Cybersecurity threats are becoming an increasingly serious problem for businesses of all sizes. Hackers are not slowing down, coming up with new attacks and successfully exploiting “old classics.” What do you need to know to win in this duel?

Cyberattacks can cause significant damage to a company’s reputation, lead to data and financial losses, and also cause disruptions to operations. For example, according to the Identity Theft Resource Center 2022 Data Breach Report, in 2023, hackers carried out 2,365 attacks, affecting 343,338,964 people.

Even large corporations are not immune to incidents. In 2023, the company X (ex-Twitter) became the target of criminals who managed to steal over 220 million user email addresses. Meanwhile, the average global cost of a data breach in 2023 was $4.45 million, 15% more than 3 years ago.

As we can see, the role of cybersecurity in preserving the wealth of a company is very significant. Therefore, the international True Value Added IT distributor BAKOTECH asked four experts how businesses can effectively protect their infrastructure and reduce the risk of serious losses.

 

 

In light of today’s rapid pace of cybercrime, the problem with passwords is not how complex they are, but that they exist at all. Phishing attacks have always been one of the main techniques that hackers use to crack accounts, and they do it quite successfully.

According to the Verizon Data Breach Investigation Report 2023, in nearly half (49%) of cases, cybercriminals gained access to information by cracking passwords.

Some companies use password managers – separate software that generates and securely stores passwords, as well as warns about fraudulent sites and malicious software. However, such software does not protect against phishing, when data is intercepted in real time.

In addition, password managers themselves can become targets for hackers. For example, one of the most popular services, LastPass, has suffered data breaches at least three times: in 2015, 2021, and 2022. During the last breach alone, hackers stole data of over 25 million users.

The biggest security gap is usually the human factor, so most attacks are carried out thanks to the victim’s negligence. One phone call from the “security service” asking to confirm the code that you got to the phone – and your account is no longer yours.

So, the conclusion is: an unbreakable password is one that doesn’t exist. However, if you are forced to use outdated services that do not provide the ability to opt out of passwords, a good practice is to use complex passwords that are easy to remember – for example, the names of books or movies.

Modern requirements for secure user authentication include the following factors:

• Possession of an end device or security key
• Verification of the user’s presence at the time of login
• User verification via secret code verification or user biometrics

 

Are there any alternatives?

 

Passwordless authentication is a secure and convenient alternative to traditional passwords that is gaining popularity among businesses and organizations. According to a 2023 survey, over 71% of IT professionals aged 30 and under preferred passwordless authentication.

FIDO2/WebAuthn is currently considered the “gold standard” for passwordless authentication. It works based on cryptography, involving the exchange of public keys and secure storage of private keys. This makes authentication resistant to phishing and other password-based attacks.

The FIDO2/WebAuthn standard is supported by operating systems Windows, macOS, Linux, Android, iOS, and many browsers such as Chrome, Safari, Firefox, and Microsoft Edge. Hardware security keys, such as Hideez Key, are already certified according to this standard and have the ability to connect via Bluetooth, NFC, and USB, which significantly expands their usability.

In 2023, Passkeys, the latest implementation of the standard for ordinary users was released. It allows you to register your phone, tablet, or computer as your security key and use the built-in biometric sensor for authentication in various web services and applications.

According to surveys, over 70% of users find this method more convenient than one-time codes, voice messages, and other traditional two-factor authentication methods. And most importantly, it protects you from phishing attacks and completely eliminates passwords.

 

How to set a passwordless authentication

 

• Make sure you understand how all employees are currently logging in. Is this authentication different depending on where they are? What devices and operating systems are they using?
• Prepare your infrastructure for passwordless authentication. At the same time, it is advisable to implement a service that can realize Single-Sign-On to web services and applications.
• Configure different passwordless authentication options. Depending on the usage scenarios for different groups of users, you can determine the most convenient option for yourself:
  – Passkey – your phone, tablet, or PC as your security key;
  – Mobile application on your phone;
  – Hardware security key with or without a built-in biometric sensor.

 

 

Passwords have been the primary method of protecting systems since the 1960s, when MIT professor Fernando Corbató introduced them in the Compatible Time-Sharing System (CTSS). Since then, passwords have been a cornerstone of digital security, acting as gatekeepers for personal and work data. However, in an era where cybersecurity threats are becoming increasingly sophisticated, relying solely on passwords is no longer enough.

Today, there are numerous attack paths into infrastructure. Generally speaking, business infrastructure is like a medieval city with many different roads leading into it. To prevent bandits from entering the city, there must be guards at each entrance.

In our case, the guards are the implementation of a multi-layered cybersecurity strategy that encompasses account protection, access privilege management, continuous monitoring, user rights configuration, and secure remote access.

 

Solutions and methods for a comprehensive protection

 

Modern businesses need a more comprehensive approach to protecting their digital assets that takes into account not only IT administrators but also each user group.

Let’s consider each group separately.

A seamless experience for employees: Single sign-on (SSO), multi-factor authentication (MFA), and other features provide secure access without compromising productivity.

Fine-grained control for IT administrators: Privileged Access Management (PAM) allows you to assign specific roles and permissions, ensuring that users only have access to the resources they need to perform their tasks. This reduces risk without sacrificing efficiency.

