Ciptor Security Insights
10 Steps to Improving Your Cybersecurity Performance
What are cybersecurity goals?
Is it the measurement of number of users and corresponding results compared to the number of password resets? Good cybersecurity is highly valued, but it can also be difficult to achieve for many organizations.
The key to good cybersecurity is consistency. Anyone can be the next target by cybercriminals, but a high-performing cybersecurity team can meet the future threats through different sets of cybersecurity tools in combination with a will balanced cybersecurity education and awareness program.
1. Start with the right mindset and strategy
Your mindset how you approach cybersecurity can greatly impact the outcome. If you don’t think you will be successful, you will be right. It usually takes several years to increase your cybersecurity awareness and you will achieve it with increased cybersecurity know-how inside your organization. If you aren’t there yet, try creating an annual cybersecurity-strategy-plan
Your strategy should include a vision board where you assemble pictures and phrases of what you want to achieve and why you want to achieve it. It helps you remember the WHY your organization needs to take cybersecurity seriously and it is a powerful exercise for visualizing success.
2. Improve your cybersecurity with an emphasis on your vertical market
The level of understanding you have in regards to how your business runs, gives you credibility and trust when you are positioning your product or services. When you’re looking to improve your cybersecurity performance, strengthening your cybersecurity mindset (specifically in the vertical market you are in) is critical.
Ciptor ITSAFE Cyber security Expert Tobias Gurtner says:
"You need to understand how critical your cyber defense is for your business before you can set your business goals. As a decison maker for your companies Cybersecurity, the key to success is to understand how hackers are approaching their targets, what their intentions are, and how you can accommodate and fit your cybersecurity strategy into that."
You can take small steps to improve your cybersecurity each day. Try reading credible cybersecurity publications or digging into relevant reports for deeper understanding.
3. Get organized
One of the biggest factors in cybersecurity is ensuring you are focused on the right task at the right time. Chances are if you don’t allocate time to complete work (such as putting it on your strategy) it’s unlikely to happen.
If organising isn’t your strong suit, get help quickly. Ask an organized cybersecurity team member to walk you through their workflow to give you some ideas. If you are spending mental capacity trying to juggle too many priorities, such as resetting passwords or adding users to all web and mobile applications your organization are using, it will be hard to focus on your cybersecurity goals, which can hinder your overall performance.
4. Review your role and position
As a cybersecurity leader you are assigned with a budget and activity metrics that will help your business to achieve their overall goals. Some organizations publish these numbers so CIO’s can compare their budget with high performers. Reading the data and incorporating it into daily activity is key.
Ciptor ITSAFE Cybersecurity Expert Mikael Zaman Rodin, offers this advice:
"Understand what your ‘cybersecurity macros’ are. Most people are familiar with macros, or macronutrients, in the context of healthy eating. In that instance, you track how many carbs, proteins, and fats you eat to better understand what you’re consuming and help you reach your goals. This same thought process applies to cybersecurity.
Think of your metrics and KPIs as your macros. If you don’t understand what metrics or KPIs you need to overachieve, then you’ll have a hard time measure your performance. The metrics you need to hit could be vastly different than the other reps on your team.
We once had a client that was ‘doing everything right’ but still missing a lot of tasks. We pulled some data and noticed that their password reset percentage was 50% higher than a regular client. After implementing a password self-service concept, they were able to handle all tasks on time.
Understand that your personal definition of success may be different than that of your peers. This is why knowing where you stand according to metrics that are most relevant for you is important information for improving your performance as a Cybersecurity Team.
5. Set concrete goals above and beyond
Most business want to overachieve their budget, so setting business goals that exceed expectations provides flexibility for your business. If your goals are not written down, they are not goals, they are dreams.
Defining what you would like to achieve, how you would like to achieve it, and then sharing this information within your organization will help you to reach the goals.
6. Build a business cybersecurity development plan
The great part about a cybersecurity is that there is a lot to learn. The best way to accelerate your development is to create a personal development plan that defines what cybersecurity skills you want to improve within a specific amount of time.
I suggest picking one or two specific skills and applications to focus on each month and documenting the steps you take to show improvement over time.
Work with your cybersecurity team and your suppliers to build a cybersecurity training plan to help get you to the next level – particularly if cybersecurity awareness is new in your company.
Asking your employees to fill out cybersecurity training template and to see videos for you is a concrete way to show you want to grow in your role as a cybersecurity leader.
7. Find a cybersecurity coach or mentor
Having a cybersecurity expert or confidant outside of your organization can provide valuable perspective. An experienced cybersecurity expert with relevant experience will likely have more bandwidth and valuable perspective that can support your development in ways you might miss.
8. Track your progress in quantitative and qualitative ways
Document your success. Track your cybersecurity performance on a weekly and monthly basis so you can have evidence of your progress. Additionally, tracking cybersecurity threats, authentication events, users not logged in for the past 10, 15 or 30 days, user thay have been locked out, workstation event etc... and your own progress can provide a high-level understanding of your performance and how it relates to your organization’s success.
