There was a time when identity management was limited to controlling access to resources within a single security domain. But internal users now access external resources and external users access internal resources. Traditional approaches to identity management show their limitations.
In this context, many organizations are turning to identity federation to facilitate user work across multiple systems, while reducing the administrative burden of managing access to these systems.

Identity federation links a user’s identity across multiple security domains, each with its own identity management system. When two domains are federated, the user can authenticate to one domain and then access the resources in the other domain without having to authenticate a second time.
Identity federation allows administrators to solve many problems related to access to distributed resources across multiple domains. For example, it is not necessary to set up a specialized system to facilitate access to resources external to the organization.
To take advantage of these benefits, it is necessary to implement a complete management of the identity federation. This generic term covers the process of administering all elements associated with a complete identity federation platform. This includes not only the technologies that make federation possible, but also the agreements, rights management, standards and other elements that define how the service is implemented.
For the federation to work, all parties involved must agree on these elements: which identification attributes to include (such as email, name and job title), how to represent these attributes internally, and which standard to use to exchange authentication and authorization data. In this regard, the Security Assertion Markup Language (SAML) standard is widely used.

Identity federation management can also be applied to a single organization that manages multiple security domains. It is a relatively young technology, and its exact meaning is still evolving, so that the particularities may vary from one source to another.
Finally, if federated and local authentication must coexist, the options must be clear and the procedures must be intuitive and easy to understand.
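The relying-party side of the exchange described above, as an added example that is not part of the original post: a service provider in one domain receives a SAML assertion issued by the partner domain's identity provider and decides whether to accept it. The issuer entityID, audience URI and attribute names are hypothetical, and the sample assertion is constructed. XML-DSig signature verification is deliberately left to a dedicated XML security library; this check must only be run on an assertion whose signature has already been verified against the partner's certificate.

```python
"""Service-provider checks on a SAML 2.0 assertion from a federated partner.

Added example, not code from the page. Issuer, audience and attribute names
are hypothetical. Run only after the assertion's XML signature has been
verified with an XML security library; that step is not implemented here.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Federation agreement (hypothetical values): who may issue assertions for us,
# which audience URI identifies our service, and which attributes we exchange.
TRUSTED_ISSUERS = {"https://idp.partner.example/metadata"}
OUR_AUDIENCE = "https://sp.ourcompany.example/saml"
AGREED_ATTRIBUTES = {"email", "name", "title"}

# Constructed sample assertion as a partner IdP might issue it (signature omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-001" Version="2.0" IssueInstant="2019-06-12T10:00:00Z">
  <saml:Issuer>https://idp.partner.example/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@partner.example</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2019-06-12T09:59:00Z" NotOnOrAfter="2019-06-12T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.ourcompany.example/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@partner.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="name"><saml:AttributeValue>Alice Martin</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="title"><saml:AttributeValue>Buyer</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="shoe_size"><saml:AttributeValue>38</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_instant(value):
    """SAML timestamps are xsd:dateTime in UTC; return an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, our_audience, now,
                       clock_skew=timedelta(seconds=60)):
    """Return the agreed attributes if the assertion is acceptable, else raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML assertion")

    # 1. Only an identity provider we federated with may vouch for a user.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in trusted_issuers:
        raise ValueError("untrusted issuer: %s" % issuer)

    # 2. Validity window, with a small tolerance for clock drift between domains.
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("missing Conditions")
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now < parse_instant(not_before) - clock_skew:
        raise ValueError("assertion not yet valid")
    if not_on_or_after and now >= parse_instant(not_on_or_after) + clock_skew:
        raise ValueError("assertion expired")

    # 3. The assertion must be addressed to us, not to some other service provider.
    audiences = [a.text.strip() for a in
                 conditions.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if our_audience not in audiences:
        raise ValueError("assertion not addressed to this service provider")

    # 4. Keep only the attributes the federation agreement defines; ignore the rest.
    attrs = {}
    for attribute in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attribute.get("Name")
        if name in AGREED_ATTRIBUTES:
            attrs[name] = attribute.findtext("saml:AttributeValue", default="", namespaces=NS)
    missing = AGREED_ATTRIBUTES - attrs.keys()
    if missing:
        raise ValueError("missing agreed attributes: %s" % sorted(missing))
    return attrs


def check_sample(now_iso, audience=OUR_AUDIENCE):
    """Validate the sample at a given UTC instant; return the attributes or the error text."""
    try:
        return validate_assertion(SAMPLE_ASSERTION, TRUSTED_ISSUERS, audience, parse_instant(now_iso))
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(check_sample("2019-06-12T10:01:00Z"))
    print(check_sample("2019-06-12T10:07:00Z"))
```

Note that the unexpected `shoe_size` attribute is dropped rather than stored: the federation agreement, not the partner, decides which attributes enter our identity store.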

The federation of identities: an impact multiplier?

In an identity federation scheme, one might think that if a user's identity is compromised, that user's access to every application in the perimeter is affected, and that an incident on the authentication component affects all users. The walls inside the information system can be seen as thinner, and the load carried by authentication heavier. Identity federation can thus be seen as a factor multiplying the impact of a possible attack, which makes strengthening the security of authentication essential.
In reality, identity federation should rather be seen as something that simplifies the IS, and structural or protocol vulnerabilities are rare. Identities and entitlements are administered centrally, and users no longer have to juggle a multitude of identifiers and passwords (sometimes auto-synchronised). These projects require strong involvement from all of the company's business lines, but they simplify the user experience and can help enforce security constraints specific to particular sectors and businesses.

The common goal is to reconcile security, simplicity and technological innovation; identity federation is, and will undoubtedly remain, at the heart of single sign-on in the years to come.

Aircraft equipment manufacturer ASCO Industries, located in Zaventem, is at a standstill. The group, which makes parts for giants such as Boeing and Airbus, was the victim of a hacking attack on Friday. All production has stopped internationally: in Belgium, but also in subsidiaries in Germany, the United States and Canada. At the Zaventem site alone, more than 1000 people were put out of work on Tuesday and Wednesday.

Unlike aluminum producer Norsk Hydro, which was hit by a similar ransomware attack earlier this year and provided constant updates about the incident, ASCO has been very quiet about what happened. The name of the ransomware strain that infected the company’s Belgian plant has not been made public.

How can MFA prevent ransomware attacks?

Ransomware is the fastest growing attack vector targeting all sorts of companies, institutions and organizations. It is a type of malware that accesses a victim’s files, locks and encrypts them, and then demands that the victim pay a ransom to get them back. Ransomware is the digital version of the mafia’s demands for protection money, a “digital kidnapping” of valuable data, from personal photos and memories to client information, financial records and intellectual property. Most ransomware gains access by hijacking static passwords, and among the best practices for mitigating such attacks, adopting stronger authentication with a second factor is one of the most effective. Passwords are convenient and tried-and-tested when it comes to securing online accounts and digital data, but their major downside is their susceptibility to theft through spyware or trickery. Two-factor authentication (2FA) is a good defense against account compromise because it adds another layer of protection after the password, usually by combining one factor (your password) with a second factor (a text message or verification code sent to your cell phone, or a push notification).

Microsoft has released a patch for the BlueKeep vulnerability for Windows 7 and, unusually, for Windows XP as well. The flaw is being taken so seriously that it has alarmed the US National Security Agency (NSA).

In mid-May, Microsoft issued a security alert for a remote code execution vulnerability with the reference CVE-2019-0708, dubbed BlueKeep. This vulnerability can affect Windows 7, Windows XP, Windows 2003, Windows Server 2008 R2, and Windows Server 2008. Microsoft released a BlueKeep patch for Windows 7 and another patch for Windows XP.


Microsoft strongly recommends that users apply it to the affected systems. Indeed, code written to exploit the vulnerability could spread pre-authentication, without any user interaction. “These reproduction conditions are ideal for the propagation of a worm that looks like WannaCry,” Microsoft warned. In 2017, WannaCry disabled millions of computers in a single, very widespread attack, infecting machines with ransomware. The NSA fears that this will happen again. “This kind of vulnerability is more and more commonly exploited by attackers who use malicious code that specifically targets the vulnerability,” the US security agency wrote. “The vulnerability could for example be exploited to conduct denial of service attacks.”

Will exploit code soon spread on a large scale?

The NSA estimates that remote exploit code for this vulnerability will be widely available within a short time. The agency fears that attackers will use the vulnerability in ransomware and in exploit kits alongside other known exploits, increasing their capacity to harm other unpatched systems.

Although the vulnerability was discovered more than two weeks ago, Microsoft notes that cybercriminals rarely act that quickly. For example, two months elapsed between the discovery of the EternalBlue vulnerability, which set the stage for the WannaCry attacks, and the moment when attackers began exploiting it. “Even though they have about 60 days to update their systems, many customers have not yet done so,” said Microsoft. Naturally, the vendor takes the opportunity to encourage customers to migrate from their old operating systems to its latest system, Windows 10.

Windows 8/10 versions not affected

While the Redmond firm has made the unusual decision to deliver a BlueKeep patch for Windows XP, support for Windows 7 ends next January. “Customers running Windows 8 and Windows 10 are not affected by this vulnerability, and it’s no coincidence that later versions of Windows are not affected,” Microsoft wrote, seizing the opportunity. “Microsoft is investing heavily in enhancing the security of its products, often through major architectural improvements that previous versions of Windows cannot take advantage of.”

The banking industry and online merchants are fighting against fraud by developing fraud detection systems that are increasingly subtle and complex.

Because of our online habits and the number of transactions carried out over the internet, they created the concept of digital identity to reinforce the level of online protection. In other words, fraud detection systems build digital fingerprints of real users in order to better recognize fraudsters. The process combines various elements that help determine your identity. For instance, before validating an online transaction, they do not just check the card number, the expiry date and the security code (cryptogram). They also comb through the user’s identity and behavior, using statistical analysis and artificial intelligence: Where is the user connecting from? At what time is the purchase made? Which browser is used? In which shop? What is the order history? What are the technical characteristics of the screen and the computer? And so on. If something does not fit, the transaction is rejected or a manual check is triggered (a phone call, for example).


Cybercriminals naturally reacted to this manoeuvre. To remain under the radar of detection systems, the fraudster assembles a fake digital identity that is as close as possible to the cardholder’s: an IP address from the same country or city, the same browser version, the same screen, the same way of navigating, and so on. The ideal is obviously to have the identity of a real person. These identities can be purchased on the Darknet. According to Kaspersky’s security researchers, the largest marketplace of its kind is called Genesis, an invitation-only site with more than 60,000 fingerprints for sale.


Using a Genesis digital identity is not complicated: buy it and load a browser extension provided for the purpose, available for Chromium-based browsers. From that moment on, it is as if the criminal had put on a mask: his online behaviour now impersonates the stolen identity. If the mask is of good quality, he can make a fraudulent purchase without raising an alarm.

It is in this context, faced with these impersonations, that the notion of strong authentication becomes relevant. Indeed, it would be sufficient for all transactions to be systematically validated by a second authentication factor to render digital-identity fraud, in the form described here, ineffective. The strong authentication required by the second Payment Services Directive (PSD 2) therefore obliges banks to set up a procedure that seems to be the only way to really fight digital-identity fraud.
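The two ideas above, fingerprint comparison and systematic step-up to a second factor, as an added example that is not part of the original post. The cardholder profile, the transactions, the weights and the thresholds are all constructed and hypothetical; a real fraud engine learns them from history. The point the code makes is the one in the paragraph: a scoring system that trusts a matching fingerprint approves a transaction made with a copied identity, whereas a policy that always demands a second factor does not.

```python
"""Fingerprint scoring and step-up decision for a card-not-present transaction.

Added example, not code from the page. Profile fields, weights and
thresholds are hypothetical; sample transactions are constructed.
"""
from datetime import datetime

# Constructed profile of the legitimate cardholder, learned from past sessions.
KNOWN_PROFILE = {
    "country": "FR",
    "city": "Lyon",
    "browser": "Chrome/74",
    "screen": "1920x1080",
    "usual_hours": range(7, 23),                    # local hours they normally buy in
    "usual_shops": {"shop-a.example", "shop-b.example"},
    "avg_basket": 60.0,
}

# Contribution of each mismatch to the risk score (hypothetical weights).
WEIGHTS = {"country": 40, "city": 10, "browser": 15, "screen": 15,
           "hour": 10, "shop": 10, "amount": 20}

# Constructed transactions: one from the real cardholder's usual context, one
# from a clearly different context, one from the usual context but unusual
# merchant and amount.
GENUINE_TX = {"country": "FR", "city": "Lyon", "browser": "Chrome/74", "screen": "1920x1080",
              "time": "2019-05-03T18:30:00", "shop": "shop-a.example", "amount": 45.0}
MISMATCHED_TX = {"country": "US", "city": "Miami", "browser": "Firefox/66", "screen": "1920x1080",
                 "time": "2019-05-03T03:12:00", "shop": "shop-a.example", "amount": 55.0}
UNUSUAL_TX = dict(GENUINE_TX, shop="shop-z.example", amount=250.0)


def score_transaction(profile, tx):
    """Compare the transaction context with the stored fingerprint; return (score, reasons)."""
    score, reasons = 0, []
    for field in ("country", "city", "browser", "screen"):
        if tx[field] != profile[field]:
            score += WEIGHTS[field]
            reasons.append("%s mismatch" % field)
    hour = datetime.fromisoformat(tx["time"]).hour
    if hour not in profile["usual_hours"]:
        score += WEIGHTS["hour"]
        reasons.append("unusual hour")
    if tx["shop"] not in profile["usual_shops"]:
        score += WEIGHTS["shop"]
        reasons.append("new merchant")
    if tx["amount"] > 3 * profile["avg_basket"]:
        score += WEIGHTS["amount"]
        reasons.append("amount far above average basket")
    return score, reasons


def decide(profile, tx, always_sca=True):
    """Map the score to an action.

    With always_sca=True (the PSD 2 stance) a matching fingerprint alone never
    approves: the second factor is still required, so a copied identity that
    scores 0 gains nothing. With always_sca=False the engine behaves like a
    fingerprint-only system and approves a perfect match.
    """
    score, reasons = score_transaction(profile, tx)
    if score >= 60:
        action = "reject_or_manual_review"
    elif score >= 25 or always_sca:
        action = "require_second_factor"
    else:
        action = "approve"
    return {"score": score, "reasons": reasons, "action": action}


if __name__ == "__main__":
    for name, tx in (("genuine", GENUINE_TX), ("mismatched", MISMATCHED_TX), ("unusual", UNUSUAL_TX)):
        print(name, "fingerprint-only:", decide(KNOWN_PROFILE, tx, always_sca=False)["action"],
              "| with SCA:", decide(KNOWN_PROFILE, tx)["action"])
```

The `MISMATCHED_TX` case is what fingerprinting is good at; the contrast between the two `GENUINE_TX` decisions is what the paragraph is about, since a purchased identity produces exactly that perfect match.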

The world of banking is changing and the European institutions are leading this revolution, but we decided to ask ourselves a simple question: are banks following this movement? We will first take a look at the French banking system.

It all started when the European Union adopted two directives on payment services: the PSD 1 adopted on November 13 2007 and the PSD 2 adopted on November 25 2015. The main objectives of the PSD1 were to harmonize the legal framework for payment and the creation of the SEPA space. The PSD 2, for its part, was introduced as part of the implementation of the connected digital single market (one of the top ten priorities of the EC’s working program for the period 2014-2019). The objective is to foster the opening of the payments market, mainly occupied by banks, to new payment service providers (PSPs) while strengthening the security of users. With the PSD 2, the security of the payment must be reinforced with strong authentication (SCA – Strong Customer Authentication) which requires the use of at least two authentication factors.


Before the full implementation of the Directive (in September 2019), the PSD 2 timetable includes a number of intermediate steps. The last deadlines are those already passed on March 14, 2019 and April 14, 2019. On March 14, the banks had to have made available a test API portal dedicated to developers.

[Image: les-API-des-banques.png]

But going to these API portals is not easy. Thanks to the investigative work of the JDN who contacted the big French banks to know if they have deployed their portal, the address of it and how many APIs have been put online, we have a global overview of the French banking landscape with PSD 2 opening requirements.

Compliance with the calendar by the French banks must not, however, hide the fact that quantity does not guarantee quality. The JDN points out that the three main French aggregators are not fully satisfied with the proposed APIs, often because they are incomplete. From a technical point of view, the APIs also seem to fall short: third-party providers (TPPs) have more demanding criteria than banks when it comes to APIs.


This test period was to last one month. Since April 14, 2019, as the Prudential Supervisory Authority reminds, the banks have had to provide an “API meeting the conditions of extended use as defined by the security standards and guidelines of the EBA (the French banking authority, editor’s note)”. It would therefore seem that French banks are following the PSD 2’s demanding API schedule but are not yet at the level of market expectations in terms of quality.

It has been a year since Google launched a USB security key and a Bluetooth security key to raise the level of security for its users when signing in to online services. These keys use the U2F protocol, which ensures that a new authentication key is generated each time a service is connected.

This Wednesday, May 15, the firm revealed on its security blog that a security flaw had been discovered in the Bluetooth Low Energy (BLE) version of its Titan security keys, and offered to replace the defective units.

Google refers to a misconfiguration in the Bluetooth pairing protocols that could allow an attacker in physical proximity (within about 10 meters) to communicate with the security key, or with the device to which the key is connected.

The Mountain View firm nevertheless assures that “for the wrong configuration to be exploited, an attacker would have to align a series of events in close coordination”. The point of this explanation is that, despite the existence of the vulnerability, a malicious person would have to combine a number of conditions to take advantage of it; in other words, it is unlikely that the flaw has been exploited. Google also indicates that, to exploit the flaw, a malicious actor would additionally need the target’s username and password.

Google is trying to reassure its users: “This security issue does not affect the primary purpose of security keys, which is to protect against phishing by a remote attacker.” It continues: “Security keys remain the most effective protection against phishing; it is always safer to use a key with this problem than to disable 2-Step Verification (2SV) on your Google Account or switch to a less phishing-resistant method (SMS or prompts sent to your device, for example).” The firm also insists that this issue does not affect its USB and NFC security keys, but only the Bluetooth Low Energy (BLE) version of its Titan security key.

To conclude, Google is offering a replacement key to all holders of a defective unit, identified by a small “T1” or “T2” marking on the back.

At Google Cloud Next 2019 today, Google announced phones running Android 7.0 Nougat and higher can now double as a Fast Identity Online (FIDO) security key. You can thus use your Android phone to protect your personal Google account, and your G Suite, Cloud Identity, and Google Cloud Platform work accounts. (Android tablets aren’t supported — Google specifically limited the functionality since users are more likely to have phones with them.)

This means Android phones can move from two-step verification (2SV) to two-factor authentication (2FA). 2SV is a method of confirming a user’s identity using something they know (password) and a second thing they know (a code sent via text message). 2FA is a method of confirming a user’s identity by using a combination of two different factors: something they know (password), something they have (security key), or something they are (fingerprint).

Why security keys are superior

Using 2FA means a remote hacker can’t use phishing to trick you into handing over your online credentials. 2SV — entering a code sent via a text, mobile app, or push notification — is better than just using a password. But 2FA via a security key or phone is even better.

“It’s a second thing that I carry around with me wherever I want to login somewhere and I need to prove my identity by having this thing in my hand,” Google product manager Christiaan Brand explains. “But it’s doing something for us. It’s proving that I’m at the correct website at the point in time when I am trying to login. So the solution here really is that security keys prevent you from sending your credentials to a phishing website.”

“You’re trying to sign in, you’re on a site that looks exactly like the real Google; however, your login will not succeed if you use the security key, because the security key will block it as you’re on an incorrect website,” Brand continues. “All other forms of 2SV have levels of assurance that the fundamental problem with them are that you can still fall victim to phishing. You can still be tricked into entering all of your credentials, be it your username, your password, and your one-time password, even approve a mobile login using Postgres technology, because there is no way that your browser on your local machine knows that you’re being duped into revealing your credentials to an incorrect website.”

FIDO security keys prevent your account from being phished by requiring you to plug in and tap your physical device. Google wants to bring those benefits to more people by having Android phones act as security keys.

How Android phone security keys work

Unlike other similar technologies, Google’s solution has a local requirement. “The big difference here is that local proximity,” Brand emphasized. “The fact that your browser on your machine and your phone communicate using a local protocol and does not go via the cloud. All other push-based technology so far is kind of based on the fact that there’s a message being sent throughout the cloud. Here, we’re saying no, the message will be local. And that is essential to this phishing resistance. Having this local protocol between the two devices is what makes this technology strongly resistant to phishing.”

FIDO’s proximity requirement ensures that the user trying to login and the security key are in the same location. With security keys, that is accomplished via the USB port or via Bluetooth. With Android phone security keys, Google chose Bluetooth for convenience purposes.

“Asking the user to have a cable ready that’ll fit both their device and the machine they’re trying to sign in at some point in time almost takes away all the convenience of being able to use your phone,” Brand noted. “The chance that you have your phone there is very, very high. But the chance that you have the exact correct cable is very low. At that point in time, it might just be the same as having to carry around a physical security key.”

Google’s solution uses the FIDO protocol between your computer and phone (CTAP API), and also requires that the browser tell the phone which website the user is viewing (WebAuthn). The company further used the available extension mechanism to build a local proximity protocol on top of Bluetooth. Called cloud-assisted Bluetooth Low Energy (caBLE), the extension doesn’t require pairing, installing an app, or plugging anything in.
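The mechanism Brand describes (the browser tells the authenticator which site it is on, and a credential registered for the real site is useless on a look-alike) as an added example, not Google's or the FIDO Alliance's code. It simulates the three parties of a WebAuthn login with the standard library only: the browser builds `clientDataJSON` from the origin it is actually on and derives the RP ID from it, the phone signs over the RP ID hash and the client data hash, and the relying party checks origin, challenge, RP ID hash, user presence and signature counter before the signature. The origin, RP ID and credential are constructed, and the authenticator "signature" is an HMAC with a per-credential key shared with the RP, standing in for the ECDSA private/public key pair a real authenticator uses.

```python
"""Why a FIDO/WebAuthn login fails on a look-alike site: origin binding.

Added example, not code from the page. Origin, RP ID and credential are
constructed. The HMAC stands in for the authenticator's private-key signature.
"""
import hashlib
import hmac
import json
import os
import struct
from urllib.parse import urlparse

RP_ID = "accounts.example"                # relying party identifier (hypothetical)
RP_ORIGIN = "https://accounts.example"    # the only origin the RP accepts
FLAG_UP = 0x01                            # authenticatorData flag: user presence (the tap)

# Authenticator (phone) state: one credential per RP ID it was registered with.
AUTHENTICATOR = {"credentials": {RP_ID: os.urandom(32)}, "sign_count": 0}
# Relying-party state: verification key for the credential and last seen counter.
RP_STATE = {"key": AUTHENTICATOR["credentials"][RP_ID], "last_count": 0}


def browser_client_data(challenge, origin):
    """The browser builds clientDataJSON from the origin it is really on; a page cannot lie here."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def authenticator_sign(rp_id, client_data):
    """Phone side (carried locally over CTAP): sign rpIdHash || flags || counter || hash(clientData).
    Returns None when no credential exists for this RP ID, which is what happens on a phishing site."""
    key = AUTHENTICATOR["credentials"].get(rp_id)
    if key is None:
        return None
    AUTHENTICATOR["sign_count"] += 1
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([FLAG_UP]) + struct.pack(">I", AUTHENTICATOR["sign_count"]))
    signed = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(key, signed, hashlib.sha256).digest()


def rp_verify(expected_challenge, client_data, auth_data, signature):
    """Relying-party checks in the order a WebAuthn server performs them."""
    client = json.loads(client_data)
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay?)"
    if client.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: assertion produced on %s" % client.get("origin")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & FLAG_UP:
        return False, "user presence not asserted"
    count = struct.unpack(">I", auth_data[33:37])[0]
    if count <= RP_STATE["last_count"]:
        return False, "signature counter did not increase (cloned credential?)"
    signed = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(RP_STATE["key"], signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    RP_STATE["last_count"] = count
    return True, "ok (counter=%d)" % count


def login_attempt(browser_origin, rp_id=None):
    """Full ceremony from the browser on browser_origin. rp_id is normally derived from
    that origin; passing it explicitly only serves to show the RP's own origin check."""
    challenge = os.urandom(16).hex()
    rp_id = rp_id or urlparse(browser_origin).hostname
    client_data = browser_client_data(challenge, browser_origin)
    result = authenticator_sign(rp_id, client_data)
    if result is None:
        return False, "authenticator has no credential for %s" % rp_id
    auth_data, signature = result
    return rp_verify(challenge, client_data, auth_data, signature)


if __name__ == "__main__":
    print(login_attempt("https://accounts.example"))
    print(login_attempt("https://accounts-example.evil"))
```

Two layers do the work: on a look-alike site the phone simply has no credential for that RP ID, so nothing is signed, and even if an assertion were somehow produced, the relying party rejects a `clientDataJSON` whose origin is not its own. Neither check exists for a one-time code typed into a form, which is why the quote above calls every other form of 2SV phishable.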

Using your Android phone as a security key

To use your Android phone as a security key, you will need a Bluetooth-enabled Chrome OS, macOS X, or Windows 10 computer with Chrome 72 or higher. Follow these steps to get started:

  1. Sign into your Google Account on your Android phone and turn on Bluetooth
  2. On your computer, navigate to (you have to be signed into the same account)
  3. Select 2-Step Verification
  4. Click “Add a security key”
  5. Choose your phone from the list of available devices

Everyone will have to go through this process before they can use their Android phone as a security key. (Google plans to run a promotion encouraging Google account users to enable the feature if their phones are eligible to use as a security key.)

Once enabled, the user experience is straightforward. After you type in your password, your phone will prompt you to approve the login. You’ll just have to hit a button on your screen. On Pixel 3 devices, you’ll have to hit the volume-down button, which is hardwired to the Titan M chip — where Google stores your FIDO credentials for that extra bit of assurance.

“Note that the user experience when using your phone as your security key is very simple. It is more or less the same as approving a prompt on your phone, which is a big plus,” Brand told VentureBeat. “Under the covers, however, the phone and computer are communicating with the FIDO CTAP protocol over Bluetooth and the website and computer are communicating with the WebAuthn protocol and this adds the phishing-resistance. This is the crucial and huge additional security boost.”


At Google Cloud Next 2018, Google launched the $50 Titan Security Key, its own take on a FIDO security key. Maybe it’s fitting that Google Cloud Next 2019 makes that security key less useful.

We say less useful because Google still recommends that you use your phone as an additional security key. If you lose your phone, it’s good to have a backup USB key at home, especially if you’re a consumer. An administrator can always reset your work account. If you’re a consumer, however, and you lose your security key, you’re out of luck.

The phone security key solution isn’t limited to any specific geographies because it’s being rolled out via Google Play Services, which is how the company can offer it on older Android devices. It requires Chrome, but because Google built it using open standards, the company hopes other browsers will adopt it as well. The same goes for iOS: Google hopes the functionality will work on Apple’s mobile devices one day too.

But for now at least, the feature can only be used for 2FA on Google accounts. Google has submitted caBLE to FIDO and it’s under review by the working group. Letting other companies use the technology is on the roadmap, but Google wouldn’t commit to a date.


The General Overview for 2019
Small Business Cybersecurity
The Costs of Poor Cybersecurity
Where, When, and How
The Human Element

The worldwide cybersecurity market is expected to reach $167 billion in 2019, and it is only going to grow larger from there, given the number of attacks and the amount of wealth stored online. The line between physical and digital is being blurred more, and criminals are following the money. And often enough, the trail leads to businesses just like yours.

To put the level of growth into perspective, here is the estimated size of the market from 2015 projected until 2023:

Cybersecurity Industry Size By Year

We want to focus on the facts relating to the gravity of the threat and how you can protect your business, however, so let’s get right to it and give you some context on what you should do for your business and what you should generally be aware of regarding cybersecurity:

The General Overview for 2019

While the details are important, first we would like to share with you some statistics that demonstrate just how widespread the global cybersecurity problem is:

  • Hackers can automate attacks through bots, malicious websites, and similar tools. An attack occurs on a computer with internet access every 39 seconds (on average) according to a study by the University of Maryland. Consider how many computers your business uses and do the math on that for a second.
  • The FBI’s most wanted page lists 41 cybercriminals, wanted for crimes ranging from intellectual property theft to membership of well-known cybercrime gangs.
  • According to Business Insider, there will be 24 billion connected (and therefore exploitable) devices installed on the planet by 2020. That will be an estimated 3.2 devices per person living on the planet. How many devices does your business use, and are they all optimally protected?
Device Statistics
  • Gartner reports that global cybersecurity spending will increase to be over $124 billion in 2019, which will be an 8.7 percent increase from last year. There are no expectations that the spending will cease growth in the near future due to increasing government regulations regarding data security as well as consumer concerns.
  • On a governmental scale, cybercrime is considered a constant threat, with the Cybersecurity Risk Determination and Report and Action Plan noting that 25 out of 96 agencies are effectively managing their risk. With that in mind, you will likely not be able to rely on too much government aid regarding cybersecurity. Your business will need to protect itself.
  • This concept is difficult to quantify, but the barriers to entry for cybercrime are getting lower as more tools become available to the average person. More people than ever know how to conduct standard attacks, and as such low-skill (but still dangerous) cybercrime is being attempted more often. The barrier to entry will only become lower as criminal organizations invest in tools that allow anyone off the street to become a cybercriminal in a matter of days, boosting their overall profit.

Small Business Cybersecurity

Small businesses are often easy prey for cybercriminals. They often don’t make cybersecurity a top priority and their limited resources prevent them from putting in place the absolute best practices and programs to protect them. To give you more context, we have some numbers and facts to illuminate the scale of the problem:

The rate of cyber attacks on small business
  • The 2017 Ponemon Report on SMBs sponsored by Keeper showed that 61 percent of businesses experienced a cyberattack in fiscal year 2017 and 54 percent experienced a data breach. Without protection, you’re effectively flipping a coin with your business.
  • According to Small Business Trends, 43 percent of cyberattacks are aimed at small businesses. Keep in mind how that share compares with the number of small businesses in existence: this is a targeted campaign you are dealing with.
  • According to the Verizon Data Breach Investigation Report, the majority (58 percent) of malware attack victims are small businesses.
  • Cybersecurity Ventures estimates that by the end of 2019 there will be an attack on small businesses every 14 seconds. We also can only expect the rate to go up as more criminals and criminal organizations turn to cybercrime.
  • According to Kaspersky Labs, in 2017 about 26 percent of ransomware attacks targeted businesses. This is especially alarming for small businesses due to the data contained on their devices. An individual user might lose some important files and photos, but a business can lose nearly everything and then some.
  • The 2018 Symantec Internet Security Threat Report also sees a vulnerability regarding the Internet of Things, as there was a 600 percent attack rate increase on devices related to the IoT. You might want to be careful about the vulnerabilities created by devices in your office.
  • In 2017 Ponemon conducted a poll which showed that 70 percent of organizations believed that their security risk increased dramatically that year.

We would like to note, however, that these statistics don’t spell certain doom for your business. They are only trends, and you and other business owners can break them. Your actions and preparations can clearly impact your risk level.

The Costs of Poor Cybersecurity

A successful cyberattack or data breach involving your business can cost you millions of dollars, which could bankrupt your business. Here are some more specific numbers on what lax practices can cost you:

  • A joint study from IBM Security and the Ponemon Institute states that the average cost of a data breach globally is $3.86 million. The cost of each stolen record averages $148. Consider how many records or pieces of sensitive information you are currently protecting.
  • The same study notes that the average cost of a data breach for a U.S. company is $7.91 million.
  • A 2018 report from McAfee states that cybercrime currently costs the global market over $600 billion a year.
  • Cybersecurity Ventures notes that the total cost of cybercrime is likely to hit about $6 trillion each year by 2021. To put this number into perspective, this is more than the 2018 nominal GDP of Japan.

Where, When, and How

While your small business is a likely target, how do these attacks occur and what targets are used specifically? What are the more precise factors involved and what types of attacks might you expect? Once you know these facts, you can devote your time and energy to meet cyberattacks head-on:

Malware statistics you need to know
  • Mobile malware is a growing threat, and Symantec’s Internet Security Threat Report for 2018 states that the number of new variants for malware increased by 54 percent over 2017. As smartphones become more advanced, their value to cybercriminals increases, smartphones connected to business accounts especially so.
  • Computer World notes that Windows is the most targeted OS and that 98 percent of mobile malware targets Android phones. We recommend you choose your business’ devices and prepare them with this in mind.
  • Javelin Strategy and Research released a study that noted that there were 16.7 million victims of identity theft. While your business isn’t a direct target of identity theft, you should note that small businesses are often how identity thieves get their information.
  • According to Symantec, in 2017 cybercrime activity related to coin mining increased by over 34,000 percent, in an astonishing trend that seems likely to slow down due to the cooling off of the market but is still a major consideration. For the most part, cybercriminals will be seeking to steal your computers’ processing power, effectively damaging the performance of your equipment.
  • The Verizon Data Breach Investigation Report indicates that 92.4 percent of malware is delivered via email. To protect your business, email security and email security investigation is vital.
  • According to Wipro, health care was the most targeted sector of all industries, with 40 percent of breaches. The trend is upwards, as cybercriminals are further realizing the potential profits to be made from health records and similar files.
  • Another factor to consider is dwell time, which is the time a cybercriminal has access to your systems before being flushed out. In the Americas, the 2017 dwell times averaged 75.5 days according to FireEye. In this period, a cybercriminal would easily be able to gain access to everything and start to notice patterns about your business, opening it up for future exploitation.
  • FireEye also notes that businesses that were targeted successfully previously were often attacked again the next year. Cybercriminals remember easy marks.
  • Fileless attacks, against which virus scanners and other traditional protections are less effective, are becoming more prevalent. Ponemon estimated that fileless attacks would comprise about 35 percent of all attacks in 2018.

It should be noted that while these are the current trends, a change in the market or a breakthrough in either cybercrime or cybersecurity (and the two are heavily related from a research standpoint) can create a new set of targets, so keep up to date on these statistics.

The Human Element

Unless every employee is trained in proper cybersecurity practices, your entire business is at risk. Most cybercrime doesn’t occur through the kind of hacking and computer work shown in the movies. Consider most cybercriminals one part hacker and two parts con artist, using social engineering and confidence tactics to get inside your company. Here are a few more statistics on the matter:

  • According to the 2017 Verizon Data Breach Investigations Report, insiders (whether malicious or negligent) are responsible for about 25 percent of data breaches. This number is far too high when you should be able to trust employees to act in your business’ best interest. Be wary of disgruntled or soon-to-depart workers.
  • The same report notes that weak or stolen passwords (nearly always a preventable occurrence) were responsible for over 80 percent of the hacking related breaches that took place.
  • According to Wombat Security, 76 percent of businesses reported phishing attacks happening within the last year. These are the attacks most likely to involve your employees and human error, and they’re bound to happen to your business at some point.
  • The 2018 PwC report notes that only 53 percent of businesses require employees to be trained on privacy policies.
  • The 2017 SMB Ponemon survey reports that 60 percent of small businesses are finding that attacks are becoming more sophisticated. This means your employees will need to be able to match this and become aware of these advanced tactics.

The best way to train your employees will depend on their learning styles, the size of your business, and a variety of other factors. Simply make thorough training your main goal, and don’t neglect new team members on this matter as they come in.


It’s possible you might be wondering how your business can possibly protect itself at this point, but you should know that there absolutely are options to protect yourself and strategies you can use to make sure your business thrives and doesn’t become another cybersecurity statistic.

You likely have a few of these steps in place already, but here are a few things you can do to start making your business safer online:

  • First off, you’ll have to deal with the human error factor before anything else. If your employees can be conned, there is nothing else you can do and it’s only a matter of time until you’re dealing with a data breach. Create an action plan and train your employees until basic vigilance regarding cybersecurity is second nature.
  • Make sure your websites, data centers, computers, smartphones, and other devices have the proper protections in place. Freeware isn’t the way to go here, and there are plenty of affordable options to protect your digital assets if you take the time to look for them.
  • Secure WiFi networks and devices, and be wary of things such as bring-your-own-device (BYOD) policies that can bring malware or other threats into your business under the radar. Effectively, minimize the potential for programs and files to get past your other defenses via human delivery (intentional or unintentional).
  • The previously mentioned FireEye report notes that breaches discovered internally had a far shorter average dwell time than breaches first discovered externally. You need to be regularly scanning and monitoring your data and noticing any anomalies. A bit of preparation now can save your business a great deal of trouble in the long run.
  • Don’t be complacent in your current measures. Even if you already have systems in place, you’re going to need to adapt them regularly. When was the last time you checked if your business’ antivirus solution was the best choice? Whether the scams you’re preparing for are actually used by cybercriminals today?

The above strategies don’t cover everything you need to do to protect your small business. That would require not just an article of its own but a whole book. To protect yourself, we cannot stress enough (and we will repeat this several times) the research and work required on either your or an IT professional’s part to keep your business safe. It’s an investment, but a necessary one.

We would also like to note that every business is unique and will have unique cybersecurity needs. As such, you won’t be able to give yourself a few blanket protections and call it a day. Instead, you will either need to combine your knowledge of how your business operates with detailed research or otherwise bring in a professional (and then listen to them).


These statistics can be alarming, but we would be more concerned if you didn’t find them alarming. The web is getting increasingly dangerous for the unaware, and cybercrime is getting more profitable over time. Remember that in most cases cybercriminals will go after the weakest target or a weak point in your business. If you take the steps required to protect yourself and your business, you will be able to conduct business without fear.

We recommend creating an action plan or hiring a cybersecurity expert, depending on the size of your business. We also encourage you to educate yourself on further cybersecurity matters (any advice given here is the tip of the iceberg) and to keep up to date with developments as well. The cybercriminal element never rests for long, and you will need to remain vigilant.

We hope that the above information allows you to better protect yourself through 2019 and beyond, and we encourage you to have discussions on the topic and share this with your friends and partners. If the people around you are safer online, you will be safer as well.


Google’s Android operating system is now certified to employ the FIDO2 open authentication standard, a development that could help owners of more than a billion Android devices phase out the use of passwords when logging in to online services.

As an alternative to potentially insecure passwords, FIDO2 instead offers the option of using fingerprints or FIDO security keys to log into browsers, websites and apps that support FIDO2 protocols. As a result of the certification, devices operating on Android 7.0 or higher will be FIDO2-enabled either out of the box or after an automated Google Play Services update.

FIDO2 comprises both the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and the FIDO Alliance’s Client to Authenticator Protocol (CTAP).

“Google has long worked with the FIDO Alliance and W3C to standardize FIDO2 protocols, which give any application the ability to move beyond password authentication while offering protection against phishing attacks,” said Christiaan Brand, product manager at Google, in a press release. “Today’s announcement of FIDO2 certification for Android helps move this initiative forward, giving our partners and developers a standardized way to access secure keystores across devices, both in market already as well as forthcoming models, in order to build convenient biometric controls for users.”

“FIDO2 was designed from day-one to be implemented by platforms, with the ultimate goal of ubiquity across all the web browsers, devices and services we use every day,” said Brett McDowell, executive director of the FIDO Alliance, in the same press release. “With this news from Google, the number of users with FIDO Authentication capabilities has grown dramatically and decisively. Together with the leading web browsers that are already FIDO2 compliant, now is the time for website developers to free their users from the risk and hassle of passwords and integrate FIDO Authentication today.”


Cloud is a great thing to have: an endless source of computing power at anyone’s fingertips, a relentless workhorse on which to offload nearly any task, at any time and from anywhere. But as with basically anything in the IT landscape, cloud is not a silver bullet for everything, and your corporate identity might be one such exception, as the recent Azure MFA downtime demonstrates.