
As Phishing Threats Rise, Geoff Schomburgk From Yubico Discusses Strengthening the Human Element of Security

The Verizon Data Breach Investigations Report reveals a concerning trend: cybercriminals are increasingly motivated by financial gain, with nearly one-third of all breaches in the past year involving ransomware, phishing or other extortion tactics. Attackers are becoming more strategic and aggressive, concentrating on high-reward targets where they can extract the most value, and leaving organisations not only with compromised data but also with significant financial and operational consequences.

The report also highlights that up to 68% of breaches involved a “human element”, such as a person falling victim to social engineering or making an unintentional mistake. That figure does not include incidents involving malicious insiders or privilege misuse, which underlines that humans remain the weakest link in cybersecurity.

Geoff Schomburgk, Vice President of Asia Pacific & Japan at Yubico

You might think that with advancements in technology and increased awareness, cybercriminals would struggle to deceive people through phishing. However, Geoff Schomburgk, Vice President of Asia Pacific & Japan at Yubico, believes otherwise. In a recent interview, he explained, “Phishing continues to be attractive to cyber attackers because personal information and credentials are valuable, and they prefer stealing credentials over hacking because it’s a lot easier and more profitable.”

Moreover, the rise of Artificial Intelligence (AI) has taken phishing to a new level, with convincing AI-generated text messages, voicemails and even deepfake videos. This makes it increasingly difficult for individuals, especially those less familiar with technology, to tell whether what they are looking at is legitimate.

Thus, Geoff suggested that organisations and businesses alike prioritise addressing the human element of security by creating a strategy centred on “phishing-resistant users” as the first line of defence against phishing and other similar cyber attacks.

Creating Phishing-Resistant Users: Is It Achievable?

According to the Vice President of Asia Pacific & Japan at Yubico, the concept of a phishing-resistant user goes beyond merely adopting phishing-resistant authentication tools. “Phishing-resistant users are those who employ phishing-resistant technology in all aspects of their digital lives,” he explains. This encompasses their roles as employees, citizens accessing online services, and/or consumers engaging in e-commerce.

Phishing-resistant users are equipped with tools and knowledge that enable them to identify and avoid phishing attempts, thereby reducing their susceptibility to such attacks. The key distinction between a phishing-resistant user and one who merely uses phishing-resistant tools lies in the comprehensive adoption of these tools across various facets of their digital interactions.

So how can organisations get started? This can be a challenge, especially for Small and Medium-sized Businesses (SMBs), because building a phishing-resistant user base is a multi-step effort that touches people, process and technology. To help streamline the process and reduce the burden, Geoff outlined a few key steps for organisations looking to kickstart their “phishing-resistant user” initiatives:

  1. Education and Training

Regular training sessions and awareness programmes are crucial, according to Geoff. Employees must understand the nature of phishing attacks, how to recognise them, and why phishing-resistant technologies matter. This education should be ongoing: new lures and techniques appear constantly, and staff need to keep pace with them and with the latest tools and practices used to counter them.

Geoff highlighted that training programs should cover the following areas:

  • Recognising Phishing Attempts: Employees should be trained to identify common phishing tactics, such as suspicious email addresses, unexpected attachments, and urgent language designed to provoke a quick response.
  • Reporting Mechanisms: Organisations should establish clear protocols for reporting suspected phishing attempts. Employees should know whom to contact and what steps to take if they receive a suspicious message.
  • Simulated Phishing Exercises: Conducting regular phishing simulations can help reinforce training and identify employees who may need additional support.

  2. Gradual Implementation

Transitioning to phishing-resistant authentication should be done gradually. For instance, a financial institution might start by rolling out Multi-Factor Authentication (MFA) before moving to a more involved but more secure option such as passwordless authentication. Note that not every MFA method is phishing-resistant: one-time codes delivered by SMS or an authenticator app, and push approvals, can still be relayed through an adversary-in-the-middle phishing site, so the first MFA step should be treated as an interim measure and the end state of the rollout should be FIDO-based methods such as security keys or passkeys. This phased approach allows employees to adapt to new technologies and practices incrementally, reducing resistance and increasing uptake.

  3. Integration with Daily Operations

Phishing-resistant tools and practices should be seamlessly integrated into the daily operations of employees. This can be achieved through consistent use and reinforcement of best practices. Organisations can:

  • Incorporate Phishing-Resistant Authentication in All Applications: Ensure that all systems, including email, internal platforms, and third-party services, use phishing-resistant authentication methods.
  • Automate Security Measures: Automate security updates and patches to minimise the risk of vulnerabilities being exploited.


Technology’s Role in Human-Centric Defence

Organisations that want to tackle human-centric vulnerabilities head-on must go a step further. Geoff recommended that they fully leverage Fast Identity Online (FIDO), a set of open authentication specifications created by the FIDO Alliance. The specifications are vendor- and technology-neutral and are designed to deliver strong, public-key-based authentication.

Phishing-resistant protocols like FIDO incorporate user intent: a deliberate action, such as a touch on the key or a biometric check, is required to complete authentication. The credential itself is a private key that never leaves the authenticator, and each credential is bound to the web origin it was registered with, so a look-alike domain cannot obtain a valid signature even if the user is tricked into visiting it. The result is that even an attacker who has captured the user's password cannot access the account without the physical key or the biometric verification.

Another way to address human-centric vulnerabilities is through passkeys, which are FIDO credentials packaged for everyday consumer and workforce use.

Passkeys, according to Geoff, are phishing-resistant and offer several advantages over traditional passwords, which are easy to steal and easy to forget, including stronger security and ease of use. Geoff also believes passkeys are the way forward and are poised to change how we authenticate by enabling passwordless access across multiple platforms.

This technology is being rapidly adopted by governments and businesses globally, with entities like the Australian government implementing passkeys for accessing online services.

Passkeys offer numerous benefits for end users, including:

  • Enhanced Security: Passkeys are resistant to phishing because they cannot be typed into, or captured by, a fake site. Each passkey is a unique public/private key pair scoped to one service; the private key stays with the user's authenticator and the service holds only the public key, so there is no shared secret for an attacker to steal or for a breached server to leak.
  • Convenience: Users no longer need to remember complex passwords or change them regularly. Passkeys simplify the authentication process, making it quicker and easier to access accounts.
  • Cross-Platform Compatibility: Passkeys can be used across multiple devices and platforms, either synced through the user's platform account or by using one device, such as a phone, to sign in on another. This is particularly beneficial for users who frequently switch between devices.

The stakes in the digital age have never been higher. Cybercriminals, armed with sophisticated tools, relentlessly target the weakest link: humans. While technology is essential, it is the human element that often determines an organisation's fate.

By transforming employees into a formidable human firewall, organisations can not only repel attacks but also gain a competitive edge. Investing in phishing resistance isn’t just about security; it’s about safeguarding reputation, trust, and the bottom line.

The future of cybersecurity demands a holistic approach. It’s time to prioritise human-centric security and build a fortress against the digital onslaught.

Izzat Najmi Abdullah

Izzat Najmi bin Abdullah is an up-and-coming journalist in the tech world, working for Asia Online Publishing Group. He specialises in cloud computing, artificial intelligence, and cybersecurity, and has a passion for exploring the latest innovations and trends in these fields. Najmi is determined to become a recognised expert in the industry and hopes that his articles provide readers with valuable insights into the fast-paced world of technology. As an English Literature graduate, he combines his love for the language with his interest in the tech field to offer a unique perspective on how technology is evolving, with the goal of becoming the Shakespeare of the tech society.