9. Take a creative approach to problem-solving
There is no singular path to success, and your ability to think creatively can serve you well in the long run.
Ciptor ITSAFE Cybersecurity expert Mikael Zaman Rodin says:
"Your ability to think outside the box could be the difference between being hacked or not being hacked”. Your ability to think creativity does matter no matter in what stage of the cybersecurity process you are in.
One of my favorite examples of creativity is during demo prep. If we are preparing to show a customer how our platform is going to revolutionize their way of going passwordless, why not take the time to sign up them up in our demo environment. This takes only 5 minutes and provides relevant information about how we can improve their process."
As a cybersecurity leader, it’s your job to solve your business problem. The more creative you can be in your approach, the better.
10. Celebrate your wins
Your daily work is filled with ups and downs and many employees focus too much on improving their weaknesses. Improving individual performance also means celebrating your wins — no matter how big or small they are.
When you achieve a goal or improve a skill, share your success with your team. Every win counts and celebrating each one gives you the momentum you need to keep going.
GO PASSWORDLESS TODAY
With Azure AD HYPR and FIDO Security Keys
Nobody likes passwords. They’re inconvenient. They’re a prime target for attacks. Yet for years they’ve been the most important layer of security for everything in our digital lives from email to bank accounts, shopping carts to video games.
Today, you can now completely remove the password from your Microsoft account. Our preferred choice is to use your mobile phone as a security key with our favorite technology The HYPR Cloud Platform. It is designed to eliminate passwords and shared secrets across the enterprise. By removing the hackers’ primary target, HYPR forces the adversary to attack each device individually – drastically shifting the economics of an attack back in your favor.
With the HYPR platform in place you can also use a FIDO Security Key from Feitian, Yubico, Identiv or Nitrokey to sign into your favorite apps and services, such as Microsoft Outlook, Microsoft OneDrive, Microsoft Family Safety, and more.
Connect your IdP to the HYPR Platform and you will be able to rollout True Passwordless Authentication and gain fast and easy access to your apps and resources.
See example here below how HYPR is integrated with the PhenixID (IdP) to access Citrix with SSO by using True Passwordless Authentication.
Bret Arsenault, the Chief Information Security Officer (CISO) at Microsoft says:
“Hackers don’t break in, they log in.”
Weak passwords are the entry point for the majority of attacks across enterprise and consumer accounts. There are a whopping 579 password attacks every second—that’s 18 billion every year.
Why are passwords so vulnerable? - There are two big reasons
1. Human nature
Except for auto-generated passwords that are nearly impossible to remember, we largely create our own passwords. But, given the vulnerability of passwords, requirements for them have gotten increasingly complex in recent years, including multiple symbols, numbers, case sensitivity, and disallowing previous passwords. Updates are often required on a regular basis, yet to create passwords that are both secure enough and memorable enough is a challenge. Passwords are incredibly inconvenient to create, remember, and manage across all the accounts in our lives.
Forgetting a password can be painful too. You will be shocked to learn that nearly a third of people say they completely stop using an account or service rather than dealing with a lost password. That’s not only a problem for the person stuck in the password cycle, but also for businesses losing customers.
To solve these problems and create passwords we can remember, we try and make things easier for ourselves. We often rely on known and personal words and phrases. We use our pets and family names for password inspiration and important dates like birthdays. As well we are reusing passwords across sites, and we also use a formula for creating passwords, such as; Summer2021, which eventually becomes Winter2021 or Spring2022.
2. Hacker nature
Unfortunately, while such passwords may be easier to remember, they are also easier for a hacker to guess. A quick look at someone’s social media can give any hacker a head starts on logging into their personal accounts. Once that password and email combination has been compromised, it’s often sold on the dark web for use in any number of attacks.
Go Passwordless Today!
The Financial Benefits of Deploying Passwordless Authentication
Source: Adobe Stock
Forgot your password? The average cost in help desk labor for a password reset is $70.
A medium sized organization can experience upwards of 10,000 resets per year.
10,000 * $70 = $700,000 lost to password resets each year.
So, how many passwords does your help desk reset?
Data Breach Risk
Source: Adobe Stock
The global average cost of a data breach is $3.86 million.
80% of hacking-related breaches are tied to stolen or weak passwords.
$3.86m * 80% = $3.09 M
Reduce quantifiable breach risk an average of $3.09 M by eliminating Passwords.
ECOMMERCE CHECKOUT ABANDONMENT
Source: Adobe Stock
33% of transactions are abandoned at checkout due to forgotten passwords.
The average online transaction value in the United States is $81.26.
A medium-sized eCommerce business processes 100,000 orders each year.
33% (100,000 transactions * $81.26) = $2.68 million in lost revenue can instead be generated by going Passwordless
How often are your customers abandoning their carts due to password friction?