Cloud Architect: Architects need solutions that integrate with cloud infrastructure to ensure consistent security across all platforms. Therefore, the solution should support cloud applications and hybrid environments, allowing architects to manage and secure cloud resources without impacting performance.

Protecting programmatic accounts: In addition to managing people’s access, organizations must also protect technical accounts such as tokens, API keys, and others. This will allow administrators to centralize control, automate the rotation of secrets, and control access, ensuring the security of automated processes and machine-to-machine communication.

 

Advantages of implementing an identity and access management (IAM) system

 

The smart account protection platform ensures secure access with minimal privileges, threat detection, and real-time response. Here are some of its benefits:

• Reduced risk of insider threats by restricting access to sensitive information
• Strict access control to local and cloud-based applications, services, and IT infrastructure
• Reducing the potential impact of hacking
• Increase accountability with detailed logging and audit logs
• Optimization of workflows
• Reduced workload for IT teams
• Maintaining a high level of security

 

 

A cybersecurity culture is a system of values, norms, and behaviors that prioritizes data protection from cyber threats at all levels of the organization. Employees become the first line of defense against attacks such as phishing and social engineering, which are becoming increasingly prevalent.

Establishing a cybersecurity culture within an organization starts with strong leadership support. Leaders set the tone and demonstrate the importance of cybersecurity, motivating all employees to take responsibility for protecting the organization’s data assets.

Effective cybersecurity awareness training should encompass two main approaches:

• Ongoing Training which keeps employees updated on the latest cyber threats, tactics, and techniques used by attackers
• New Employee Onboarding which should be included in the onboarding process for new employees. This ensures that they understand the organization’s cybersecurity policies, procedures, and best practices from the start

Effectiveness is measured by participation in training, phishing simulations, and quizzes.

To be effective, cyber awareness program managers should use tools such as the Security Awareness Index and analytics to personalize the experience to meet the needs of each learner.

A cybersecurity program should include:

• Newsletters with information about new cyber threats and cybersecurity tips
• Phishing simulation exercises
• Conducting short training modules
• Work gamification

Programs should be updated at least quarterly.

However, training alone is not enough to prevent the most common threats. To build effective protection against typical and targeted phishing attacks, a combination of training and phishing simulations is needed.

Cyber awareness shapes more responsible behavior of users, who begin to react more quickly to atypical activity, seek help from security experts when they notice something unusual, and take care of data protection.

 

How a training program affects employee motivation

 

Thanks to the training, users:

• Are not afraid to ask questions when they are unsure of what to do: for example, how to send a confidential document by email
• Report atypical activity, such as finding a document with sensitive data on an open file sharing service
• Are not afraid to call security professionals when they have done something wrong – for example, informing security after entering a password by mistake on a phishing website
• Help when they notice unsafe behavior – for example, when a confidential document is left on a printer or an unlocked workstation is left unattended

 

What a company gets if it implements regular trainings:

 

• Reduced risks, number of incidents and associated costs, and reputational damage
• Saving time and money
• Increased productivity, as organizations and their employees remain efficient and productive
• Compliance with internal policies, regulatory and industry standards
• Compliance with contractual agreements and cyber insurance requirements
• Empowering and growing employees

 

 

In my opinion, DLP, CASB, and Zero Trust remain the most important data protection trends. They consistently help companies build reliable protection against confidential information leaks.

Let’s take a closer look at each of them.

 

DLP

 

Data Loss Prevention (DLP) is the prevention of confidential data leaks (intentional or accidental) by analyzing the flow of information that goes beyond the organization’s perimeter.

DLP must be applied both in transit (i.e., when data is being uploaded from the corporate environment) and at rest (when employees store corporate data in an unprotected form in SaaS applications such as Salesforce, Google Drive, M365, and others).

Optical Recognition for DLP is also one of the key features that allows you to scan images for sensitive data.

 

CASB

 

CASB (Cloud Access Security Broker) is a system that acts as an intermediary between users and cloud resources, providing access control, activity monitoring, and compliance with regulatory requirements. CASB integrates with the company’s SaaS applications and scans application data for open confidential information.

For example, a PDF document in the public domain without a password in the corporate Google Drive, a document shared publicly in Salesforce, etc. are in the security broker’s area of interest.

Integration of DLP and CASB helps prevent corporate data leakage at rest.

 

Zero Trust

 

The Zero Trust method (or “trust no one, verify everyone”) is based on the principle of no trust by default. Each request for resources must be authenticated, regardless of where it comes from: the corporate network, a remote employee, a cafe or airport. All requests are visible and logged, which will facilitate the investigation of incidents if they occur.

The main goal of Zero Trust as a security model is to reduce the attack surface of an organization. Users get access only to the resources they need to perform their job duties. In addition, Zero Trust minimizes the damage in the event of an attack by limiting the breach to one small area through micro-segmentation, which also reduces the cost of recovery.

Zero Trust minimizes the impact of user credential theft and phishing attacks by requiring multiple authentication factors. This helps eliminate threats that bypass traditional perimeter defenses. Similarly, by verifying every request, Zero Trust security mitigates the risk posed by vulnerable devices, including IoT devices, which are often difficult to secure and update.

By setting up the Zero Trust method, the information security team ensures the protection of all company resources: self-hosted applications, SaaS, private networks, employee devices and data on them, and others.