How to eliminate cyber risk no. 1 in any company: This article explains what can be done
For any business, it is a delicate balance to assess a given cyber risk, the necessary countermeasures, and the related costs of those measures. It’s a complex task and often very difficult to get right. Understandable, and logical as well. No one can predict the future, but we can all learn from the past.
The risk
Past cybersecurity issues have evolved from minor annoyances into major incidents with catastrophic consequences, leading to significant data losses and very high recovery costs. Behind each of these catastrophic incidents there is a lesson to be learned, a tool we can use to avoid similar occurrences in the future. That tool is already at hand: change our standard access to IT systems from a username and password to a username with no password. This new approach is known as “passwordless” by the IT industry, which agreed to name the tool “Passkeys”.
Before I explain what a Passkey is and how it’s used, I will explain why Passkeys are important.
Since the early days of computer systems, username and password have been the go-to method for system access. It worked well when systems were only running locally, but not so well now that all systems are Internet-connected. We are all familiar with the password change process and the constant attempts by cyber criminals to lure our passwords from us.
Back in 2020, the World Economic Forum published their report “Passwordless Authentication: The next breakthrough in secure digital transformation”[1]. The report stated that “80% of all data breaches involve weak or stolen Passwords”. In other words, 4 out of 5 incidents are connected to the password. Other international organizations have since re-confirmed this 80% statistic. The password as a method has outlived its usefulness, is outdated and needs to be retired. The risk of continuing to use passwords is too high, and a replacement is needed.
Passkeys
Replacing passwords with these new “Passkeys” requires technological innovation and for the industry to work together, which is happening within the FIDO Alliance[2]. Microsoft[3], Apple, Google, Amazon, the Nordic national digital identity services[4], and the Swedish company Yubico[5] are all doing this innovative work as we speak. It is happening. And it is working.
Now that you understand the why, let’s look at how.
In any scientific development, you are standing on the shoulders of others. This is true for Passkeys as well. Passkeys mix longstanding technology with new inventions: classic computer encryption techniques combined with recent mobile phone developments. This is the essence of how Passkeys work.
Passkeys identify a user by their username (e.g., your e-mail address) and then match you against a previously computer-generated key stored on your mobile phone or on a special small piece of computer hardware called a “token”[6].
Of course, there is much more happening from a technology point of view. Various checks and validation processes happen behind the scenes, all supporting the security of Passkeys. And despite this complicated backend, it still feels easy to use. Even if the user gets a new mobile phone, their Passkey will transfer from the old phone to the new one – naturally with reasonable security measures applied during the transfer.
And this is one key point with Passkeys. They are far more secure, they offer a much smoother and faster login experience, they allow contactless login, and they eliminate high-risk issues like password sharing, as well as the very annoying strong-password policy and the frequent password change requirement.
Policies and requirements
The policies and requirements are especially important here and worth a closer look. Over recent years, we’ve seen new legislation and standards emerging. Most of you are probably familiar with the EU GDPR legislation that went into effect in 2018, and many might know a thing or two about the ISO/IEC 27002 global IT security standard. My guess is that only a few of you know much about the implications of the upcoming EU NIS 2 Directive[7], covering critical infrastructure, and the EU DORA Directive[8], covering the financial sector. These new EU Directives come into effect as early as October 2024 and January 2025. In both cases the main purpose is to make business and national services more cyber-robust and resilient.
In addition to policies and requirements, we’re also witnessing the emergence of new technology standards to support the legislation and the need for change towards better security. I mentioned the ISO/IEC 27002 standard just before. Now I would like to introduce you to the work that is being done in the US.
The American Government, via its national standardization organization, the National Institute of Standards and Technology (NIST), is doing a lot to strengthen security levels. NIST provides what it calls the “Cybersecurity Framework (CSF)”[9]. The framework is continuously updated and contains a lot of information. As part of the transition to lowering cyber risk, NIST recently introduced the so-called “Level of Authentication” logic.
In short, the level sets a bar for how secure a given user login method is. The old username and password are level 1, while the new Passkey is either level 2 or level 3, depending on the configuration. As an example, the new national identity services, like the Danish MitID or Swedish BankID, require at least level 2. While the levels may sound very technical (and they can be), it’s still important to understand them from a business perspective. The levels are the way that standards, policies and legislation get converted into operational IT. They define the regulatory framework within which we work.
In Europe, the EU is also pushing to improve cybersecurity and reduce risks. The European Union Agency for Cybersecurity (ENISA) emphasizes in its September 2024 report “ENISA Threat Landscape 2024”[10] that even some current methods for protecting user accounts with an extra layer of security can be circumvented by criminals. We all know the method of receiving a text message to confirm our login. This method needs improvement. To make things worse, in the same report ENISA also touches on the illegal commercial market for selling usernames and passwords, known in technical terms as credentials. They state: “a year-over-year growth in the number of groups and the volume of credentials for sale as per numerous reports.” Not only are the criminals stealing our access information, they also sell the stolen information in bundles to the highest bidder.
