
Keeping the public sector cyber-secure


Niall McConachie at Yubico shares some advice for the new Labour government on how to maintain effective cyber-security throughout the public sector with passkeys

 

The newly elected Labour government has assumed office during a period in which the UK is facing an increasing array of cyber-threats. These cyber-attacks, ranging from distributed denial-of-service (DDoS) attacks to phishing, are being launched against a host of industries, with a growing number targeting the public sector and the institutions which operate within it.

 

For instance, Russian hackers accessed corporate emails and data on individuals from the Home Office earlier this year. Meanwhile, residents of Dumfries and Galloway in Scotland received letters informing them that their medical information may have been compromised by cyber-criminals who targeted the National Health Service (NHS) in a ransomware attack.

 

Although progress is certainly being made when it comes to boosting public sector cyber-resilience – as seen with the UK government introducing regulations to protect consumers against hacking and other cyber-attacks earlier this year – additional efforts are needed to attain genuine cyber-resilience and enhance defences against attacks. This is especially pertinent when it comes to phishing, given that more than nine out of ten cyber-attacks start off with phishing.

 

This necessitates the new government doing its utmost to guarantee that all public sector enterprises possess the resilience and sufficient protection against cyber-threats.

 

The role of passkeys

To date, many businesses are overly reliant on the use of outdated authentication methods like passwords which are easy to steal via phishing attacks. In fact, over 80 per cent of breaches involve the use of weak or stolen passwords.

 

Although multifactor authentication (MFA) is essential to secure your sensitive information, not all MFA is created equal. Any MFA method that can be shared or intercepted by an attacker, such as one-time passwords (OTPs), will always be exposed to sophisticated phishing attacks. To add to this, authentication methods using facial or voice recognition are easily spoofed by artificial intelligence (AI).

 

Passkeys, an increasingly popular form of modern authentication, represent a far more secure alternative to passwords, supporting a transition to passwordless authentication. Passkeys seamlessly authenticate users by using cryptographic security “keys” stored on their computer or device. 

 

As an inherently phishing-resistant solution, device-bound passkeys, which can be stored on hardware security keys, are used to log into applications and services in a swift and secure manner, enhancing efficiency and online safety. For instance, device-bound passkeys require both proof of possession and the presence of the user to log in, preventing them from being intercepted or stolen by remote threat actors.

 

What’s more, cyber-criminals cannot copy the passkeys stored on hardware devices, and authentication is only feasible on verified sites or apps, meaning account credentials are not issued to hostile websites under any circumstances, even if the user is deceived. 
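As an added illustration (not part of the article or of any Yubico software), the following simplified relying-party check shows why the origin binding described above stops a passkey credential being issued to a look-alike site: the browser records the origin it is actually on, the authenticator signs over it together with the server's challenge and a user-presence flag, and the server rejects anything that does not match. The relying-party name, origin and credential key are constructed, and an HMAC stands in for the authenticator's private-key signature.

```python
import hashlib
import hmac
import json

# Constructed relying party (RP) identity; in WebAuthn the RP ID is the site's domain.
RP_ID = "portal.example.gov.uk"
EXPECTED_ORIGIN = "https://portal.example.gov.uk"
UP_FLAG = 0x01  # user-presence bit in the authenticatorData flags byte


def make_assertion(key: bytes, origin: str, challenge: bytes, user_present: bool = True) -> dict:
    """Model of what browser + authenticator return for a login ceremony.

    The browser, not the user, fills in the origin, so a look-alike site can only
    obtain an assertion bound to its own origin. HMAC is a simplification standing in
    for the authenticator's asymmetric signature over authData || SHA-256(clientData).
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin}
    ).encode()
    rp_id_hash = hashlib.sha256(origin.split("://", 1)[1].encode()).digest()
    flags = bytes([UP_FLAG if user_present else 0])
    auth_data = rp_id_hash + flags + (0).to_bytes(4, "big")  # rpIdHash | flags | signCount
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "sig": hmac.new(key, signed, hashlib.sha256).digest()}


def verify_assertion(key: bytes, assertion: dict, challenge: bytes) -> tuple:
    """Server-side checks a relying party performs before accepting a login."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if cd.get("challenge") != challenge.hex():
        return False, "stale or replayed challenge"
    ad = assertion["auth_data"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad[32] & UP_FLAG:
        return False, "user presence not asserted"
    signed = ad + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False, "bad signature"
    return True, "ok"
```

A real deployment also tracks the signature counter and verifies the stored public key with the credential's algorithm; the structure of the checks is the same.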

 

Another benefit of device-bound passkeys is that they do not require an internet connection or a battery, enabling them to provide reliable authentication in settings where users have limited access to mobile devices.

 

By using passkeys to protect the accounts of public sector professionals, users and organisations can boost their security even in the event of an individual being tricked by an advanced phishing attack.

 

Establishing phishing-resistant users

In order to ensure the highest level of security and mitigate phishing attacks in their entirety, public sector organisations must implement measures beyond merely investing in phishing-resistant authentication – they must prioritise developing phishing-resistant users.

 

With well over half of data breaches succeeding due to a human element, such as falling victim to a social engineering attack or making an error in judgement, developing phishing-resistant users is now timelier than ever.

 

The inception of phishing-resistant users is not just a reactive measure to the ever-growing threat posed by phishing – it’s a proactive, organisation-level strategy designed to remove the risk of phishing by removing all potential phishing incidents from the user lifecycle.

 

Previously, the principal security control among organisations has been to prevent phishing at the time of authentication. However, the roll-out of new phishing-resistant authentication has resulted in user accounts entering a hybrid state with access to both phishable and phishing-resistant credential types. The process for issuing credentials therefore needs to be elevated to the same standard as the authentication controls previously in place.

 

To ensure point-in-time authentication policies are effective, for instance during a login attempt, organisations must provide users with the right type of authenticators, credentials, and processes for each phase of the account lifecycle.

 

Given that users frequently switch between platforms and devices, as well as across personal and corporate apps and services, conventional authentication techniques are fundamentally phishable.

 

What’s more, in circumstances such as when a user is being onboarded or when their device is lost or stolen, organisations tend to temporarily default to phishable user registration, producing convenient points in time for a phishing attack to take place. This gradual approach to authentication highlights the difficulties organisations face in reliably protecting their systems and data, in addition to maintaining compliance.

 

To entirely remove phishing from their threat landscape and ensure employees are adequately protected, organisations must guarantee that every user and process is phishing-resistant. Ensuring phishing resistance in the processes of registration, authentication, and recovery is essential for developing phishing-resistant users.

 

To achieve this, all enterprises must equip employees with phishing-resistant MFA and utilise passkeys on portable, purpose-built hardware security devices as the primary authenticator. From this, organisations ought to establish phishing-resistant account registration and user recovery procedures, deploying passkeys which serve as the basis for the highest-assurance security.

 

Lastly, public sector organisations should implement technology-driven solutions that reduce reliance on user education, while at the same time providing vital education on the core principles and benefits of phishing-resistant MFA and good cyber-hygiene.

 

Ultimately, organisation-wide cyber-security and the tactics needed to thwart emerging attacks should be a top priority for the public sector. While progress is undoubtedly being made in the enhancement of cyber-resilience, additional efforts are required to reduce disparity between the risks of cyber-attacks and the attitudes displayed by the UK public sector towards preventing them.

 

The cornerstone of building such resilience lies in fostering a culture of phishing-resistant users, with passkeys as the indispensable starting and ending point.


Niall McConachie is regional director (UK & Ireland) at Yubico

 

Main image courtesy of iStockPhoto.com and Vlad Yushinov

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543