Ciptor Security Insights

Cyberattacks are on the rise!

The long-standing, oft-deferred security threat posed by password-based authentication is now front and center. Some of the most damaging cyberattacks in the past year were caused or enabled by weak password protection. For example, the Colonial Pipeline breach that shut down fuel supply operations to the eastern United States was traced to a single compromised password. This untenable risk, along with growing regulatory pressures such as the 2021 Executive Order on Cybersecurity’s Zero Trust mandate, is prompting more organizations to turn to passwordless options. There’s growing recognition that passwordless security approaches can provide significantly better protection and user experience as well as cost savings. To further clarify the state and direction of passwordless authentication, we conducted our second annual survey among IT and security professionals across the globe.

As organizations look for opportunities to do more with less, they’re no doubt considering how security teams can contribute. With that in mind, I’d like to share priorities for 2023 that will pay off in the long run:

  • Traditional multi-factor authentication (MFA) methods are increasingly under attack. These include Remote Desktop Protocol (RDP) attacks, account takeover (ATO) fraud, phishing, man-in-the-middle (MitM) attacks, credential stuffing and push attacks.
  • Remote work continues to be the main driver for passwordless authentication, especially against the backdrop of the significant increase in phishing attacks in recent years.
  • Organizations face serious security gaps due to insecure authentication methods based on secret-sharing.
  • Protect against identity compromise. 
  • Modernize identity security to do more with less.
  • Protect access holistically by configuring identity and network access solutions to work together.
  • Verify remote users in a cheaper, faster, more trustworthy way.

Credential attacks are on the rise

Given the vast troves of stolen passwords on the dark web, easily available automated attack tools, and people’s penchant for password reuse, it’s unsurprising that credential stuffing attacks and phishing continue to grow. Phishing remains at an all-time high, with 89% of respondents revealing that their organizations experienced at least one phishing attack, according to the HYPR 2022 State of Passwordless Security Report.


10 Steps to Improving Your Cybersecurity Performance

What are cybersecurity goals?

Is it the number of users, and the results they produce, measured against the number of password resets? Good cybersecurity is highly valued, but it can also be difficult to achieve for many organizations.

The key to good cybersecurity is consistency. Anyone can be the next target of cybercriminals, but a high-performing cybersecurity team can meet future threats with the right combination of cybersecurity tools and a well-balanced cybersecurity education and awareness program.


1. Start with the right mindset and strategy

Your mindset, meaning how you approach cybersecurity, can greatly impact the outcome. If you don’t think you will be successful, you will be right. It usually takes several years to increase your cybersecurity awareness, and you will achieve it by building cybersecurity know-how inside your organization. If you aren’t there yet, try creating an annual cybersecurity strategy plan.

Your strategy should include a vision board where you assemble pictures and phrases of what you want to achieve and why you want to achieve it. It helps you remember why your organization needs to take cybersecurity seriously, and it is a powerful exercise for visualizing success.

2. Improve your cybersecurity with an emphasis on your vertical market

The level of understanding you have of how your business runs gives you credibility and trust when you are positioning your products or services. When you’re looking to improve your cybersecurity performance, strengthening your cybersecurity mindset (specifically in the vertical market you are in) is critical.

Ciptor ITSAFE Cybersecurity Expert Tobias Gurtner says:

"You need to understand how critical your cyber defense is for your business before you can set your business goals. As a decision maker for your company's cybersecurity, the key to success is to understand how hackers are approaching their targets, what their intentions are, and how you can accommodate and fit your cybersecurity strategy into that."

You can take small steps to improve your cybersecurity each day. Try reading credible cybersecurity publications or digging into relevant reports for deeper understanding.

3. Get organized

One of the biggest factors in cybersecurity is ensuring you are focused on the right task at the right time. Chances are that if you don’t allocate time to complete work (for example by putting it in your strategy), it’s unlikely to happen.

If organizing isn’t your strong suit, get help quickly. Ask an organized cybersecurity team member to walk you through their workflow to give you some ideas. If you are spending mental capacity juggling too many priorities, such as resetting passwords or adding users to all the web and mobile applications your organization is using, it will be hard to focus on your cybersecurity goals, which can hinder your overall performance.

4. Review your role and position

As a cybersecurity leader you are assigned a budget and activity metrics that will help your business achieve its overall goals. Some organizations publish these numbers so CIOs can compare their budget with high performers. Reading the data and incorporating it into daily activity is key.

Ciptor ITSAFE Cybersecurity Expert Mikael Zaman Rodin offers this advice:

"Understand what your ‘cybersecurity macros’ are. Most people are familiar with macros, or macronutrients, in the context of healthy eating. In that instance, you track how many carbs, proteins, and fats you eat to better understand what you’re consuming and help you reach your goals. This same thought process applies to cybersecurity.

Think of your metrics and KPIs as your macros. If you don’t understand what metrics or KPIs you need to overachieve, then you’ll have a hard time measuring your performance. The metrics you need to hit could be vastly different from those of the other reps on your team.

We once had a client that was ‘doing everything right’ but still missing a lot of tasks. We pulled some data and noticed that their password reset percentage was 50% higher than a regular client. After implementing a password self-service concept, they were able to handle all tasks on time.

Understand that your personal definition of success may be different from that of your peers. This is why knowing where you stand according to the metrics that are most relevant for you is important information for improving your performance as a cybersecurity team."

5. Set concrete goals above and beyond

Most businesses want to overachieve their budget, so setting business goals that exceed expectations provides flexibility for your business. If your goals are not written down, they are not goals, they are dreams.

Defining what you would like to achieve, how you would like to achieve it, and then sharing this information within your organization will help you to reach the goals.

6. Build a business cybersecurity development plan

The great part about cybersecurity is that there is a lot to learn. The best way to accelerate your development is to create a personal development plan that defines what cybersecurity skills you want to improve within a specific amount of time.

I suggest picking one or two specific skills and applications to focus on each month and documenting the steps you take to show improvement over time.

Work with your cybersecurity team and your suppliers to build a cybersecurity training plan to help get you to the next level – particularly if cybersecurity awareness is new in your company.

Asking your employees to fill out a cybersecurity training template and to watch the training videos is a concrete way to show you want to grow in your role as a cybersecurity leader.

7. Find a cybersecurity coach or mentor

Having a cybersecurity expert or confidant outside of your organization can provide valuable perspective. An expert with relevant experience will likely have more bandwidth and a broader view that can support your development in ways you might miss.

8. Track your progress in quantitative and qualitative ways

Document your success. Track your cybersecurity performance on a weekly and monthly basis so you have evidence of your progress. Additionally, tracking cybersecurity threats, authentication events, users who have not logged in for the past 10, 15 or 30 days, users who have been locked out, workstation events, etc., alongside your own progress can provide a high-level understanding of your performance and how it relates to your organization’s success.
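As an added example (not part of the original article, and not Ciptor or HYPR tooling), a small Python script that computes the tracking metrics listed above, plus the password-reset rate per account from step 4, over a constructed authentication log; the event kinds, user list, report date and the peer baseline reset rate are all assumptions.

```python
from datetime import datetime, timedelta
# Constructed sample authentication log (not real data): (timestamp, user, event kind).
# Event kinds are an assumption: login_ok, login_fail, lockout, pw_reset.
SAMPLE_EVENTS = [
    ("2023-01-01T09:00:00", "carol", "login_ok"),
    ("2023-01-18T08:30:00", "bob", "login_ok"),
    ("2023-01-19T08:31:00", "bob", "pw_reset"),
    ("2023-01-20T07:55:00", "dave", "login_fail"),
    ("2023-01-20T07:56:00", "dave", "login_fail"),
    ("2023-01-20T07:57:05", "dave", "lockout"),
    ("2023-01-28T08:00:00", "alice", "login_ok"),
    ("2023-01-30T08:05:00", "erin", "pw_reset"),
    ("2023-01-30T08:10:00", "erin", "login_ok"),
    ("2023-01-31T08:10:00", "erin", "pw_reset"),
]
KNOWN_USERS = ["alice", "bob", "carol", "dave", "erin"]  # constructed directory snapshot
REPORT_DATE = datetime(2023, 2, 1)

def parse_events(rows):
    return [(datetime.fromisoformat(ts), user, kind) for ts, user, kind in rows]

def inactive_users(events, known_users, as_of, thresholds=(10, 15, 30)):
    """Users with no successful login in the last N days, for each N; never-logged-in users count too."""
    last_ok = {}
    for ts, user, kind in events:
        if kind == "login_ok" and ts > last_ok.get(user, datetime.min):
            last_ok[user] = ts
    return {
        days: sorted(u for u in known_users
                     if last_ok.get(u, datetime.min) < as_of - timedelta(days=days))
        for days in thresholds
    }

def locked_out_users(events):
    return sorted({user for _, user, kind in events if kind == "lockout"})

def failed_logins(events):
    """Failed-login count per user: a cheap signal for password guessing or credential stuffing."""
    counts = {}
    for _, user, kind in events:
        if kind == "login_fail":
            counts[user] = counts.get(user, 0) + 1
    return counts

def reset_rate(events, known_users):
    """Password resets per account over the period: the 'cybersecurity macro' from step 4."""
    return sum(1 for _, _, kind in events if kind == "pw_reset") / len(known_users)

def kpi_report(rows=SAMPLE_EVENTS, known_users=KNOWN_USERS, as_of=REPORT_DATE, baseline_reset_rate=0.3):
    """Assemble the weekly/monthly tracking sheet; baseline_reset_rate is an assumed peer figure."""
    events = parse_events(rows)
    rate = reset_rate(events, known_users)
    return {
        "inactive": inactive_users(events, known_users, as_of),
        "locked_out": locked_out_users(events),
        "failed_logins": failed_logins(events),
        "reset_rate": rate,
        "reset_rate_elevated": rate > 1.5 * baseline_reset_rate,  # the 50%-above-normal pattern from step 4
    }
```

Calling `kpi_report()` returns the whole sheet as a dict; point `rows` at your own exported events and `known_users` at a directory export to run it on real data.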

9. Take a creative approach to problem-solving

There is no singular path to success, and your ability to think creatively can serve you well in the long run.

Ciptor ITSAFE Cybersecurity expert Mikael Zaman Rodin says:

"Your ability to think outside the box could be the difference between being hacked and not being hacked. Your ability to think creatively does matter, no matter what stage of the cybersecurity process you are in.

One of my favorite examples of creativity is during demo prep. If we are preparing to show a customer how our platform is going to revolutionize their way of going passwordless, why not take the time to sign them up in our demo environment? This takes only 5 minutes and provides relevant information about how we can improve their process."

As a cybersecurity leader, it’s your job to solve your business problem. The more creative you can be in your approach, the better.

10. Celebrate your wins

Your daily work is filled with ups and downs and many employees focus too much on improving their weaknesses. Improving individual performance also means celebrating your wins — no matter how big or small they are.

When you achieve a goal or improve a skill, share your success with your team. Every win counts and celebrating each one gives you the momentum you need to keep going.




With Azure AD, HYPR and FIDO Security Keys

Nobody likes passwords. They’re inconvenient. They’re a prime target for attacks. Yet for years they’ve been the most important layer of security for everything in our digital lives from email to bank accounts, shopping carts to video games.

Today you can completely remove the password from your Microsoft account. Our preferred choice is to use your mobile phone as a security key with our favorite technology, the HYPR Cloud Platform. It is designed to eliminate passwords and shared secrets across the enterprise. By removing the hackers’ primary target, HYPR forces the adversary to attack each device individually, drastically shifting the economics of an attack back in your favor.

With the HYPR platform in place you can also use a FIDO Security Key from Feitian, Yubico, Identiv or Nitrokey to sign into your favorite apps and services, such as Microsoft Outlook, Microsoft OneDrive, Microsoft Family Safety, and more.


Connect your IdP to the HYPR Platform and you will be able to roll out True Passwordless Authentication and gain fast and easy access to your apps and resources.

See the example below of how HYPR integrates with the PhenixID IdP to access Citrix with SSO using True Passwordless Authentication.


Bret Arsenault, the Chief Information Security Officer (CISO) at Microsoft says:
“Hackers don’t break in, they log in.”


Weak passwords are the entry point for the majority of attacks across enterprise and consumer accounts. There are a whopping 579 password attacks every second—that’s 18 billion every year.

Why are passwords so vulnerable? There are two big reasons:

1. Human nature

Except for auto-generated passwords that are nearly impossible to remember, we largely create our own passwords. But, given the vulnerability of passwords, requirements for them have gotten increasingly complex in recent years, including multiple symbols, numbers, case sensitivity, and disallowing previous passwords. Updates are often required on a regular basis, yet creating passwords that are both secure enough and memorable enough is a challenge. Passwords are incredibly inconvenient to create, remember, and manage across all the accounts in our lives.

Forgetting a password can be painful too. You will be shocked to learn that nearly a third of people say they completely stop using an account or service rather than dealing with a lost password. That’s not only a problem for the person stuck in the password cycle, but also for businesses losing customers.

To solve these problems and create passwords we can remember, we try to make things easier for ourselves. We often rely on familiar, personal words and phrases: pet and family names, or important dates like birthdays. We also reuse passwords across sites, and we follow formulas for creating passwords, such as Summer2021, which eventually becomes Winter2021 or Spring2022.

2. Hacker nature

Unfortunately, while such passwords may be easier to remember, they are also easier for a hacker to guess. A quick look at someone’s social media can give any hacker a head start on logging into their personal accounts. Once that password and email combination has been compromised, it’s often sold on the dark web for use in any number of attacks.

Go Passwordless Today!


The Financial Benefits of Deploying Passwordless Authentication

Password Resets


Forgot your password? The average cost in help desk labor for a password reset is $70.
A medium-sized organization can experience upwards of 10,000 resets per year.

10,000 * $70 = $700,000 lost to password resets each year.

So, how many passwords does your help desk reset?

Data Breach Risk


The global average cost of a data breach is $3.86 million.

80% of hacking-related breaches are tied to stolen or weak passwords. 
$3.86 M * 80% = $3.09 M

Reduce quantifiable breach risk by an average of $3.09 M by eliminating passwords.



33% of transactions are abandoned at checkout due to forgotten passwords.
The average online transaction value in the United States is $81.26.

A medium-sized eCommerce business processes 100,000 orders each year.
33% * (100,000 transactions * $81.26) = $2.68 million in lost revenue that can instead be retained by going passwordless.

How often are your customers abandoning their carts due to password friction?

Credential Reuse Attacks


The average cost of ATO fraud due to credential stuffing is $18,420 per account per year.
Approx. 2% of credential stuffing attempts on accounts are successful. 

A medium-sized eCommerce business has upwards of 10,000 customer accounts.
2% * (10,000 customer accounts * $18,420) = $3.68 M saved by preventing a credential stuffing attack.

How many user passwords are you storing? 

Workforce Productivity


A major bank with 100,000 tellers studied their employee login times.
Each successful workstation login averaged 5 seconds.
A teller logs onto their computer approx. 70 times each day during a full-time shift.
5s * 70 = 350 seconds * 252 work days / 3600 = 24.5 hours per employee spent logging in each year.
Passwordless can save an average of 24 Hours in productivity per employee per year.

That’s approximately 6,575 hours per day spent on typing passwords, a serious productivity loss!
If we base this on a 252-day work year and an average teller pay of $18 per hour, it amounts to
nearly $45 million in hourly wages spent on logging in for the entire year.
So, how many times a day do your employees log in?


Our partner HYPR, a leading passwordless multi-factor authentication (MFA) provider, has joined the Microsoft Intelligent Security Association (MISA), a consortium of experts from across the cybersecurity industry with the shared goal of improving customer security and confidence in digital services.

As a member, HYPR will have the opportunity to use Microsoft's security products and expanded network, while Microsoft customers will benefit from HYPR's True Passwordless MFA™ technology. HYPR's interoperability with Microsoft Azure Active Directory enables true cross-cloud, cross-platform passwordless login, including single sign-on (SSO), desktop multi-factor authentication, and mobile-to-web authentication for apps including Microsoft 365. This integration provides full protection against man-in-the-middle (MITM), credential stuffing, phishing, and mobile push fatigue attacks. The joint solution raises the bar on protecting workforce identities by requiring an attacker to target each individual device in order to cause widespread impact and damage.

"HYPR has long had the belief that passwords are archaic, costly, plagued with risk and undoubtedly the weakest link in many corporate security protocols and strategies. Joining MISA only solidifies our vision to eliminate the password, accelerate the cloud journey of our customers, while protecting their organization against vulnerabilities," said George Muldoon, Vice President of Strategic Alliances, HYPR. "We are excited to join MISA and benefit from the knowledge and resources shared by the other members of the association."

"Microsoft has been on a mission to eliminate passwords and help people protect their corporate identities," said Alex Simons, Corporate Vice President of Program Management, Microsoft Identity Division. "We are pleased to see companies like HYPR support that goal by integrating their solutions through the Microsoft Intelligent Security Association."

What is HYPR?

HYPR is a leader in Passwordless Multi-factor Authentication (MFA). 

With HYPR installed you will be able to protect workforce and customer identities with the highest level of assurance while enhancing the end users' experience. The HYPR approach shifts the economics of attack and risk in the enterprise's favor by replacing password-based MFA with Passwordless MFA.

With HYPR, customers can finally enable cross-platform desktop MFA, stop phishing, and reduce fraud associated with weak or stolen passwords.

Welcome to The Passwordless Future. It's time to reimagine identity security.
