The unfolding crisis of the COVID-19 pandemic has fueled an increase in cybercrime globally. Individuals and organizations are extremely vulnerable during this crisis as millions of users and organizations across the world are more than ever dependent on computer systems, mobile devices and the Internet to work, communicate, shop, share and receive information and otherwise mitigate the impact of social distancing.
There is ample evidence over the last couple of months that cybercrime actors are exploiting to these vulnerabilities to their own advantage. Some examples:
- Phishing attacks increased by 667% in March compared to January of this year via seemingly genuine websites or documents providing information or advice on COVID-19 are used to infect computers and extract user credentials
- Compromised username and passwords (approximately 25,000 records) from World Health Organization, U.S. Centers of Disease Control and Prevention (CDC), the World Bank, National Institutes of Health, and other notable groups were used to spread COVID-19 misinformation online
- Username and passwords for more than 500,000 Zoom (a video conference tool used by users and organizations) users was posted on the dark web for sale
- Ransomware operators demanded 33% more from their victims in Q1 2020 than the previous quarter with a 49% spike in attacks over baseline levels
- With an increase of remote workforce by 70% in April to February (as reported by Carbon Black), the cyber criminals are obtaining access to the systems of companies or other organizations by targeting these remote workers
- Canadians and Americans report ~13.2 million in COVID-19 related fraud losses and this number is increasing as more users are victimized by cyber criminals
A common theme arising from the above examples puts us humans as the ‘weakest link in the security, chain’. However, blaming users will not lead to more effective security systems nor will it stop the cyber criminals in exploiting the users and their behaviours. Organizations and service providers need to identify and address the causes of undesirable user behaviour with passwords typically caused by failure to recognise the characteristics of human memory, unattainable or conflicting task demands, and lack of support, training and motivation for creating stronger passwords.
Organizations and service providers need to adopt and provide secure, simple passwordless experiences to users. Enabling a passwordless solution that can accurately verify a user’s identity without the use of passwords, SMS, and OTPs vastly improves security by reducing the overall attack surface and eliminating compromised credential risk.
With the current COVID-19 crisis of increased remote workers and increased online shopping by users, organizations and service providers need to prioritize solutions that can easily integrate with a broad range of systems and support for use cases to reduce organizational risk. The aim is to shift away from a 60-year old credential-based (username and password) solutions to a modern authentication platform from the more exposed consumer and employee interfaces. This will allow for scaling and simple integration across a wider range of business applications and processes using widely adopted mechanisms such as Security Assertion Markup Language (SAML), OpenID Connect (OIDC), and REST API’s.
Often organizations and service providers are not certain on where and how to start this critical transformation to curb cybercrime. The following are the key areas where organizations and service providers can start thinking about adopting passwordless technology and solutions:
- Customer Identity & Authentication: This deployment will provide a secure and friction-free enablement into the most critical business functions securing the organization and their customers from digital fraud
- Remote Access (VPN) / Virtual Desktop: With a surge in remote workforce, removing static credentials from the equation reduces the risk
- IT Support Efficiency: With IT Support facing new challenges of remote support, a passwordless solution shall eliminate service desk tickets and calls related to password resets