IT Brief New Zealand - Technology news for CIOs & IT decision-makers

Exclusive: Why creating phishing-resistant users is key to cybersecurity

Thu, 4th Jul 2024

In the world of cybersecurity advances, Geoff Schomburgk, the Regional Vice President for Asia Pacific and Japan at Yubico, is at the forefront of promoting robust and user-friendly multi-factor authentication solutions.

Yubico, a leading authentication company, aims to make secure logins accessible for everyone. In an exclusive interview, Schomburgk delves into the nuances of phishing-resistant users and the strategies behind fostering a more secure digital environment.

Phishing-resistant authentication is gaining traction as a critical component of cybersecurity. "Phishing is a scourge," Schomburgk explained to TechDay. "Over 80% of data breaches are a result of compromised credentials. These credentials are most commonly compromised through phishing attacks." 

He added that phishing-resistant users employ advanced technology to safeguard their digital lives, whether they are employees securing their organisations or consumers protecting their online accounts.

A significant part of this strategy, according to Schomburgk, revolves around education. "People need to know that there are solutions out there," he said, pointing out recent efforts by organisations like Telstra and myGov in Australia to make this technology accessible. By starting with simple steps, such as securing a Facebook or Telstra account, users can gradually build momentum and confidence.

"When my organisation tells me, 'I'm going to implement this,' I think, 'Oh yeah, I get that. I'm on board.'"

Schomburgk likened the process of building phishing-resistant users to any other change programme. It requires clear communication, highlighting the benefits of the change—namely, security and convenience. "Wouldn't it be fantastic if we never had to use a password again?" he said. With over 100 different accounts, managing passwords is a cumbersome task. Eliminating passwords can significantly enhance both security and user convenience.

Finding champions within an organisation is another critical aspect. "Identify your champions, your stakeholders," Schomburgk said. "It can come from the top down, but often it's from the bottom up. Someone who's embraced it can encourage others by saying, 'Hey, this is really good. You should try it too.'"

Reflecting on his tenure at Yubico, Schomburgk noted the significant changes in the industry.

"I've been with Yubico for four and a half years, joining pre-COVID in 2020. The technology has been around for a while, but it's starting to gain momentum, which is really exciting."

Despite the widespread adoption of multi-factor authentication (MFA), phishing remains a formidable challenge. Schomburgk attributes this to the evolving tactics of cybercriminals who now exploit the human element. The rise of phishing-as-a-service has made these attacks more prevalent and sophisticated.

"Phishing is simply a numbers game," he explained. "It just takes one person to click that link and fall for the scam. We have to be smarter and adopt a zero-trust philosophy to stop breaches before they happen."

Zero trust, he said, requires validating identity at every access point. "Identity is the new perimeter," Schomburgk explained. "Your identity must be as strong as possible, especially in a world where we can work from anywhere."

Modern authentication strategies must focus on ease of use to combat human vulnerabilities. "Users shouldn't have to worry about how the cryptography works; it should just work," he emphasised. By leveraging familiar technologies, such as credit cards and biometric authentication, Yubico aims to make the transition seamless.

"The YubiKey, for instance, uses a pin to unlock, similar to a credit card. Having multiple credentials ensures that if one is lost, another can be used, just like having a spare car key."

Discussing costs, Schomburgk acknowledged that while there is an expense associated with phishing-resistant authentication, it pales in comparison to the cost of a data breach. "Our products start from around 25 US dollars. For larger enterprises, we offer subscription models that can make adoption more attractive."

He highlighted the emergence of alternatives, such as passkeys and passwordless authentication options from major tech companies like Microsoft, Apple, and Google.

Schomburgk believes that recent high-profile data breaches have significantly raised public awareness. "Major breaches like those at Optus and Medibank have brought the issue into public consciousness in Australia. People are realising the importance of securing their credentials."

He credits regulatory bodies, such as the Australian Signals Directorate, for progressively upgrading their advice, pushing organisations towards stronger authentication measures.

Phishing-resistant methods, like those advocated by Yubico, are gaining momentum globally. Governments and businesses are adopting these technologies at a rapid pace, driven by the need to protect sensitive information and national security. "The shift away from passwords to more secure, easy-to-use authentication methods is becoming essential," Schomburgk observed. "It's not just about security; it's about making life easier for users."

Schomburgk emphasised the importance of user adoption.

"Encouraging adoption requires showing people how easy and effective these methods are. When they see the benefits, they're more likely to embrace them." He recounts his experience of turning off passwords in his myGov account, sparking interest among his peers.

"Everyone wants an alternative to passwords. Now that we're seeing it, it's time to embrace it."

Yubico's commitment to making strong, secure authentication accessible at a global scale is evident. "We founded the FIDO Alliance with the goal of making secure, easy-to-use authentication available to everyone. When you get that sort of intellectual horsepower coming together, of course, it's going to be a success," Schomburgk added.

With the collaborative efforts of industry leaders and the growing public awareness of cybersecurity threats, the move towards phishing-resistant authentication is not just a trend but a necessary evolution in the digital age.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X