Now we’ve gone through the why and the how, and seen what the authorities have to say. It’s time to understand how to do it.
Get it done
Making changes to work processes is always difficult, and having users change habits in combination with IT systems can be overwhelmingly difficult. I believe this is the reason why many find it challenging to transition away from usernames and passwords. On the other hand, if it is possible to provide a new process that removes burden and irritation, and at the same time increases efficiency and lowers cyber risk – then why not give it a go?
And that’s exactly my point. It is possible to start slowly. Work with a sub-group of users and have them add Passkeys to their login method. Microsoft offers comprehensive guidance in its how-to “Support for passkeys in Windows”[11]. Google[12] and Apple[13] do the same, as does OpenText with its “Advanced Authentication”[14] product.
Using the information from the big tech companies, you can now move forward with the project in your business. As said, start with a sub-group, then move to the next group, the next, and so on. It is a matter of putting together a prioritized plan, including the needed awareness training for the users. You will need to validate that the IT systems in use support a change of login method. If you are already using Microsoft products for login validation, you will be good to go. All other enterprise vendors also support the use of Passkeys. It is normally a matter of configuration or, sometimes, licenses.
When you and your users start to have confidence in Passkeys, you can begin changing the default settings for login methods. You can even remove the option of using passwords on the local Windows desktop and online.
Overwhelmingly difficult
Just as I said earlier, these kinds of projects can be “overwhelmingly difficult”. Hence, I will walk you through some of the most common objections.
The first is: “It is too expensive”. Well, expensive depends on how you gauge it. Compared to potential recovery costs, the cost to implement is minimal.
Second: “My users or even management don’t want any change”. Then we are back to the risk matter: the consequence of not doing anything. A main argument is that the increased long-term simplicity and the removal of the ongoing password change policy will convince both your users and your management. It will prove that the change is relevant and necessary.
Third: “We can’t cover all our use cases”. That’s correct. In many cases there are old systems that still need the outdated method of username and password. Sometimes such cases can be handled by adding an extra layer of login security in front of the old system, and sometimes you just have to accept that system as it is. Old systems get replaced by new ones or simply get decommissioned. It happens all the time.
Fourth: “The users can’t follow the instructions”. The human-error objection. Every single human makes mistakes. I do this all the time. It’s no secret. The point here is that if we can remove a potential human error with a technological solution, why don’t we? Blaming cyber incidents on your users is not correct. It leaves users with guilt and, at the end of the day, with distrust and a lack of engagement. Passkeys remove the use of passwords and thus also the risk that a user accidentally shares the password with a cybercriminal.
There are probably many more objections, and I’m happy to receive feedback on the ones that are your top ones. Please mail me. The better I and everyone else understand what is holding you back from the transition to passwordless and Passkeys, the better it can be explained and addressed.
The headline
The headline of this article reads “How to eliminate cyber risk no. 1 in any company: This article explains what can be done”. Throughout the article, I have described how the risk of continuing to use usernames and passwords as the primary login method for IT systems is far too high. We saw that more than 4 out of 5 cyber incidents originate from the exploitation of a password, and that the World Economic Forum considers passwords to be risk number 1 in cyberspace. We also learned that, in both the US and the EU, new rules and laws are on the horizon to increase cyber robustness and resilience.
We’ve also seen that all the major tech vendors are prepared with a replacement for outdated passwords, through their collective efforts in the FIDO non-profit organization and the development of the Passkey login method.
Now, knowing the risks and understanding that there’s a path forward, we’ve reviewed the “how-to” of implementing this in the real world. Once again, technology companies are there to assist, providing a wealth of knowledge and documentation.
Finally, I highlighted some common objections. Hopefully, my top 4 list matches your top concerns and will help you as you work to eliminate cyber risk no. 1 in your company.
Author:
Bjarke Alling, Principal Advisor, Epical
Tel: +45 40 13 91 05
Mail: Bjarke.alling@epicalgroup.com
Content references
[2] https://fidoalliance.org/passkeys/
[3] https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-deployment
[4] https://mitid.dk/en-gb/help/help-universe/how-to-log-on/how-to-log-on-with-mitid-app/?language=en-gb
[5] https://developers.yubico.com/Passkeys/Passkey_concepts/
[6] https://tches.iacr.org/index.php/TCHES/article/view/8972/8550
[7] https://eur-lex.europa.eu/eli/dir/2022/2555/oj
[8] https://eur-lex.europa.eu/eli/reg/2022/2554/oj
[9] https://www.nist.gov/itl/smallbusinesscyber/planning-guides/nist-cybersecurity-framework
[10] https://www.enisa.europa.eu/publications/enisa-threat-landscape-2024
[11] https://learn.microsoft.com/en-us/windows/security/identity-protection/passkeys
[12] https://blog.google/technology/safety-security/passkeys-default-google-accounts/
[13] https://developer.apple.com/passkeys/
[14] https://www.opentext.com/what-is/multi-factor-authentication