"It Won't Happen to Us" Is Not a Cybersecurity Plan

There is a quiet assumption running through most organisations' approach to data security and data breaches. It’s not official policy, but it shapes decisions, budgets, and priorities more than anything else.

“It won't happen to us.”

Someone else's credentials will get stolen. Someone else's customer database will get breached.
Not us. We have an IT department, and we run phishing simulations.

We call this the ostrich strategy. And it is the dominant approach to cybersecurity in organisations of every size, across every industry.

Credential stuffing tools run billions of login attempts per day. Phishing kits are sold as a service, complete with customer support. Adversary-in-the-Middle (AitM) attack frameworks can be deployed by someone with no meaningful technical background. The infrastructure to attack your organisation exists, it is cheap, and it is running right now.

In this environment, "we haven't been hit yet" is not evidence of good security, and luck is not a strategy.

What does the Ostrich Strategy look like in practice?

It looks like deploying SMS-based two-factor authentication and announcing that you now have MFA, without acknowledging that SMS codes are intercepted in real time by the same AitM kits that any attacker can get over a weekend.

It looks like running phishing simulation training every quarter, showing employees a graph of who clicked the fake link, and calling it a security programme. As if the solution to a technical vulnerability is to make the humans more perfect.

It looks like an incident response plan that is more of a PR investment than a security control that would have stopped the attacker from getting in.

It looks like assuming that because a breach has not happened yet, the current approach is working.

The breach already happened. You just don't know yet.

The average time between an initial compromise and its discovery is measured in months, not days. By the time an organisation knows it has been breached, the attacker has typically had weeks or months of access, exfiltrating data, mapping infrastructure, escalating privileges.

Burying your head in the sand does not change the facts around you.

The solution lies in removing the attack surface.

Passwords were not created for today’s internet; they were made for closed networks.
Phishing works because it targets a weak authentication layer, one that depends on a human correctly identifying an invisible threat in real time, every time they log in. That is not a reasonable expectation.

Phishing-resistant authentication does not ask employees to be security experts. It removes the credential from the equation entirely. A hardware-based FIDO2 security key performs a challenge-response authentication that is cryptographically bound to the registered origin of the site. A fake login page would look authentic to the human, but because credentials are tied to the legitimate domain at registration, the authenticator will find no matching credential for the phishing origin.

It leaves no password to steal, no OTP to intercept, no session token to hijack in transit.
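To make the origin-binding argument above concrete, here is an added toy model of the login ceremony. It is not Spear Innovations' code and not a real FIDO2/WebAuthn library: the origins, the username and the look-alike domain are constructed, and an HMAC over a per-credential secret shared at enrolment stands in for the per-credential asymmetric key pair a real security key uses. What it shows is the two checks that keep a phishing page empty-handed: the browser refuses to let a look-alike origin request the real site's RP ID, and the authenticator has no credential for the look-alike's own RP ID, so the relayed challenge never gets a signed answer.

```python
"""Toy model of FIDO2/WebAuthn origin binding (constructed teaching example).

Not a real FIDO2 library.  The signature is an HMAC with a per-credential
secret shared at enrolment, standing in for the asymmetric key pair a real
authenticator holds; the origin-scoping logic is the point of the example.
"""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse


def rp_id_for_origin(origin: str) -> str:
    """Host part of an https origin, e.g. https://login.example.com -> login.example.com."""
    return urlparse(origin).hostname


class Authenticator:
    """Security key: every credential is stored under the RP ID it was created for."""

    def __init__(self):
        self.credentials = {}  # (rp_id, credential_id) -> secret

    def register(self, rp_id: str):
        cred_id = secrets.token_hex(8)
        secret = secrets.token_bytes(32)
        self.credentials[(rp_id, cred_id)] = secret
        return cred_id, secret  # the secret models the public key handed to the RP

    def get_assertion(self, page_origin: str, rp_id: str, challenge: str, allow_list):
        # Browser-side rule: a page may only use an RP ID that is its own host or a
        # registrable suffix of it.  A look-alike domain fails right here.
        host = rp_id_for_origin(page_origin)
        if host != rp_id and not host.endswith("." + rp_id):
            raise PermissionError(f"{page_origin} may not use RP ID {rp_id}")
        # Authenticator-side lookup: only credentials created for this RP ID qualify.
        match = next((cid for cid in allow_list if (rp_id, cid) in self.credentials), None)
        if match is None:
            return None  # no credential for this origin: the key stays silent
        # The signed client data carries the origin the browser actually saw.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
            sort_keys=True,
        ).encode()
        sig = hmac.new(self.credentials[(rp_id, match)], client_data, hashlib.sha256).hexdigest()
        return {"credential_id": match, "client_data": client_data, "signature": sig}


class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self.rp_id = rp_id_for_origin(origin)
        self.users = {}    # username -> {credential_id: secret}
        self.pending = {}  # username -> outstanding challenge

    def enroll(self, username: str, authenticator: Authenticator):
        cred_id, secret = authenticator.register(self.rp_id)
        self.users.setdefault(username, {})[cred_id] = secret

    def begin_login(self, username: str):
        challenge = secrets.token_hex(16)
        self.pending[username] = challenge
        return {"challenge": challenge, "rp_id": self.rp_id, "allow": list(self.users[username])}

    def finish_login(self, username: str, assertion) -> bool:
        expected_challenge = self.pending.pop(username, None)
        if assertion is None or expected_challenge is None:
            return False
        data = json.loads(assertion["client_data"])
        if data.get("type") != "webauthn.get" or data.get("origin") != self.origin:
            return False  # signed origin must be ours, so a relayed assertion is useless
        if data.get("challenge") != expected_challenge:
            return False  # fresh challenge defeats replay
        secret = self.users[username].get(assertion["credential_id"])
        if secret is None:
            return False
        expected_sig = hmac.new(secret, assertion["client_data"], hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected_sig, assertion["signature"])


REAL_ORIGIN = "https://login.example.com"   # constructed
PHISH_ORIGIN = "https://login-examp1e.com"  # constructed look-alike domain


def legitimate_login() -> bool:
    key, rp = Authenticator(), RelyingParty(REAL_ORIGIN)
    rp.enroll("alice", key)
    opts = rp.begin_login("alice")
    assertion = key.get_assertion(REAL_ORIGIN, opts["rp_id"], opts["challenge"], opts["allow"])
    return rp.finish_login("alice", assertion)


def aitm_phishing_login() -> dict:
    """An AitM proxy relays the real site's challenge to a victim on the look-alike page."""
    key, rp = Authenticator(), RelyingParty(REAL_ORIGIN)
    rp.enroll("alice", key)
    opts = rp.begin_login("alice")  # fetched from the real site by the proxy
    try:  # attempt 1: the phishing page asks for the real RP ID; the browser refuses
        key.get_assertion(PHISH_ORIGIN, opts["rp_id"], opts["challenge"], opts["allow"])
        browser_refused = False
    except PermissionError:
        browser_refused = True
    # attempt 2: it asks for its own RP ID; the key holds no credential for it
    assertion = key.get_assertion(PHISH_ORIGIN, rp_id_for_origin(PHISH_ORIGIN),
                                  opts["challenge"], opts["allow"])
    return {"browser_refused": browser_refused, "assertion": assertion,
            "relayed_login_succeeds": rp.finish_login("alice", assertion)}


if __name__ == "__main__":
    print("legitimate login:", legitimate_login())
    print("AitM phishing attempt:", aitm_phishing_login())
```

Run it and the legitimate ceremony succeeds while the phishing ceremony produces no assertion at all; there is nothing for the proxy to relay, which is the property the paragraph above describes. In a real deployment the relying party additionally verifies the authenticator's signature with the public key stored at enrolment rather than a shared secret.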

The question is not “Will we be attacked?”

The question is: “Do we have the proper structure to counter an attack?”

Hoping for the best is not a plan. Removing the attack surface is.

Spear Innovations provides phishing-resistant FIDO2 authentication solutions for enterprises, including SpearID® hardware security keys designed and manufactured in Finland. If you want to move from hoping to hardened, contact us.