Credential Reuse Attacks
Source: Adobe Stock
The avg cost of ATO fraud due to credential stuffing is $18,420 per account per year.
Approx. 2% of credential stuffing attempts on accounts are successful.
A medium-sized eCommerce business has upwards of 10,000 customer accounts.
2% * (10,000 customer accounts * $18,420) = $3.68 M saved by preventing a credential stuffing attack.
How many user passwords are you storing?
Source: Adobe Stock
A major bank with 100,000 tellers studied their employee login times.
Each successful workstation login averaged 5 seconds.
A teller logs onto their computer approx. 70 times each day during a full-time shift.
5s * 60 = 300 seconds * 252 Work Days / 3600 = 24.5 hoursper employee spent logging in each year.
Passwordless can save an average of 24 Hours in productivity per employee per year.
That’s approximately 6,575 hours per day spent on typing passwords — talk about productivity losses!
If we base this off a 252-day work year, and an average teller pay of $18 per hour, it amounts to
nearly $45 million in hourly wages spent on logging in for the entire year.
So, how many times a day do your employees log in?
Our partner HYPR, a true leading passwordless multi-factor authentication (MFA) provider, has joined the Microsoft Intelligent Security Association (MISA), a consortium of experts from across the cybersecurity industry with the shared goal of improving customer security and confidence with digital services.
As a member, HYPR will have the opportunity to use Microsoft's security products and expanded network, while Microsoft customers will benefit from HYPR's True Passwordless MFA™ technology. HYPR's interoperability with Microsoft Azure Active Directory enables true cross-cloud, cross-platform passwordless login, including single sign-on (SSO), desktop multi-factor authentication, and mobile-to-web authentication for apps including Microsoft 365. This integration provides full protection against man-in-the-middle (MITM), credential stuffing, phishing, and mobile PUSH fatigue attacks. This joint solution raises the bar on protecting workforce identities by requiring the attacker to target each individual device, to cause widespread impact and damage.
"HYPR has long had the belief that passwords are archaic, costly, plagued with risk and undoubtedly the weakest link in many corporate security protocols and strategies. Joining MISA only solidifies our vision to eliminate the password, accelerate the cloud journey of our customers, while protecting their organization against vulnerabilities," said George Muldoon, Vice President of Strategic Alliances, HYPR. "We are excited to join MISA and benefit from the knowledge and resources shared by the other members of the association."
"Microsoft has been on a mission to eliminate passwords and help people protect their corporate identities," said Alex Simons, Corporate Vice President of Program Management, Microsoft Identity Division. "We are pleased to see companies like HYPR support that goal by integrating their solutions through the Microsoft Intelligent Security Association."
What is HYPR
HYPR is a leader in Passwordless Multi-factor Authentication (MFA).
With HYPR installed you will be able to protect workforce and customer identities with the highest level of assurance while enhancing the end users' experience. The HYPR approach shifts the economics of attack and risk in the enterprises' favor by replacing password-based MFA with Passwordless MFA.
With HYPR, customers can finally enable cross-platform desktop MFA, stop phishing, and reduce fraud associated with weak or stolen passwords.
Welcome to The Passwordless Future. It's time to reimagine identity security.
Bank of America customers can now use SecurityKey's for Extra Security for Sign-on and Bank Transfers.
Bank of America announced last month that starting June 23rd, 2021, it will support FIDO2 certified USB security keys, including FEITIAN Security Keys, to increase the security of its users and help protect customers against fraud and identity theft.
Bank of America will support registering your USB security key to your account, online banking authentication and an extra layer of security for adding transfer recipients to your account and completing money transfers.
The support for FEITIAN FIDO2 certified security keys for sign-in authentication and completing money transfers is a major security milestone for financial institutions. Read more.
Benefits of using a security key for online banking
- Extra layer of security for account sign-in and online banking
- Using a security key Increase limits for certain transfer types
- Extra security for higher value money transfers
- Use Secured Transfer internationally if you don’t have a U.S. based mobile number. USB security keys are an optional alternative to SMS-based one-time security codes if you do not have access to a U.S. mobile phone number or can’t receive texts to your phone.
- USB security keys are a more secure alternative to SMS-based one-time security codes. If you don’t have a domestic mobile phone number or can’t receive security codes via text, you can use FEITIAN USB security keys that plugs into your computer.
Security Key FAQS
What is a USB security key?
A USB security key plugs into your computer’s USB port and functions as an extra layer of security that’s used in Online Banking to increase limits for certain transfer types.
Why do I need a USB security key?
USB security keys are an optional alternative to SMS-based one-time security codes if you do not have access to a U.S. mobile phone number or can’t receive texts to your phone.
Where can I get a USB security key?
USB security keys can be purchased from our online store: www.it-safe.shop
How do I register my USB security key?
You will be able to register your USB security key beginning June 21.
How do I use my USB security key when making a transfer?
When prompted for your USB security key, all you need to do is tap the button on the key already inserted into your USB port, allow the browser to read your device and continue with your transfer.