Niall McConachie, Regional Director (UK & Ireland) at Yubico
In 2023, the financial sector surpassed healthcare as both the most breached and most attacked industry. Although it might seem that threat actors are quick to find new points of attack to take organisations down, the reality is that overused tactics such as phishing are extremely successful, with 80 percent of all cyber attacks occurring as a result of stolen login credentials.
Furthermore, 74 percent of attacks today succeed due to a human element, such as falling victim to a social engineering attack or making an error in judgement. These attacks are largely successful thanks to the use of stolen credentials, privilege misuse and phishing. According to StationX, individuals working in the finance sector are the second most likely to open a phishing email.
An easy target for cybercriminals
The emergence of generative AI (GenAI) will only accelerate existing growing cyber crime trends. While GenAI can help companies across all industries automate their processes and make work life easier, bad actors can also use the technology to their benefit by creating customised and realistic-looking phishing emails at a huge scale.
For this reason, it is essential that organisations work to better equip and protect their employees from falling victim to phishing attacks and other social engineering methods.
In the case of shared workstations – in which multiple individuals access their accounts on the same device, such as a shared PC – major security weaknesses emerge, especially where login details are shared between users. Employees of financial institutions utilising shared workstations are at greater risk than most, due to the sensitivity of the data held by their company. It is therefore essential that the highest form of security is implemented throughout these firms, whether their employees are remote, hybrid or in the office.
Improving security measures for all users
Most financial organisations protect employees’ accounts using traditional security measures such as phishable multi-factor authentication (MFA) methods, like SMS notifications and one-time passcodes. For many financial institutions, the primary security control has traditionally been to prevent phishing at the time of authentication. Yet this method is wholly insufficient against modern, sophisticated phishing tactics.
Instead, organisations must focus on equipping their users with authentication that offers phishing resistance no matter which business scenario they are engaged in or which platforms and devices they are using – especially when these devices are shared.
Keeping employees safe
Organisations should develop an authentication strategy that offers phishing resistance regardless of where a user is located or what their role entails. To truly prevent phishing attacks, organisations must do more than simply invest in phishing-resistant authentication: they must focus on developing phishing-resistant users to achieve the highest level of protection.
A key component of creating phishing-resistant users is equipping all employees with phishing-resistant MFA. For example, financial institutions can use portable hardware security keys as the foundation for achieving the highest level of security, ensuring both data and livelihood are protected.
Hardware security keys store passkeys, which are used to log into business apps and services quickly and securely. The passkeys in these security keys cannot be copied as they are unique to the keyholder, with authentication only possible on verified sites, ensuring account credentials are never provided to malicious websites. By using hardware security keys to protect business accounts, employees and organisations can remain secure, even if a sophisticated phishing attack tricks users.
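As an added illustration of the "verified sites only" property (example code written for this article, not Yubico's or any vendor's implementation): the browser will not exercise a passkey registered for one relying party on a different site, and the relying party repeats that check on the server by verifying the origin carried in clientDataJSON and the rpIdHash at the front of authenticatorData. The RP ID, the allowed origins and the stand-in browser/authenticator messages below are constructed for the example; the signature check over authenticatorData and the clientDataJSON hash, which a real deployment must also perform, is omitted to keep the example dependency-free.

```python
import base64
import hashlib
import json
import struct

RP_ID = "bank.example"            # assumed relying party ID the passkey was registered under
ALLOWED_ORIGINS = {"https://bank.example", "https://online.bank.example"}  # assumed genuine origins

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_client_data(origin: str, challenge: bytes) -> bytes:
    # Constructed stand-in for the clientDataJSON the browser produces in a WebAuthn get() ceremony.
    enc = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": enc, "origin": origin}).encode()

def build_authenticator_data(rp_id: str, counter: int, flags: int = 0x05) -> bytes:
    # Constructed stand-in for authenticatorData: SHA-256(rpId) || flags || 32-bit signCount.
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)

def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: bytes, last_counter: int) -> tuple:
    """Relying-party checks that tie the passkey to the genuine site.
    The signature over auth_data || SHA-256(client_data_json) is still required
    in production; it is left out here so the example runs with the standard library."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed response)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not the genuine site"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    flags = auth_data[32]
    if not flags & 0x01:
        return False, "user presence flag not set"
    counter = struct.unpack(">I", auth_data[33:37])[0]
    if counter != 0 and counter <= last_counter:
        return False, "signature counter did not advance (possible cloned key)"
    return True, "ok"
```

A lookalike origin, a stale challenge, a mismatched RP ID or a non-advancing counter each fail a distinct check, so the server log shows which property of the ceremony was violated.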
In addition to using hardware security keys, organisations must properly educate staff to become phishing-resistant users and establish phishing-resistant account registration and user recovery procedures for all.
Introducing hardware security keys for employee authentication along with creating phishing-resistant users ensures that workers using shared workstations are safe from phishing attacks, in turn protecting the data and integrity of the financial institution they work for. This removes reliance on passwords and allows users to seamlessly and securely access their digital accounts, no matter where they are located.