No amount of phishing simulations will fix a broken cybersecurity system.
Every year, organizations spend millions on cybersecurity training. By the time they reach the phishing simulation phase, they realise that the data points towards one conclusion: the employees who perform best are often the ones who barely check their emails at all.
Not so helpful.
Social engineering has always been one step ahead of security training. In most organizations there is always some combination of [wrong email + right employee (victim)] that would bring the whole system to a halt. Why? Because, in a way, cybersecurity training is built from the leftovers of previous data breaches, while the hackers are already working on the next technique.
Put simply, cybercriminals adapt much faster than staff. The real question isn’t “how do we train employees better?” but “why are we relying on them in the first place?”
A better approach: Systems that work for everyone
Instead of trying to turn every employee into a cybersecurity expert, we should focus on building systems that protect everyone by default. Think of it like this: we don’t organize martial arts training for employees to ensure their physical safety – instead, we install door locks and badge readers that work for everyone regardless of their combat skills.
This approach, often called “security by design,” has several key principles:
Assume Human Error: Design systems with people in mind. People have bad days sometimes and will make mistakes. We have to ensure those mistakes can’t spiral into major breaches by working with the situation and not around it.
Compartmentalization: Ensure that if one person’s account is compromised, the damage is contained. This is similar to how ships have multiple watertight compartments – a breach in one doesn’t sink the whole vessel.
Automation Over Education: Replace human decision points with automated systems that handle security decisions consistently and reliably.
FIDO2: The Future of Authentication
FIDO2 is an authentication standard. It is the cornerstone of a system that works for everyone: it provides a hardware solution to a cybersecurity problem.
What is FIDO2?
If you haven’t heard of this before, FIDO2 stands for Fast IDentity Online. It normally comes in the shape of a USB key or a card. You can think of it as the equivalent of a regular house key, except that you use it on your computer: a digital key. People do not need special training to use a house key, and similarly they will not need training to use a FIDO2 key. This makes security feel more natural.
How Does It Work?
Once you get your own FIDO2 key:
- Setup: First, you pair your FIDO2 key with your account by plugging it into your device or connecting it wirelessly. The service will guide you through a quick setup process, which might include adding a PIN or scanning your fingerprint, depending on the key.
- Login: When you want to log in, plug in your FIDO2 key or tap it if it’s wireless. The system might ask for your PIN or a biometric check to verify it’s really you.
- Access Granted: That’s it! No need to type in passwords or worry about remembering them. The key handles the security part for you.
- When you need to log in, you either:
  - Insert the security key and tap it
  - Use your fingerprint or face recognition on your phone
  - Enter a simple PIN
Why is FIDO2 “better”?
- No Passwords to Steal: FIDO2 replaces traditional passwords with cryptographic keys. Since the private key is stored securely on your device and never shared, there is nothing for hackers to steal or guess. You don’t need to worry about weak passwords or reusing the same one across multiple sites. It also means a man-in-the-middle intercepting your login has no password to capture.
- Built-in Phishing Protection: FIDO2 prevents you from logging in to fake websites. Each credential is bound to the site it was registered with; when you try to log in, the key checks that the site asking matches the site the credential belongs to, and if it doesn’t match, you cannot proceed. This is what we call mutual authentication: both the user and the site are verified for veracity.
- Local Authentication: FIDO2 credentials never leave your device. The private key associated with your public FIDO key is stored securely on the device, and the authentication step happens locally between your device and your Internet browser. No secrets are sent to the service provider over the Internet, so your sensitive personal information stays private.
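The login sequence from “How Does It Work?” and the three properties above, as an added worked example in Go (not code from the original post or from the FIDO Alliance): a simplified security key, browser and service run one WebAuthn-style challenge-response. The hostnames are constructed, the RP ID is derived from the origin by stripping the scheme (a real browser uses the origin’s effective domain), and authenticatorData is omitted; those are simplifications, not how the standard defines them. The point to watch is that the private key never leaves the `Authenticator`, that the browser, not the web page, writes the origin into the signed data, and that the service rejects a replayed or wrong-origin assertion.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// clientData: the browser, not the web page, records the origin it actually observed.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator models a security key: one P-256 key pair per relying-party ID, never exported.
type Authenticator map[string]*ecdsa.PrivateKey

// Register creates a credential scoped to rpID; only the public key goes to the service.
func (a Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = priv
	return &priv.PublicKey, nil
}

// BrowserLogin plays the browser: it records the origin the user is really on and asks the
// key for a credential scoped to that host. A look-alike host has no credential, so nothing
// is signed. Returns clientDataJSON and the ASN.1 ECDSA signature over its SHA-256 hash.
func BrowserLogin(auth Authenticator, visitedOrigin, challenge string) ([]byte, []byte, error) {
	rpID := strings.TrimPrefix(visitedOrigin, "https://") // toy RP-ID derivation
	priv, ok := auth[rpID]
	if !ok {
		return nil, nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: visitedOrigin})
	digest := sha256.Sum256(cd)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return cd, sig, err
}

// RelyingParty is the service: its own origin, the public key stored at registration,
// and the challenges it has issued but not yet seen answered.
type RelyingParty struct {
	Origin     string
	pub        *ecdsa.PublicKey
	challenges map[string]bool
}

func NewRelyingParty(origin string, pub *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{Origin: origin, pub: pub, challenges: map[string]bool{}}
}

// NewChallenge issues a fresh random, single-use challenge.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy source; nothing sensible to fall back to
	}
	c := base64.RawURLEncoding.EncodeToString(b)
	rp.challenges[c] = true
	return c
}

// Verify accepts an assertion only if the challenge is ours and unused, the browser-reported
// origin is our own, and the signature verifies under the registered public key. An assertion
// signed at a phishing origin fails the origin check even if the attacker relays our challenge.
func (rp *RelyingParty) Verify(clientDataJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if !rp.challenges[cd.Challenge] {
		return errors.New("unknown or already-used challenge")
	}
	delete(rp.challenges, cd.Challenge) // single use: a replayed assertion is rejected
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin %q does not match %q", cd.Origin, rp.Origin)
	}
	digest := sha256.Sum256(clientDataJSON)
	if !ecdsa.VerifyASN1(rp.pub, digest[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	// Constructed hostnames for the walk-through; no real sites are involved.
	auth := Authenticator{}
	pub, _ := auth.Register("accounts.example.test")
	rp := NewRelyingParty("https://accounts.example.test", pub)
	cd, sig, _ := BrowserLogin(auth, "https://accounts.example.test", rp.NewChallenge())
	fmt.Println("real site:", rp.Verify(cd, sig))
	fmt.Println("replay:", rp.Verify(cd, sig))
	_, _, err := BrowserLogin(auth, "https://accounts-example.test", rp.NewChallenge())
	fmt.Println("look-alike site:", err)
}
```

Running it prints a nil error for the genuine login, a rejected replay, and a refusal to sign for the look-alike host. Two defensive choices are worth noting: the challenge is deleted before the origin and signature checks, so a failed attempt cannot be retried with the same challenge, and the origin comparison is exact, so a subdomain or a differently-spelled host never passes. The user does not make any of these decisions, which is what “automation over education” looks like in practice.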
The Path Forward
Instead of investing thousands of hours in training that may be outdated by the time it’s completed, organizations should:
- Implement FIDO2: Start with critical systems and gradually expand.
- Focus on Systems: Invest in technologies that make security the default state rather than something employees need to actively maintain.
- Change the Culture: Move from a “blame the user” mentality to one that emphasizes systematic protection.
Remember: The best security system isn’t the one that requires perfect human behavior – it’s the one that works despite our imperfections. By adopting technologies like FIDO2 and embracing security by design, we can create safer digital environments that protect everyone, regardless of their cybersecurity expertise.