Jasson Casey, CTO at Beyond Identity, evaluates human misconceptions in the cybersecurity industry and explains why we should embrace trust in modern technologies.
Human misconceptions include the innate tendency to hold onto what is familiar to us, resist change, and develop misplaced confidence in what makes us feel safe.
How often must we be told that flying is safer than driving? Why do most of us feel safest at home when the statistics say otherwise? Some research even suggests that more medically consulted injuries occur in the home than in public places, the workplace and motor vehicle crashes combined.
The same is true of technology. We are wary of the new and cling to the familiar, so innovations can take months or even years to be welcomed with open arms. Once they are, we often struggle to remember life without them.
Take Edison’s commercialisation of the lightbulb: now a ubiquitous piece of technology, but one that took over 40 years to be accepted by the masses. Not long ago, conventional wisdom insisted that the public cloud could not be trusted with critical data and applications. It was an understandable reaction, yet today, instead of seeing the cloud as a risk to operations, we often move operations to the cloud precisely for greater security.
The same pattern is repeating today with passwords. With the ever-increasing volume of cyber threats, it is becoming clear that traditional reliance on password-based security is now more of a hindrance than a help in the fight against cybercrime.
Despite the obvious vulnerabilities and rising user frustrations associated with passwords, many organisations rely on them as a core component of their security strategy. But it is only a matter of time before we eliminate passwords and embrace a more secure alternative… surely?
Misplaced confidence in passwords
Recent research has revealed that human misconceptions are rife regarding passwords – most cloud professionals continue to place an undue amount of confidence in the use and security of passwords.
Moreover, an overwhelming 83% of them expressed confidence in the security effectiveness of passwords, with over a third declaring their confidence as ‘very high’.
However, these figures sit uncomfortably alongside the grim reality that 80% of all breaches result from compromised identities, predominantly due to the use of passwords. Today, hackers don’t break in – they log in by reusing stolen credentials.
The repetitive and demanding routine of password management also undermines security. Many cloud professionals juggle multiple passwords daily, while organisations continue to insist on frequent password changes, with the result that password hygiene becomes a chore and passwords an even weaker line of defence.
Specifically, 60% of respondents said they find it frustrating to remember multiple passwords, 52% are frustrated by having to change their passwords regularly, and another 52% by the requirement to choose long passwords containing numbers and symbols.
Passwords attract threat actors
Adding to the complexity, passwords have proven to be an attractive target for threat actors. Phishing attacks remain common, with many respondents admitting to having flagged, or accidentally clicked on, phishing emails. Contrary to the prevailing misconceptions, reliance on passwords exposes organisations to exactly the attacks they are trying to prevent.
When asked if they’ve ever received a phishing email which they’ve flagged to their security team, over a third of cloud professionals claimed they’d flagged between one and three, 18% flagged four to six, and nearly a quarter (23%) flagged seven or more.
More worryingly, 11% have received but not flagged a phishing email, and one-fifth (20%) of respondents simply aren’t sure if they’ve ever accidentally clicked on a phishing link. Nearly one-fifth (19%) said colleagues have clicked on a phishing email, and over a quarter admit to doing it themselves – 11% say they’ve done it more than once, and 5% said they do it regularly.
Evolving passwordless authentication: Can it overcome human misconceptions?
This familiar sense of user frustration and human misconceptions about password-based authentication creates a precarious situation for organisations relying on passwords to protect their data and customer accounts.
A further cause for concern is that, despite the frustrations and vulnerabilities associated with password-based security, 74% of cloud professionals still believe in the efficacy of regular password changes as a cybersecurity practice. Forced periodic rotation has in fact been discouraged since NIST SP 800-63B (2017), which recommends changing a password only when there is evidence of compromise, because mandatory rotation pushes users towards predictable variations of the same password.
While the growing adoption of Multi-Factor Authentication (MFA) as an added layer of security is a positive trend, there has been an alarming increase in successful MFA bypass attacks, as seen in high-profile cases at Coinbase, Twilio, Reddit, Uber and, most recently, MGM Casinos. What the bypassed deployments had in common was a second factor that a user can be tricked into handing over, relaying or approving: one-time codes, push prompts and help-desk resets.
Part of the challenge is that the threats organisations face have grown considerably since passwords were first introduced more than half a century ago. In today’s cybersecurity context, organisations serious about the risks that passwords create should shift their focus towards next-generation ‘phishing-resistant’ MFA: authentication in which the credential is a private key bound to the legitimate site’s origin, so there is no password or code for a fake site to harvest or relay.
Recognising the vulnerability posed by passwords, the Fast Identity Online (FIDO) Alliance has developed standards to guide the transition to more secure, passwordless authentication; FIDO2 pairs the W3C WebAuthn browser API with the CTAP protocol that talks to the authenticator. Adopting such solutions is now recommended at the highest levels of government: the US federal zero trust strategy (OMB M-22-09) requires phishing-resistant MFA for agency staff, and CISA’s guidance identifies FIDO/WebAuthn as the most widely available form of phishing-resistant MFA.
Increasingly, organisations understand the urgency of moving away from legacy password systems and weak MFA towards authentication designed to accelerate the journey to zero trust: continuous authentication that eliminates the shared secrets (passwords, one-time codes, magic links and the like) that criminals harvest as the first step of ransomware and account-takeover campaigns.
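To make the ‘nothing to harvest’ point concrete, here is an added example (not Beyond Identity’s code, nor any product’s) that simulates the three parties in a WebAuthn login: an authenticator holding a private key scoped to a relying-party ID, a browser that writes the page’s real origin into the signed clientDataJSON, and a relying party that checks challenge, origin and rpIdHash before verifying the signature. The domain names example.com and examp1e.com are made up; ES256K (ECDSA over secp256k1, a registered COSE algorithm) stands in for the more common ES256 only because its curve parameters are short to write out; attestation, the signature counter and user verification are left out to keep the simulation short.

```python
"""Why a WebAuthn/FIDO assertion cannot be relayed by a phishing proxy. Added example, not
Beyond Identity's code; domains are made up, and ES256K (secp256k1) stands in for ES256."""
import hashlib, json, secrets
P = 2**256 - 2**32 - 977                                    # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141   # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                         # point at infinity
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if a == b else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    acc = None
    while k:
        acc, pt, k = (ec_add(acc, pt) if k & 1 else acc), ec_add(pt, pt), k >> 1
    return acc

def ecdsa_sign(priv, msg):
    z, r, s = int.from_bytes(hashlib.sha256(msg).digest(), "big"), 0, 0
    while not (r and s):                                    # loops only on the negligible r == 0 or s == 0
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
    return r, s

def ecdsa_verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z, w = int.from_bytes(hashlib.sha256(msg).digest(), "big"), pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

class Authenticator:
    def __init__(self):
        self._creds = {}                                    # rp_id -> (credential_id, private key)

    def make_credential(self, rp_id):
        cred_id, priv = secrets.token_bytes(16), secrets.randbelow(N - 1) + 1
        self._creds[rp_id] = (cred_id, priv)
        return cred_id, ec_mul(priv, G)                     # only the public key leaves the device

    def get_assertion(self, rp_id, client_data_json):
        if rp_id not in self._creds:
            raise LookupError(f"no credential scoped to {rp_id}")
        cred_id, priv = self._creds[rp_id]
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + bytes(4)   # rpIdHash|UP|counter
        sig = ecdsa_sign(priv, auth_data + hashlib.sha256(client_data_json).digest())
        return {"id": cred_id, "auth_data": auth_data, "client_data_json": client_data_json, "sig": sig}

def client_data(challenge, origin):
    """Built by the browser, never by the page, so `origin` is where the user really is."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()

class RelyingParty:
    def __init__(self, origin):
        self.origin, self.rp_id = origin, origin.split("://", 1)[1]
        self.creds, self.pending = {}, set()                # credential_id -> public key; live challenges

    def new_challenge(self):
        self.pending.add(c := secrets.token_urlsafe(32))
        return c

    def verify(self, a):
        cd = json.loads(a["client_data_json"])
        if cd.get("type") != "webauthn.get" or cd.get("challenge") not in self.pending:
            return "rejected: unknown or replayed challenge"
        if cd.get("origin") != self.origin:                  # the check a relay cannot satisfy
            return f"rejected: origin {cd.get('origin')}"
        ad, pub = a["auth_data"], self.creds.get(a["id"])
        if ad[:32] != hashlib.sha256(self.rp_id.encode()).digest() or not ad[32] & 1:
            return "rejected: wrong rpIdHash or no user presence"
        if pub is None or not ecdsa_verify(pub, ad + hashlib.sha256(a["client_data_json"]).digest(), a["sig"]):
            return "rejected: unknown credential or bad signature"
        self.pending.discard(cd["challenge"])               # challenges are single use
        return "accepted"

def run_scenarios():
    rp, device = RelyingParty("https://example.com"), Authenticator()   # hypothetical RP
    rp.creds.update([device.make_credential(rp.rp_id)])     # registration: the RP stores the public key
    # Genuine login from example.com, then a replay of the very same assertion.
    assertion = device.get_assertion("example.com", client_data(rp.new_challenge(), "https://example.com"))
    out = {"genuine": rp.verify(assertion), "replay": rp.verify(assertion)}
    # Adversary-in-the-middle proxy at examp1e.com relaying a real challenge: the victim's browser
    # scopes the request to examp1e.com, and the authenticator holds nothing for that domain.
    ch = rp.new_challenge()
    try:
        out["phish"] = rp.verify(device.get_assertion("examp1e.com", client_data(ch, "https://examp1e.com")))
    except LookupError as e:
        out["phish"] = f"no assertion: {e}"
    # A client that bypasses the browser and signs for the right RP ID still cannot hide the real origin.
    out["forced"] = rp.verify(device.get_assertion("example.com", client_data(ch, "https://examp1e.com")))
    return out
```

Calling run_scenarios() gives four outcomes: the genuine login is accepted; replaying the same assertion is rejected because challenges are single use; the phishing proxy at examp1e.com gets no assertion at all, because the browser scopes the request to the page’s own domain and the authenticator holds no key for it; and even a client that bypasses the browser to sign for the real RP ID is rejected, because the origin it has to sign over is the phishing site’s. Compare that with an SMS or app-generated code, which is a string the victim can type into any page and the proxy can forward unchanged; the relying party has no way to tell where it was typed.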
This approach is beneficial for security and enhances the user experience by eliminating the frustrating aspects of password management – a win-win for every stakeholder committed to maximising cybersecurity.
Modern, secure authentication is at our fingertips. However, while people continue clinging to the familiar by using passwords, they practically leave the welcome mat out for attackers.
Moreover, just like more medical injuries happen in the safety of our homes, more cyber-attacks occur because human misconceptions about cybersecurity lead to reliance on passwords. It’s time to embrace the new and shut the front door once and for all.