hacks.
The Feds have been scared straight.
Having seen their Office of Personnel Management hacked very publicly, the feds hit the reset button. However, even though every federal employee with administrator privileges now uses 2FA and more than 70% of non-administrators use it, the transition has been slow.
Win the hearts and minds.
As security leaders, we need to make 2FA solutions easy for developers to integrate, deploy and fall in love with. Winning the “hearts & minds” of the developers, who typically make security recommendations to their bosses, is the key to seeing 2FA adoption scale in businesses large and small.
And make it easy.
A key to wider adoption of 2FA is to give users a seamless login process. Too many bells & whistles and it’ll never get off the ground. But superb protection paired with an amazing UX? Done.
Cybercrime got real.
Stop imagining a guy in a dark basement hunched over a laptop. Today, hacking is run like a business, and we need to treat cybercrime like it’s organized crime.
Consumer education is key.
Last year, the FBI sent out a bulletin urging small businesses and their customers to protect themselves by adopting 2FA. This occurred just a few months after the FBI itself was hacked. As more criminals use social engineering, password guessing, keyloggers and other technical tools to hack online accounts, consumer education on these vulnerabilities is key.
Who do you trust?
When it comes to digitally storing and transmitting personal information, the frequency and severity of recent data breaches could scare consumers away. If easy-to-use security measures aren’t put in place soon, and put in place across the board, everything from online shopping to banking, education, and use of digital medical records is at risk.
Change is hard – but should it be optional?
Why are organizations still asking consumers if they want to have better, easier-to-use security? If you require – and enforce – 2FA for account set-up and high-risk transactions, people won’t need to be educated on the benefits; they’ll just be happy their information wasn’t compromised.
Nothing happens until something moves.
If possible, we all take the path of least resistance. Governments, hospitals, learning institutions and small businesses are no exceptions. They stick with what they know, fearing that a move away from the simplicity of passwords will lose them customers or market share. But as the ball starts rolling and more and more organizations start making the switch to 2FA, the reasons to stay the course get weaker & weaker, especially when 2FA provides a simpler and more intuitive user experience.
A majority of online services are still unprotected. To find out if your favorite sites care about your account security, check out the Two Factor Authy List. Then write to them and tell them you want them to offer 2FA, now.
There will be blood.
As Michael Daniel said in his introduction to 2Factor Tuesday, “A world in which we’ve killed the password is a better world.” Watch the panel discussion in the video below.
Remember, online entities that you do business with are always vulnerable, but it’s up to you to own your online presence! Actively manage your privacy and security settings to control who sees the things you post online. And if you know someone who isn’t using 2FA, please send them our way.