October 2017: National Cyber Security Awareness Month
In the USA, every October is National Cyber Security Awareness Month. This year the focus is on how digital security is a responsibility we all share, and how we should all take our online security a little more seriously. You can start by sharing this excellent tip sheet with anyone you know who may not know about using two-factor authentication, the importance of backing up files, or keeping a clean machine.
With all the hacks and breaches that have happened recently, we decided to look back at a panel discussion that took place during the first Cyber Security Awareness Month. On the panel were security leaders from the FIDO Alliance, Google, Yubico, and Authy. The discussion, which hit on the challenges of changing login procedures, the reticence of users to adopt and deploy 2FA, and a whole lot more, was led by the Obama administration security lead, Michael Daniel. Here is what we learned:
And, according to Google’s Stephan Somogyi, they are hostile to humans.
Every day is surprising and predictable.
The rash of increasingly serious, embarrassing, and business-breaking hacks and data breaches is changing the way we think and act. Back then it was Ashley Madison users being exposed and the CIA director’s AOL email account being phished by a teen. That seems innocent compared to the size and breadth of recent hacks.
The Feds have been scared straight.
Having seen their Office of Personnel Management hacked very publicly, the feds hit the reset button. However, even though every federal employee with administrator privileges was tasked to use 2FA, the transition has been slow.
Win the hearts and minds.
As security leaders, we need to make 2FA solutions easy for developers to integrate, deploy and fall in love with. Winning the “hearts & minds” of the developers, who typically make security recommendations to their bosses, is the key to seeing 2FA adoption scale in businesses large and small.
And make it easy.
A key to wider adoption of 2FA is to give users a seamless login process. Too many bells & whistles and it’ll never get off the ground. But superb protection paired with an amazing UX? Done.
Cybercrime got real.
Stop imagining a guy in a dark basement hunched over a laptop. Today, hacking is run like a business, and we need to treat cybercrime like it’s organized crime.
Consumer education is key.
Since 2015, the FBI has regularly sent out a bulletin urging small businesses and their customers to protect themselves by adopting 2FA. This occurred just a few months after the FBI itself was hacked. As more criminals use social engineering, password guessing, keyloggers and other technical tools to hack online accounts, consumer education on these vulnerabilities is key.
Who do you trust?
When it comes to digitally storing and transmitting personal information, the frequency and severity of recent data breaches could scare consumers away. If easy-to-use security measures aren’t put in place soon—and put in place across the board—everything from online shopping to banking, education, and use of digital medical records is at risk.
Change is hard – but should it be optional?
Why are organizations still asking consumers if they want to have better, easier-to-use security? If you require – and enforce – 2FA for account set-up and high-risk transactions, people won’t need to be educated on the benefits; they’ll just be happy their information wasn’t compromised.
Nothing happens until something moves.
If possible, we all take the path of least resistance. Governments, hospitals, learning institutions and small businesses are no exceptions. They stick with what they know, fearing that a move away from the simplicity of passwords will lose them customers or market share. But as the ball starts rolling and more and more organizations start making the switch to 2FA, the reasons to stay the course get weaker and weaker, especially when 2FA provides a simpler and more intuitive user experience.
A majority of online services are still unprotected. To find out if your favorite sites care about your account security, check out the Two Factor Auth List. Then write to them and tell them you want them to offer 2FA, now.
There will be blood.
As Michael Daniel said in his introduction, “A world in which we’ve killed the password is a better world.” Watch the panel discussion in the video below.
Remember, online entities that you do business with are always vulnerable, but it’s up to you to own your online presence! Actively manage your privacy and security settings to control who sees the things you post online. And if you know someone who isn’t using 2FA, please mention they can download the Authy app here!