One of the most common ways that cyber criminals break into networks (and into home users’ computers, of course) is through phishing. This is the practice of sending out emails that appear to come from a contact or a reputable company and dupe you into clicking on a link or opening a hostile attachment.
Clicking on the link takes you to a website that imitates the reputable company purportedly sending the email (often a bank, for instance), and the site will attempt to dupe you into revealing your password.
It’s a common scam that most people will have seen, but it is surprisingly effective (otherwise, cyber criminals wouldn’t bother doing it, right?). Security specialist Dashlane reported earlier this year on the scale of the problem. They found that:
• phishing attempts have grown 65% in the past year
• some 76% of businesses reported being a victim of a phishing attack in the same period
• 30% of phishing messages are opened by users and 12% of those users click on the malicious attachment or link
For an organisation, the problem is that even if 99% of users are smart enough to spot a phishing scam, it only takes one unlucky person – on a bad day, with their mind on something else – to compromise security.
Yet tech giant Google reports that none of its 85,000 employees have suffered an account takeover due to phishing for more than a year.
Before you assume that Google has installed hugely expensive security systems, note that the answer is far simpler. It’s thanks to a simple product called a security key – available for as little as £15 – that Google now requires all employees to use before logging on to the network.
“We have had no reported or confirmed account takeovers since implementing security keys at Google,” Google said.
Influential security journalist Brian Krebs reported in early 2017 that Google had started to implement the new policy, so some 18 months later, the fact that not one breach has occurred is impressive.
Two-factor authentication (2FA) – which, incidentally, all companies should be doing as best practice – means that when an employee logs on with user name and password, he or she will be asked to input a second code that is delivered via another device, for instance, via a text message or app on their phone.
Google added a third step, that of a security key. After following the two steps detailed above, an employee must plug their security key into a USB port on their computer, then press a button.
Thus, even if a determined phisher were able to retrieve an employee’s user name and password, they could not take over the account without having the physical security key.
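To make concrete why the physical key defeats a phisher who already holds the password, here is an added illustration (not code from the original article or from Google’s deployment): a U2F/FIDO2 security key signs the site’s login challenge together with the origin the browser reports, so an answer produced on a look-alike site does not verify at the real one. The origins, the key secret and the HMAC stand-in for the key’s signature are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the secret sealed inside a hardware security key.
# Real U2F/FIDO2 keys sign with an asymmetric key; HMAC-SHA256 is used here
# only to keep the example runnable with the standard library.
KEY_SECRET = secrets.token_bytes(32)
PHISHING_ORIGIN = "https://accounts-example.com"  # constructed look-alike site

def key_credential(origin: str) -> bytes:
    """Per-origin credential the key derives at enrolment (never leaves the key)."""
    return hmac.new(KEY_SECRET, b"cred:" + origin.encode(), hashlib.sha256).digest()

def key_sign(browser_origin: str, challenge: bytes) -> dict:
    """Button press: the key signs the challenge together with the origin the
    browser reports, so the assertion is bound to the site the user is really on."""
    client_data = json.dumps({"origin": browser_origin, "challenge": challenge.hex()}, sort_keys=True).encode()
    sig = hmac.new(key_credential(browser_origin), client_data, hashlib.sha256).digest()
    return {"client_data": client_data, "signature": sig}

class RelyingParty:
    """The real site: accepts an assertion only if origin, challenge and signature all match."""
    def __init__(self, origin: str):
        self.origin = origin
        self.credential = key_credential(origin)  # stored at enrolment
        self.pending = set()  # challenges issued but not yet used

    def challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self.pending.add(c)
        return c

    def verify(self, assertion: dict) -> bool:
        data = json.loads(assertion["client_data"])
        challenge = bytes.fromhex(data["challenge"])
        if data["origin"] != self.origin or challenge not in self.pending:
            return False  # wrong origin, or unknown/replayed challenge
        self.pending.discard(challenge)  # single use
        expected = hmac.new(self.credential, assertion["client_data"], hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])

def legitimate_login(rp: RelyingParty) -> bool:
    return rp.verify(key_sign(rp.origin, rp.challenge()))

def relayed_phishing_login(rp: RelyingParty) -> bool:
    """A look-alike page forwards the real site's challenge and relays the key's answer back."""
    return rp.verify(key_sign(PHISHING_ORIGIN, rp.challenge()))
```

The relayed answer is rejected on the origin check alone, and even an attacker who rewrote the origin field would break the signature over the client data.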
For a tech giant to have ensured such an impregnable defence at a cost of around £15 per employee is a remarkable tribute to the gadget’s efficacy.
Adding cyber security training to such helpful products can ensure that your organisation stays one step ahead of the cyber criminals.