Consumer behaviors and cyber risks of holiday shopping in 2020

While consumers are aware of increased risks and scams via the internet, they still plan to do more shopping online – and earlier – this holiday season, McAfee reveals.


Thirty-six percent of Americans note they are hitting the digital links to give gifts and cheer this year, despite 60% feeling that cyber scams become more prevalent during the holiday season.

While more than 124 million consumers shopped in-store during the 2019 Black Friday to Cyber Monday holiday weekend, the survey indicates consumers have shifted direction due to global events this year, increasing their exposure to online threats as they live, work, play, and buy all through their devices.

The survey shows shopping activity in general has increased, with 49% stating they are buying online more since the onset of COVID-19. 18% of consumers are even shopping online daily, while 34% shop online 3-5 days a week.

Online cybercrime continues to increase

McAfee's research team recently found evidence that online cybercrime continues to increase, observing 419 threats per minute in Q2 2020, an increase of almost 12% over the previous quarter.

With activity set to rise from both consumers and criminals, there is an added concern of whether consumers are taking security threats as seriously as they should – with key differences seen across generational groups:

  • 79% of those 65+ in age believe there is a greater cyber risk due to COVID-19 while 70% of those 18-24 state the same
  • 27% of respondents ages 18-24 report checking if emailed or text messaged discounts and deals sent to them are authentic

“Many are wondering what this year’s holiday season will look like as consumer shopping behaviors continue to evolve and adapt to the challenges faced throughout 2020,” said Judith Bitterli, VP of Consumer Marketing, McAfee.

“With results showing the growing prevalence of online shopping, consumers need to be aware of how cybercriminals are looking to take advantage and take the necessary steps to protect themselves – and their loved ones – this holiday season.”

This juxtaposition of increased online activity from both consumers and cybercriminals serves as the perfect catalyst for misdeeds, especially as 36% of consumers note that while they are aware of risks, they plan to increase their holiday online shopping. This less-than-cautious approach is further seen when respondents are offered deals or discounts, with 43% checking to see if Black Friday or Cyber Monday emails and text messages sent are authentic and trustworthy.

Consumers purchasing more online gift cards this year

Additionally, as the National Retail Federation (NRF) reports 54% of consumers wish to receive gift cards this holiday season, the survey found that 35% of respondents plan to fulfill this request by purchasing more online gift cards this year.

With this alignment set to occur, there are potentially negative implications as 25% of respondents automatically assume gift card links are safe and don’t always take the necessary steps to ensure legitimacy.

In order to stay safe this holiday season, it is advised to:

  • Employ multi-factor authentication to double check the authenticity of digital users and add an additional layer of security to protect personal data and information.
  • Browse with caution and added security using a tool to block malware and phishing sites via malicious links.
  • Protect your identity and important personal and financial details using an identity theft protection tool, which also includes recovery tools should your identity be compromised.

The security consequences of massive change in how we work

Organizations underwent an unprecedented IT change this year amid a massive shift to remote work, accelerating adoption of cloud technology, Duo Security reveals.


The security implications of this transition will reverberate for years to come, as the hybrid workplace demands the workforce to be secure, connected and productive from anywhere.

The report details how organizations, with a mandate to rapidly transition their entire workforce to remote, turned to remote access technologies such as VPN and RDP, among numerous other efforts.

As a result, authentication activity to these technologies swelled 60%. A complementary survey recently found that 96% of organizations made cybersecurity policy changes during the COVID-19 pandemic, with more than half implementing MFA.

Cloud adoption also accelerated

Daily authentications to cloud applications surged 40% during the first few months of the pandemic, the bulk of which came from enterprise and mid-sized organizations looking to ensure secure access to various cloud services.

As organizations scrambled to acquire the requisite equipment to support remote work, employees relied on personal or unmanaged devices in the interim. Consequently, blocked access attempts due to out-of-date devices skyrocketed 90% in March. That figure fell precipitously in April, indicating healthier devices and decreased risk of breach due to malware.

“As the pandemic began, the priority for many organizations was keeping the lights on and accepting risk in order to accomplish this end,” said Dave Lewis, Global Advisory CISO, Duo Security at Cisco. “Attention has now turned towards lessening risk by implementing a more mature and modern security approach that accounts for a traditional corporate perimeter that has been completely upended.”

Additional report findings

So long, SMS – The prevalence of SIM-swapping attacks has driven organizations to strengthen their authentication schemes. Year-over-year, the percentage of organizations that enforce a policy to disallow SMS authentication nearly doubled from 8.7% to 16.1%.

Biometrics booming – Biometrics are nearly ubiquitous across enterprise users, paving the way for a passwordless future. Eighty percent of mobile devices used for work have biometrics configured, up 12% over the past five years.

Cloud apps on pace to pass on-premises apps – Use of cloud apps is on pace to surpass use of on-premises apps by next year, accelerated by the shift to remote work. Cloud applications make up 13.2% of total authentications, a 5.4% increase year-over-year, while on-premises applications encompass 18.5% of total authentications, down 1.5% since last year.

Apple devices 3.5 times more likely to update quickly vs. Android – Ecosystem differences have security consequences. On June 1, Apple iOS and Android both issued software updates to patch critical vulnerabilities in their respective operating systems.

iOS devices were 3.5 times more likely to be updated within 30 days of a security update or patch, compared to Android.

Windows 7 lingers in healthcare despite security risks – More than 30% of Windows devices in healthcare organizations still run Windows 7, despite end-of-life status, compared with 10% of organizations across Duo’s customer base.

Healthcare providers are often unable to update deprecated operating systems due to compliance requirements and restrictive terms and conditions of third-party software vendors.

Windows devices, Chrome browser dominate business IT – Windows continues its dominance in the enterprise, accounting for 59% of devices used to access protected applications, followed by macOS at 23%. Overall, mobile devices account for 15% of corporate access (iOS: 11.4%, Android: 3.7%).

On the browser side, Chrome is king with 44% of total browser authentications, resulting in stronger security hygiene overall for organizations.

UK and EU trail US in securing cloud – United Kingdom and European Union-based organizations trail US-based enterprises in user authentications to cloud applications, signaling less cloud use overall or a larger share of applications not protected by MFA.

Fraudsters increasingly creative with names and addresses for phishing sites

COVID-19 continues to significantly embolden cybercriminals’ phishing and fraud efforts, according to research from F5 Labs.


The report found that phishing incidents rose 220% during the height of the global pandemic compared to the yearly average. The number of phishing incidents in 2020 is now set to increase 15% year-on-year, though this could soon change as second waves of the pandemic spread.

The three primary objectives for COVID-19-related phishing emails were identified as fraudulent donations to fake charities, credential harvesting and malware delivery.

Attackers’ brazen opportunism was in further evidence when certificate transparency logs (a record of all publicly trusted digital certificates) were examined.

The number of certificates using the terms “covid” and “corona” peaked at 14,940 in March, which represents a massive 1102% increase on the month before.

“The risk of being phished is higher than ever and fraudsters are increasingly using digital certificates to make their sites appear genuine,” said David Warburton, Senior Threat Evangelist at F5 Labs.

“Attackers are also quick to jump onto emotive trends and COVID-19 will continue to fuel an already significant threat. Unfortunately, our research indicates that security controls, user training and overall awareness still appear to be falling short across the world.”

Names and addresses of phishing sites

As per previous years’ research, fraudsters are becoming ever more creative with the names and addresses of their phishing sites.

In 2020 to date, 52% of phishing sites have used target brand names and identities in their website addresses. By far the most common brand to be targeted in the second half of 2020 was Amazon.

Additionally, Paypal, Apple, WhatsApp, Microsoft Office, Netflix and Instagram were all in the top 10 most frequently impersonated brands.

By tracking stolen credentials through to their use in active attacks, researchers found that criminals were attempting to use stolen passwords within four hours of phishing a victim. Some attacks even occurred in real time to enable the capture of multi-factor authentication (MFA) security codes.

Meanwhile, cybercriminals also got more ruthless in their bid to hijack reputable, albeit vulnerable, URLs – often for free. WordPress sites alone accounted for 20% of generic phishing URLs in 2020. The figure was as low as 4.7% in 2017.

Furthermore, cybercriminals are increasingly cutting costs by using free registrars such as Freenom for certain country code top-level domains (ccTLDs), including .tk, .ml, .ga, .cf, and .gq. As a case in point, .tk is now the fifth most popular registered domain in the world.
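The three indicators the report describes (pandemic keywords in certificate names, target brand names embedded in phishing hostnames, and free-registrar ccTLDs such as .tk and .ml) can be turned into a simple triage filter over newly issued certificate names. The following is an added example written for this page, not F5 Labs' own tooling; the subject names it scans are constructed, and the brand-to-domain table and free-ccTLD list are taken from the article text rather than from any authoritative feed.

```python
"""Heuristic triage of certificate subject names (Certificate Transparency style
input) for phishing indicators named in the report: crisis keywords, brand
impersonation outside the brand's own domain, and free-registrar ccTLDs.
All sample names below are constructed for this example, not real certificates."""
from dataclasses import dataclass, field

# Free-registrar ccTLDs named in the article (Freenom).
FREE_CCTLDS = {"tk", "ml", "ga", "cf", "gq"}

# Brands the article lists among the most impersonated in 2020, with the
# registrable domain a legitimate certificate for that brand would use (assumed).
BRANDS = {
    "amazon": "amazon.com", "paypal": "paypal.com", "apple": "apple.com",
    "whatsapp": "whatsapp.com", "microsoft": "microsoft.com",
    "office": "office.com", "netflix": "netflix.com", "instagram": "instagram.com",
}
CRISIS_TERMS = ("covid", "corona")

# Constructed sample input: CT-log-style subject names.
SAMPLE_NAMES = [
    "www.amazon.com",
    "amazon-account-verify.tk",
    "covid19-relief-paypal.ml",
    "mail.example.org",
    "login.micros0ft-office.ga",
    "corona-updates.example.net",
]


@dataclass
class Finding:
    name: str
    reasons: list = field(default_factory=list)


def registrable_domain(name: str) -> str:
    """Last two labels; adequate for the generic and cc TLDs used in this example
    (a production version would use the Public Suffix List)."""
    parts = name.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def assess(name: str) -> Finding:
    """Return a Finding whose reasons list is empty when nothing looks suspicious."""
    f = Finding(name=name.lower())
    tld = f.name.split(".")[-1]
    reg = registrable_domain(f.name)

    if tld in FREE_CCTLDS:
        f.reasons.append(f"free ccTLD .{tld}")
    if any(term in f.name for term in CRISIS_TERMS):
        f.reasons.append("crisis keyword")

    # Brand name present anywhere in the host (after undoing common digit-for-letter
    # substitutions) while the registrable domain is not the brand's own.
    normalized = f.name.replace("0", "o").replace("1", "l")
    for brand, legit in BRANDS.items():
        if brand in normalized and reg != legit:
            f.reasons.append(f"brand '{brand}' outside {legit}")
    return f


def triage(names):
    """Keep only the names that tripped at least one indicator."""
    return [f for f in (assess(n) for n in names) if f.reasons]


if __name__ == "__main__":
    for finding in triage(SAMPLE_NAMES):
        print(finding.name, "->", "; ".join(finding.reasons))
```

Each indicator on its own produces false positives (a legitimate .tk site, a news site with "corona" in its name), so the output is a queue for analyst review or for feeding a brand-protection takedown process, not an automatic block list.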

Hiding in plain sight

2020 also saw phishers ramp up their bid to make fraudulent sites appear as genuine as possible. Most phishing sites leveraged encryption, with a full 72% using valid HTTPS certificates to seem more credible to victims. This year, 100% of drop zones – the destinations of stolen data sent by malware – used TLS encryption (up from 89% in 2019).

Combining incidents from 2019 and 2020, 55.3% of drop zones were reported to use a non-standard SSL/TLS port. Port 446 was used in all instances bar one. An analysis of phishing sites found 98.2% using standard ports: 80 for cleartext HTTP traffic and 443 for encrypted SSL/TLS traffic.
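The observation that drop zones favour a non-standard TLS port (446 in almost every case) while phishing sites themselves sit on 80 and 443 gives network defenders a cheap triage signal: TLS sessions to ports other than 443. The following added example, not part of the F5 Labs report, runs that check over a few constructed connection records in a reduced Zeek conn.log-style layout (timestamp, source, source port, destination, destination port, protocol, detected service); the addresses and ports are made up for illustration.

```python
"""Flag outbound TLS sessions to non-standard ports in Zeek-style conn records.
The log lines are constructed for this example (format modelled on Zeek conn.log
with a reduced set of columns), not captured traffic."""
from collections import Counter

STANDARD_TLS_PORTS = {443}

# Columns: ts, orig_h, orig_p, resp_h, resp_p, proto, service   (constructed data)
SAMPLE_CONN_LOG = """\
1605000000.1\t10.0.0.12\t50212\t203.0.113.10\t443\ttcp\tssl
1605000001.2\t10.0.0.12\t50213\t203.0.113.10\t80\ttcp\thttp
1605000002.3\t10.0.0.15\t50301\t198.51.100.7\t446\ttcp\tssl
1605000003.4\t10.0.0.15\t50302\t198.51.100.7\t446\ttcp\tssl
1605000004.5\t10.0.0.22\t50410\t192.0.2.44\t8443\ttcp\tssl
1605000005.6\t10.0.0.22\t50411\t192.0.2.44\t25\ttcp\tsmtp
"""


def parse_conn(log: str):
    """Yield one dict per record; skips blank and comment lines."""
    for line in log.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, orig_p, resp_h, resp_p, proto, service = line.split("\t")
        yield {
            "ts": float(ts), "orig_h": orig_h, "orig_p": int(orig_p),
            "resp_h": resp_h, "resp_p": int(resp_p),
            "proto": proto, "service": service,
        }


def nonstandard_tls(records, allow=frozenset()):
    """Count (destination, port) pairs where the service detector saw TLS ('ssl')
    on a port outside STANDARD_TLS_PORTS. `allow` holds known-good (host, port)
    pairs, e.g. an internal service legitimately on 8443."""
    hits = Counter()
    for r in records:
        key = (r["resp_h"], r["resp_p"])
        if r["service"] == "ssl" and r["resp_p"] not in STANDARD_TLS_PORTS and key not in allow:
            hits[key] += 1
    return hits


def report(log: str, allow=frozenset()):
    return nonstandard_tls(parse_conn(log), allow)


if __name__ == "__main__":
    for (host, port), n in report(SAMPLE_CONN_LOG).most_common():
        print(f"{host}:{port}  tls sessions={n}")
```

The rule keys on the service detected on the wire rather than the port, so TLS on 446 is caught even though nothing in the port number itself is unusual. Ports such as 8443 are common for legitimate internal services, which is what the allow-list parameter is for; the remaining hits are worth correlating with the endpoint that originated them.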

The future of phishing

According to recent research from Shape Security, which was integrated with the Phishing and Fraud report for the first time, there are two major phishing trends on the horizon.

As a result of improved bot traffic (botnet) security controls and solutions, attackers are starting to embrace click farms.

This entails dozens of remote “workers” systematically attempting to log onto a target website using recently harvested credentials. The connection comes from a human using a standard web browser, which makes fraudulent activity harder to detect.

Even a relatively low volume of attacks has an impact. As an example, Shape Security analysed 14 million monthly logins at a financial services organisation and recorded a manual fraud rate of 0.4%. That is the equivalent of 56,000 fraudulent logon attempts, and the numbers associated with this type of activity are only set to rise.

Researchers also recorded an increase in the volume of real-time phishing proxies (RTPP) that can capture and use MFA codes. The RTPP acts as a person-in-the-middle and intercepts a victim’s transactions with a real website.

Since the attack occurs in real time, the malicious website can automate the process of capturing and replaying time-based authentication such as MFA codes. It can even steal and reuse session cookies.

Recent real-time phishing proxies in active use include Modlishka and Evilginx2.
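The reason a real-time phishing proxy can relay a TOTP or SMS code is that the code carries nothing tying it to the site the user typed it into. Origin-bound authenticators (FIDO2/WebAuthn) close that gap: the browser, not the page, writes the origin it actually loaded into clientDataJSON, the authenticator signs over a hash of that data, and the relying party rejects any assertion whose origin is not its own. The following is an added example written for this page, not code from F5 Labs or from any WebAuthn library; it models that flow in reduced form, substitutes an HMAC for the credential's real ECDSA key, and uses a constructed relying-party origin, so the exact byte layout is illustrative rather than standards-accurate.

```python
"""Why origin-bound authentication resists a real-time phishing proxy.
Simplified model of the WebAuthn assertion flow: the browser fills in the origin,
the authenticator signs authData || SHA-256(clientDataJSON), and the relying
party checks challenge, origin and rpIdHash before checking the signature.
Signature is simulated with HMAC; origins and keys are constructed for this example."""
import hashlib
import hmac
import json
import os

RP_ORIGIN = "https://login.example.com"   # genuine relying party (constructed)
RP_ID = "example.com"


def issue_challenge() -> bytes:
    """Fresh per-login challenge the relying party stores server-side."""
    return os.urandom(32)


def browser_sign(credential_key: bytes, challenge: bytes, page_origin: str):
    """What browser + authenticator produce. `page_origin` is the origin the
    browser actually loaded; page script (or a proxy) cannot rewrite it."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin},
        sort_keys=True,
    ).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01"  # rpIdHash || flags
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(credential_key, signed, hashlib.sha256).digest()
    return client_data, auth_data, sig


def rp_verify(credential_key: bytes, expected_challenge: bytes,
              client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks, in the order a server would apply them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge.hex():
        return False  # replay of an old assertion
    if cd.get("origin") != RP_ORIGIN:
        return False  # origin binding: an assertion made at a look-alike site fails here
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(credential_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def login_attempt(page_origin: str) -> bool:
    """End-to-end: user's authenticator answers a challenge at `page_origin`,
    the assertion is forwarded to the genuine relying party, which verifies it."""
    key = b"constructed-credential-key"      # stands in for the registered public key pair
    challenge = issue_challenge()
    client_data, auth_data, sig = browser_sign(key, challenge, page_origin)
    return rp_verify(key, challenge, client_data, auth_data, sig)


if __name__ == "__main__":
    print("genuine origin :", login_attempt(RP_ORIGIN))
    print("look-alike site:", login_attempt("https://login.example-lookalike.tk"))
```

Contrast this with a six-digit code: the relying party can only compare the digits, so a code relayed through a proxy verifies exactly as if the user had typed it on the real site. The origin check is the property to insist on when choosing an MFA method for accounts that face this kind of phishing; session cookie theft after login is a separate problem, addressed by short-lived sessions and re-authentication for sensitive actions rather than by the authenticator.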

“Phishing attacks will continue to be successful as long as there is a human that can be psychologically manipulated in some way. Security controls and web browsers alike must become more proficient at highlighting fraudulent sites to users,” Warburton concluded.

“Individuals and organisations also need to be continuously trained on the latest techniques used by fraudsters. Crucially, there needs to be a big emphasis on the way attackers are hijacking emerging trends such as COVID-19.”

78% of Microsoft 365 admins don’t activate MFA

On average, 50% of users at enterprises running Microsoft 365 are not managed by default security policies within the platform, according to CoreView.


Microsoft 365 administrators fail to implement basic security like MFA

The survey research shows that approximately 78% of Microsoft 365 administrators do not have multi-factor authentication (MFA) activated.

According to SANS, 99% of data breaches can be prevented using MFA. This is a huge security risk, particularly during a time when so many employees are working remotely.

Microsoft 365 admins given excessive control

Microsoft 365 administrators are given excessive control, leading to increased access to sensitive information. 57% of global organizations have Microsoft 365 administrators with excess permissions to access, modify, or share critical data.

In addition, 36% of Microsoft 365 administrators are global admins, meaning these administrators can essentially do whatever they want in Microsoft 365. CIS O365 security guidelines suggest limiting the number of global admins to two to four operators maximum per business.

Investing in productivity and operation apps without considering security implications

The data shows that US enterprises (on average, not collectively) utilize more than 1,100 different productivity and operations applications, which indicates a strong dedication to the growing needs of business across departments, locations, and time zones.

While increased access to productivity and operations apps helps fuel productivity, unsanctioned shadow IT apps have varying levels of security and represent a significant security risk.

Shadow IT is ripe for attack and according to a Gartner prediction, this year, one-third of all successful attacks on enterprises will be against shadow IT resources.

Many orgs underestimate security and governance responsibilities

Many businesses underestimate the security and governance responsibilities they take on when migrating to Microsoft 365. IT leaders often assume that Microsoft 365 has built-in, fool-proof frameworks for critical IT-related decisions, such as data governance, securing business applications, and prioritizing IT investments and principles.

The research disproves this by revealing that many organizations struggle with fundamental governance and security tasks for their Microsoft 365 environment. Today’s remote and hybrid working environment requires IT leaders to be proactive in prioritizing security and data governance in Microsoft 365.

Biometric device revenues to drop 22%, expected to rebound in 2021

In the aftermath of the COVID-19 pandemic, global biometric device revenues are expected to drop 22% ($1.8 billion) to $6.6 billion, according to a report from ABI Research. The entire biometrics market, however, will regain momentum in 2021 and is expected to reach approximately $40 billion in total revenues by 2025.


Global biometric device revenues in 2020

“The current decline in the biometrics market landscape stems from multifaceted challenges from a governmental, commercial, and technological nature,” explains Dimitris Pavlakis, Digital Security Industry Analyst.

“First, they have been instigated primarily due to economic reforms during the crisis which forced governments to constrain budgets and focus on damage control, personnel well-being, and operational efficiency.

“Governments had to delay or temporarily cancel many fingerprint-based applications related to user/citizen and patient registration, physical access control, on-premise workforce management, and certain applications in border control or civil, welfare, immigration, law enforcement, and correctional facilities.

“Second, commercial on-premise applications and access control suffered as the rise of the remote workers became the new norm for the first half of 2020. Lastly, hygiene concerns due to contact-based fingerprint technologies pummelled biometrics revenues forcing a sudden drop in fingerprint shipments worldwide.”

Not all is bleak, though

New use-case scenarios have emerged, and certain technological trends have risen to the top of the implementation lists, for example enterprise mobility and logical access control using biometrics as part of multi-factor authentication (MFA) for remote workers.

“Current MFA applications for remote workers might well translate into permanent information technology security authentication measures in the long term,” says Pavlakis. “This will improve biometrics-as-a-service (BaaS) monetization and authentication models down the line.”

Biometrics applications can now look toward new implementation horizons, with market leaders and pioneering companies like Gemalto (Thales), IDEMIA, NEC, FPC, HID Global, and Cognitec at the forefront of innovation.

“Future smart city infrastructure investments will now factor in additional surveillance, real-time behavioral analytics, and face recognition for epidemiological research, monitoring, and emergency response endeavors,” Pavlakis concludes.

Bring your own PC and SASE security to transform global businesses

Bring your own PC (BYOPC) security will reach mainstream adoption in the next two to five years, while it will take five to 10 years for mainstream adoption of secure access service edge (SASE) to take place, according to Gartner.

Hype cycle for endpoint security, 2020

“Prior to the COVID-19 pandemic, there was little interest in BYOPC,” said Rob Smith, senior research director at Gartner. “At the start of the pandemic, organizations simply had no … More


In reality, how important is zero trust?

Although most IT and security professionals think of zero trust as an important part of their cybersecurity approach, many still have a long way to go on their quest to deploying it, according to Illumio.


Especially as users continue to move off campus networks to a distributed work-from-home model and face new and expanding threat vectors, organizations must quickly adopt the zero trust security mindset of “never trust, always verify” to mitigate the spread of breaches by limiting access and preventing lateral movement.

Notably, 49 percent of the participants surveyed find zero trust to be critical to their organizational security model. Only 2 percent of business leaders believe zero trust is nonessential for their enterprise security posture.

“Zero trust is mission critical to any cybersecurity strategy. Adversaries don’t stop at the point of breach – they move through environments to reach their intended target or access your crown jewels,” said Matthew Glenn, senior vice president of product management at Illumio.

“In today’s world, stopping the lateral movement of attackers has become fundamental to a defender’s job. What’s more, as employees continue to work remotely at scale, it is essential to extend zero trust to the endpoint to further reduce the attack surface and secure the enterprise.”

Zero trust adoption is just beginning

While organizations clearly value zero trust as a necessary part of their cybersecurity strategy, widespread adoption is lacking. Of the respondents who find zero trust to be extremely or very important to their security posture, only 19 percent have fully implemented or widely implemented their zero trust plan.

Over a quarter of these leaders have begun their zero trust planning or deployment process. In short, all but 9 percent of the organizations surveyed are in some way working toward achieving zero trust.

Technologies bolstering the zero trust journey

No single product or solution enables organizations to achieve zero trust alone, so Illumio asked which technologies companies have implemented on their journey to achieve zero trust. Not surprisingly, solutions with a lower barrier to entry, like multi-factor authentication (MFA) and single sign-on (SSO), are more widely adopted.

Still, 32 percent of respondents have adopted campus-wide segmentation, another 30 percent have incorporated software-defined perimeter (SDP) technologies, and 26 percent are leveraging micro-segmentation, a key zero trust technology for preventing the lateral movement of attackers.


What’s next?

In the intermediate term, beyond six months, most respondents plan to implement micro-segmentation and SDP, which will pave the way for zero trust adoption at scale. In fact, 51 percent of respondents plan to deploy micro-segmentation as one of their primary zero trust controls, given its effectiveness and importance in preventing high-profile breaches by stopping lateral movement.

Lastly, over the next six months, 23 percent of organizations plan to implement MFA and 18 percent plan to deploy SSO.

Healthcare technology goals and CIO challenges

LexisNexis Risk Solutions announced the results of its annual focus group, composed of over 20 healthcare IT executives who are members of the College of Healthcare Information Management Executives (CHIME).


The focus group participants accepted more accountability than in previous years to provide the safe and reliable technology tools necessary to deliver high-quality, connected, and cost-effective care.

The survey results also highlighted the importance of a team approach with support across the organization in helping CIOs achieve the vision of connected healthcare.

While the focus group came together before the COVID-19 pandemic struck, the technology priorities for 2020 – from data sharing and security to using data analytics to help vulnerable populations – have become more urgent in light of the pandemic challenges. For example, recent months have illustrated the need for data access to inform decisions about population health, wellness and care capacity.

The surveyed executives identified three main priority areas for 2020.

Managing interoperability

Members acknowledged challenges amid the surge of digital touchpoints, such as mobile phones, smart devices and remote services.

Goals include a common patient identifier to combine and verify disparate patient records for a true health information exchange.

Bolstering cybersecurity

Members are confronting new cybersecurity risks, confusion over who bears the ultimate responsibility for patient data, and the competing goals of seamless user experience and data safety.

To address that final challenge and strike an appropriate balance, executives are moving to multifactor authentication strategies for optimal user workflow and security.

Integrating Social Determinants of Health (SDOH)

As the pandemic has highlighted, incorporating SDOH data is a vital, immediate requirement for improving the delivery of patient support and value-based care, and ultimately, outcomes.

Executives shared SDOH implementation challenges, including data aggregation and operationalization within IT and EHR systems, especially when not utilizing third-party data to support their efforts. While CIOs previously had not perceived specific accountability for SDOH data, that changed as its value was demonstrated.

“CHIME’s executive health IT members are approaching evolving patient and industry needs with careful consideration, ingenuity and focus,” said Josh Schoeller, CEO of LexisNexis Risk Solutions Health Care.

“Our annual focus group presents valuable insights about how healthcare decision-makers are strategically using technology solutions to overcome hurdles regarding cybersecurity, data governance, and interoperability, all of which have become more urgent during the COVID-19 pandemic.

“It’s a big challenge but with the right data integration and analytics they continue to make great progress even in the face of the COVID-19 pandemic.”

Also encouraging, focus group participants reported solid results when rallying support from stakeholders across the enterprise to participate in tough conversations about information security, privacy, operations, compliance, and clinical and accountable care.

2020: The year of increased attack sophistication

There was an increase in both cyberattack volume and breaches during the past 12 months in the U.S. This has prompted increased investment in cyber defense, with U.S. businesses already using an average of more than nine different cybersecurity tools, a VMware survey found.


Increased attack sophistication in 2020

Key survey findings from U.S. respondents:

  • 92% said attack volumes have increased in the last 12 months.
  • 97% said their business has suffered a security breach in the last 12 months. The average organization said they experienced 2.70 breaches during that time.
  • 84% said attacks have become more sophisticated.
  • 95% said they plan to increase cyber defense spending in the coming year.
  • OS vulnerabilities are the leading cause of breaches, followed by web application attacks and ransomware.
  • US companies said they are using an average of 9 different security technologies to manage their security program.

Common breach causes in U.S.

The most common cause of breaches in the U.S. was OS vulnerabilities (27%). This was jointly followed by web application attacks with 13.5% and ransomware with 13%. Island-hopping was the cause of 5% of breaches.

Rick McElroy, Cyber Security Strategist at VMware Carbon Black, said: “Island-hopping is having an increasing breach impact with 11% of survey respondents citing it as the main cause. In combination with other third-party risks such as third-party apps and the supply chain, it’s clear the extended enterprise is under pressure.”

Complex multi-technology environments

US cybersecurity professionals said they are using an average of more than nine different tools or consoles to manage their cyber defense program, the survey found. This indicates a security environment that has evolved reactively as security tools have been adopted to tackle emerging threats.

Said McElroy: “Siloed, hard-to-manage environments hand the advantage to attackers from the start. Evidence shows that attackers have the upper hand when security is not an intrinsic feature of the environment. As the cyber threat landscape reaches saturation, it is time for rationalization, strategic thinking and clarity over security deployment.”

Supplemental COVID-19 survey

The latest research was supplemented with a survey on the impact COVID-19 has had on the attack landscape. According to the supplemental survey of more than 1,000 respondents from the U.S., UK, Singapore and Italy, 88% of U.S. cybersecurity professionals said attack volumes have increased as more employees work from home. 89% said their organizations have experienced cyberattacks linked to COVID-19 malware.

Key findings from the supplemental U.S. COVID-19-focused survey:

  • 89% said they have been targeted by COVID-19-related malware.
  • Inability to institute multi-factor authentication (MFA) was reported as the biggest security threat to businesses during COVID-19, the survey found.
  • 83% reported gaps in disaster planning around communications with external parties including customers, prospects, and partners.

“The global situation with COVID-19 has put the spotlight on business resilience and disaster recovery planning. Those organizations that have delayed implementing multi-factor authentication appear to be facing challenges, as 32% of U.S. respondents say the inability to implement MFA is the biggest threat to business resilience they are facing right now,” said McElroy.

Gaps in disaster recovery plans

U.S. survey respondents were asked whether COVID-19 had exposed gaps in their disaster recovery plans, and to indicate the severity of those gaps. Their responses showed that:

  • 83% of respondents reported gaps in recovery planning, ranging from slight to severe.
  • 83% said they had uncovered gaps in IT operations.
  • 84% said they encountered problems around enabling a remote workforce.
  • 83% said they’ve experienced challenges communicating with employees.
  • 83% said they had experienced difficulty communicating with external parties.
  • 63% said the situation uncovered gaps around visibility into cybersecurity threats.

Said McElroy: “These figures indicate that the surveyed CISOs may be facing difficulty in a number of areas when answering the demands placed on them by the COVID-19 situation.”


Risks directly related to the pandemic have also quickly emerged, the survey found. This includes rises in COVID-19 malware which was seen by 89% of U.S. respondents.

Said McElroy: “The 2020 survey results suggest that security teams must be working in tandem with business leaders to shift the balance of power from attackers to defenders. We must also collaborate with IT teams and work to remove the complexity that’s weighing down the current model.

“By building security intrinsically into the fabric of the enterprise – across applications, clouds and devices – teams can significantly reduce the attack surface, gain greater visibility into threats, and understand where security vulnerabilities exist.”

Remote working security challenges urge MFA implementation

The past few years have seen an increase in employees using personal devices and systems to access work emails and company databases, and exchange valuable information with colleagues, clients, and vendors. These tools can help people complete their jobs but are fraught with security challenges.


The scale of this challenge increased considerably in 2020 due to the expanded use of devices to accommodate work-from-home mandates and consequent sudden surge in cybercrime.

Frost & Sullivan examined how threats and attacks exist around employees’ external systems and devices, and found that multi-factor authentication (MFA) can be easily leveraged by IT departments. It’s clear that companies can better protect themselves using tools more sophisticated than password protection.

A better user experience ensures full user adoption

“Passwords are no longer enough for businesses to secure their data. MFA has become a necessity for the modern business. However, MFA implementation and adoption can be cumbersome for IT departments and users,” explained Roberta Gamble, Partner and Vice President at Frost & Sullivan.

“Businesses need solutions that provide ease of installation and deployment, user-friendly tools and interface, and a clear method for the business to enforce usage.”

How do industry verticals shape IAM priorities?

IAM priorities differ by industry vertical, and a one-size-fits-all approach to IAM doesn’t work when every industry and business within that industry is unique, according to LastPass and Vanson Bourne.

Each industry vertical has unique business needs and, as a result, different areas of focus for its IAM program.

Finance focused on reducing risk, while integrating IAM infrastructure

Financial service organizations deal with higher stakes than most verticals, which inevitably impacts how they manage employee access and authentication.

35 percent of IT professionals in this industry say hackers have gained access to their organizations in the past, which is not surprising given financial institutions experience the highest cybercrime costs out of all verticals at an average of $18.3 million per year.

According to the report, 70 percent of IT professionals in the finance industry say that reducing risk is a top priority and 65 percent state that integrating security infrastructure is their biggest area for improvement.

IT focused on IAM security benefits and prioritizes MFA

As information technology businesses work closely with IAM software and manage customers’ data, their relationship with technology clearly shapes their IAM strategy. 77 percent in this industry say securing data is their top priority, while improving identity and access management is less of a focus, with 61 percent noting it as a priority.

28 percent of IT and security professionals in this industry said they plan to invest in multi-factor authentication (MFA), which addresses a core security challenge: with MFA in place, a stolen or reused password is no longer enough on its own to reach sensitive data.

Media needs a secure, automated way to manage user access

Mass communication companies work with a range of external consultants to execute their programs, which leads to a wide array of users, both internal and external, accessing business resources and complicates IAM.

34 percent of IT professionals in this industry say managing user access is important to their organization, compared to the overall average of all industries (9 percent). 44 percent say end users are demanding an easier-to-use solution, and 49 percent say automating IAM processes is an area for improvement.

“Finance is focused on reducing risk and integrations, IT is prioritizing the security components of IAM, whereas media is focused on improving employee productivity,” said John Bennett, General Manager, Identity and Access Management Business Unit at LogMeIn.

“It’s clear that flexibility, breadth of functionality and ease of use are critical so businesses can customize their IAM strategy in alignment with their business objectives. Organizations need to evaluate what their business needs are and build their IAM strategy based on those requirements.”

Password psychology: People aren’t protecting themselves even though they know better

People aren’t protecting themselves from cybersecurity risks even though they know they should, a study on password psychology by LogMeIn reveals.

Password psychology

Year after year there is heightened global awareness of hacking and data breaches, yet consumer password behaviors remain largely unchanged. Data from the survey shows that 91 percent of people know that using the same password on multiple accounts is a security risk, yet 66 percent continue to use the same password anyway.

With people spending more time online, the evolution of cybersecurity threats and the unchanged behavior in creating and managing passwords create a new level of concern around online security.

The global survey polled 3,250 individuals across the United States, Australia, Singapore, Germany, Brazil, and the United Kingdom and provides evidence that increased knowledge of security best practices doesn’t necessarily translate into better password management.

Global cyber threats continue to skyrocket but password behaviors unchanged

Password behaviors remain largely unchanged from the same study conducted two years ago, which translates into some risky habits. 53 percent report not changing their passwords in the past 12 months despite news of breaches.

And while 91 percent know that using the same password for multiple accounts is a security risk, 66 percent mostly or always use the same password. This is up 8 percent from LogMeIn’s 2018 findings.

Security-conscious thinking doesn’t translate to action

The data showed several contradictions, with respondents saying one thing and in turn, doing another. 77 percent say they feel informed on password best practices, yet 54 percent still try to memorize passwords and 27 percent write them down somewhere.

Similarly, 80 percent are concerned with having their passwords compromised, and yet 48 percent never change their password if not required.

Fear of forgetfulness, number one reason for password reuse

Most respondents (66 percent) use the same password for multiple accounts, which, surprisingly, is up 8 percent from the 2018 findings. Why? The fear of forgetting login information continues to be the number one reason for password reuse (60 percent), followed by wanting to know and be in control of all of their passwords (52 percent).

Awareness and usage of MFA increasing

The good news is there is broad awareness and usage of multifactor authentication (MFA). Fortunately, 54 percent say they use MFA for their personal accounts and 37 percent are using it at work. Only 19 percent of survey respondents said they did not know what MFA was.

Respondents are also very comfortable with biometric authentication, using a fingerprint or face to log in to devices or accounts: 65% said they trust fingerprint or facial recognition more than traditional text passwords. One caveat worth knowing: on modern phones and laptops the biometric never leaves the device; it unlocks a credential stored locally, so the protection is only as strong as the device holding that credential.

“During a time where much of the world is working from home due to the disruption caused by the COVID-19 pandemic, and people are spending more time online, the cyber threats facing consumers are at an all-time high. Individuals seem to be numb to the threats that weak passwords pose and continue to exhibit behaviors that put their information at risk,” said John Bennett, SVP & GM of Identity and Access Management at LogMeIn.

“Taking just a few simple steps to improve how you manage passwords can lead to increased safety for your online accounts, whether personal or professional. Make World Password Day 2020 the tipping point for a change in your password behavior.”

iDevices finally get key-based protection against account takeovers

For the past couple of years, iPhone and iPad users have been relegated to second-class status when it comes to a cross-industry protocol that promises to bring effective multi-factor authentication to the masses. While Android, Windows, Mac, and Linux users had an easy way to use the fledgling standard when logging in to Google, GitHub, and dozens of other sites, the process on iPhones and iPads was either painful or non-existent.

Apple’s reticence wasn’t just bad for iPhone and iPad users looking for the most effective way to thwart the growing scourge of account takeovers. The hesitation was bad for everyone else, too. With one of the most important computing platforms giving the cold shoulder to WebAuthn, the fledgling standard had little chance of gaining critical mass.

And that was unfortunate. WebAuthn and its U2F predecessor are arguably the most effective protection against the growing rash of account takeovers. They require a person logging in with a password to also present a pre-enrolled fingerprint, facial scan, or physical security key. That defeats most existing account-takeover techniques, which rely solely on stealing a password.

Developed by the cross-industry FIDO Alliance and adopted by the World Wide Web Consortium (W3C) in March, WebAuthn has no shortage of supporters. It has native support in Windows, Android, Chrome, Firefox, Opera, and Brave. Despite that support, WebAuthn has gained little more than niche status to date, in part because of the lack of support from the industry’s most important platform.

Now, the standard finally has the potential to blossom into the ubiquitous technology many have hoped it would become. That’s because of last week’s release of iOS and iPadOS 13.3, which provide native support for the standard for the first time.

More about that later. First, a timeline of WebAuthn and some background.

In the beginning

The handheld security keys at the heart of the U2F standard helped prepare the world for a new, superior form of MFA. When plugged into a USB slot or tapped on an NFC reader, the security key transmitted a “cryptographic assertion”: a signature, made with a private key that never leaves the device, over a fresh challenge from the site and the origin the browser was actually talking to. Unlike the one-time passwords used by MFA authenticator apps, these assertions couldn’t be copied, phished, or replayed: a look-alike domain receives a signature bound to the wrong origin, and a captured signature doesn’t match the next challenge.

U2F-based authentication was also more secure than one-time passwords because, unlike authenticator apps running on phones, the security keys were single-purpose hardware with no general-purpose operating system, apps, or network stack for malware to compromise. It was also more reliable, since the keys didn’t need an Internet connection. A two-year study of more than 50,000 Google employees a few years ago concluded that cryptographically based Security Keys beat out smartphones and most other forms of two-factor verification.

U2F, in turn, gave way to WebAuthn. The new standard still allows security keys that connect by USB or NFC. It also allows users to provide an additional factor of authentication using fingerprint readers or facial scanners built into smartphones, laptops, and other types of hardware the user already owns.

A plethora of app, OS, and site developers soon built WebAuthn into their authentication flows. The result: even when a password was exposed through user error or a database breach, accounts remained protected unless a hacker with the password passed the very high bar of also obtaining the security key, or the enrolled device whose fingerprint reader or face scanner unlocks the credential.

As Google, Microsoft, key maker Yubico, and other WebAuthn partners threw their support behind the new protocol, Apple remained firmly on the sidelines. The lack of support in macOS wasn’t ideal, but third-party support from the Chrome and Firefox browsers still gave users an easy way to use security keys. Apple’s inaction was much more problematic for iPhone and iPad users. Not only did the company provide no native support for the standard, it was also slow to allow access to near-field communication, a wireless communication channel that makes it easy for security keys to communicate with iPhones.

Poor usability and questionable security

Initially, the only way iPhones and iPads could use WebAuthn was with a Bluetooth-enabled dongle like Google’s Titan security key. It worked—technically—but it came with deal-breaking limitations. For one, it worked solely with Google properties. So much for a ubiquitous standard. Another dealbreaker—for most people, anyway—the installation of a special app and the process of pairing the keys to an iPhone or iPad was cumbersome at best.

Then in May, Google disclosed a vulnerability in the Bluetooth Titan. That vulnerability made it possible for nearby hackers to obtain the authentication signal as it was transmitted to an iPhone or other device. The resulting recall confirmed many security professionals’ belief that Bluetooth lacked the security needed for MFA and other sensitive functions. The difficulty of using Bluetooth-based dongles, combined with the perception that they were less secure, made them a non-starter for most users.

In September, engineers from Yubico, maker of the YubiKey, built a developer kit that added third-party programming interfaces for WebAuthn. The effort was valiant, but it was also kludgy, so much so that the fledgling Brave browser was the only one to make use of it. Even worse, Apple’s steadfast resistance to opening up third-party access to NFC meant that the third-party support was limited to physical security keys that connected through the Lightning port or Bluetooth.

NFC connections and biometrics weren’t available. Worst of all, the support didn’t work with Google, Facebook, Twitter, and most other big sites.
