In 2023, email-based cyber security threats reached unprecedented levels of sophistication and effectiveness. Credential phishing emerged as the dominant threat, comprising 91% of published active threat reports—a staggering 67% increase from the previous year. This surge can be attributed to the growing success of cyberattacks exploiting stolen credentials, particularly in systems lacking strong Multi-Factor Authentication (MFA).

A notable example is the Change Healthcare breach, where attackers used stolen credentials to access a server without MFA protection. This vulnerability arose during the company’s transition following its acquisition by UnitedHealth. The incident resulted in the exposure of sensitive health information for millions of Americans, highlighting the crucial importance of fundamental cyber security practices, including comprehensive password management and MFA implementation.

Do we need more than MFA?

Implementing basic security measures is crucial, but it’s only one component of a comprehensive security strategy. Complex passwords alone are insufficient; they must also be unique across platforms. This is because if one password is compromised, it could potentially expose all accounts where that password is reused—a tactic frequently exploited by threat actors.

The constant leaks of password databases underscore the critical need for password diversity. Cyber and Data Protection consistently advocate for avoiding password reuse and using password managers for enhanced protection. Some advanced password managers are now capable of scanning leaked databases and alerting users to potential vulnerabilities.

While Multi-Factor Authentication (MFA) provides an additional layer of defence, it’s not infallible and should be complemented by other security measures. MFA bypass kits now available to malicious actors, such as the Tycoon 2FA phishing kit, demonstrate that these controls can be circumvented. When users fall victim to these attacks, they unknowingly grant threat actors access to their accounts, effectively nullifying the protection MFA provides.

This development highlights the crucial role of human vigilance in cyber security. These advanced phishing kits have essentially reset the security landscape to a pre-MFA era, where the primary defence against account compromise relies heavily on an individual’s ability to recognize and avoid phishing attempts.

Staff need to stay vigilant

Threat actors continuously evolve their tactics, exploiting organisational vulnerabilities through convincing phishing emails. To counter this, organisations must adopt a holistic approach that extends beyond technical safeguards. Comprehensive security awareness training is vital to transform the workforce into a strong defence against cyber attacks.

Educating employees across all levels is one of the most impactful cyber security strategies. This training should focus on recognizing phishing attempts from seemingly credible sources. While basic cyber literacy is becoming more common, fostering a healthy scepticism towards online interactions requires sustained effort.

Organisations should implement clear reporting mechanisms and provide tools to address phishing threats swiftly. Regular training in detecting malicious messages and other social engineering strategies may significantly reduce the risk of data compromise. Promoting open communication about potential threats fosters a culture of cyber security awareness, making the whole organisation more resilient.

By investing in both technological controls and human-centric approaches, organisations can build a resilient defence system. This comprehensive strategy enhances immediate security and prepares for long-term protection against evolving threats.

Cyber and Data Protection offer dedicated cyber security and data protection training courses to help bolster your organisation’s ability to withstand potential social engineering attacks. Call us now on 01743 644 404 or email us on hello@cyber-data.co.uk to find out more.