Not overly concerned about phishing? Seventy-six percent of organizations experienced a phishing attack in 2017, according to Wombat Security. It didn’t put a price tag on these attacks, but Ponemon Institute calculates that the average large company spends $3.7 million each year coping with them.
And then there’s Google. The number of Google employees who have been successfully phished since early 2017 is zero, according to a company spokesperson. That’s because its 85,000-plus employees are required to use a security key, an inexpensive USB-based device, to log into a user account.
Security keys have existed for decades, but Google’s company-wide adoption of them appears to be unique.
Not only are security keys inexpensive, but their operation is easy and straightforward. A user inserts the physical key into a computer and presses a button on the device when prompted. After a user enrolls a device for a site that supports security keys, the need for a password is eliminated unless there is an attempt to access the account with a different device (in which case they only need to insert their key).
Google began requiring its employees to use security keys early last year and security keys are now the basis of all account access at the company.
Security keys can’t prevent phishing attempts. However, a bad actor can’t access a user’s account – even if they obtain the user’s password – unless they somehow manage to get hold of the physical security key. These keys are proving to help avert phishing incidents when employees click a link within a bogus email.
Security keys use a type of multi-factor authentication called Universal 2nd Factor (U2F), an open source authentication standard. Currently, a limited number of well-known sites support it, such as Dropbox, Facebook, GitHub, Twitter and, of course, a cornucopia of Google sites. U2F is also supported by Chrome, Firefox, and Opera browsers, and Microsoft says it will update its Edge browser to support U2F this year. In addition, most password managers, including Dashlane and KeePass, now support U2F.
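Why a stolen password alone is not enough, and why a look-alike site cannot borrow the key's answer, comes down to the key signing the origin the browser reports. The toy U2F-style challenge-response below is an added illustration, not code from the article, Google or the FIDO project; the origins, the user name and the use of an HMAC in place of U2F's per-site ECDSA signature are assumptions made to keep it self-contained.

```python
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://accounts.example.com"    # constructed sample origin
PHISH_ORIGIN = "https://accounts-example.com"   # attacker's look-alike site (constructed)

def _respond(secret, origin, challenge):
    """What the key signs: a hash of the origin the browser reports, plus the challenge.
    HMAC stands in for the per-site ECDSA signature of real U2F (standard library only)."""
    msg = hashlib.sha256(origin.encode()).digest() + challenge
    return hmac.new(secret, msg, hashlib.sha256).digest()

class SecurityKey:
    """Stands in for the USB device. `origin` is supplied by the browser, never by the
    page, so a look-alike site only ever obtains a response the real site will reject."""
    def __init__(self):
        self._creds = {}  # key handle -> registration secret
    def register(self):
        handle, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self._creds[handle] = secret
        return handle, secret  # the server stores both (a public key, in real U2F)
    def sign(self, handle, origin, challenge):
        return _respond(self._creds[handle], origin, challenge)

class RelyingParty:
    """The real site: single-use challenges, verified against its own origin only."""
    def __init__(self, origin):
        self.origin, self.users, self.pending = origin, {}, set()
    def challenge(self):
        c = secrets.token_bytes(32)
        self.pending.add(c)
        return c
    def verify(self, user, challenge, response):
        if challenge not in self.pending:  # unknown or already-consumed challenge
            return False
        self.pending.remove(challenge)
        return hmac.compare_digest(_respond(self.users[user], self.origin, challenge), response)

def demo():
    key, rp = SecurityKey(), RelyingParty(REAL_ORIGIN)
    handle, rp.users["alice"] = key.register()
    c = rp.challenge()  # 1. normal login from a browser sitting at the real origin
    legit = rp.verify("alice", c, key.sign(handle, REAL_ORIGIN, c))
    c = rp.challenge()  # 2. attacker relays a real challenge through the look-alike site
    relayed = rp.verify("alice", c, key.sign(handle, PHISH_ORIGIN, c))
    c = rp.challenge()  # 3. a captured good response replayed against the same challenge
    r = key.sign(handle, REAL_ORIGIN, c)
    first, replay = rp.verify("alice", c, r), rp.verify("alice", c, r)
    return {"legit": legit, "phish_relay": relayed, "first": first, "replay": replay}
```

Case 2 is the one that matters for phishing: the victim pressed the button, yet the real site rejects the response because the signed origin is the look-alike's, not its own.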
Of course, phishing incidents are just one way a company can be compromised. Averting a cyber-attack requires a multi-line defense strategy that encompasses all levels of risk from insider threats to network vulnerability.
Download Gartner’s Top Security and Risk Management Trends report to learn more about ways you can safeguard your employees and network from being hacked.