In recent months, you may have noticed an uptick in two-factor and multi-factor authentication prompts, which are being used to verify consumer and business accounts. These tools are gaining more traction to help consumers and businesses protect against identity fraud, data breaches, password skimming, and phishing\/ransomware attacks.\n\nRecent stats from the Identity Theft Resource Center (ITRC) show that about 92% of data breaches are cyber-attack-related, and data breaches in Q1 2022 were 14% higher than the same period in 2021.\n\nThe ITRC stats also show that in Q1 2022 alone, nearly half (154 of 367) of data breach notices didn\u2019t include the nature of the breach and were designated \u201c\u2018unknown\u201d. This \u201cunknown\u201d amount was 40% higher than the \u201cunknown\u201d data breach causes for all of 2021.\n\nSo how can CISOs prepare their firms to thwart these cybersecurity attacks? They must stay on top of emerging technologies to combat evolving threats, system vulnerability, and bad actors, adapting to constantly changing circumstances.\n\nCyber hacks in 2022\n\nAlready, this year has proven to be full of corporate security exploits. One well-known group referred to as Lapsus$, operating out of South America, has committed several cyber hacks. The group was confirmed to be the perpetrators in the attacks against NVIDIA, Samsung, T-Mobile, and Vodafone.\n\nIn the T-Mobile case, Lapsus$ members hacked into T-Mobile\u2019s network in March 2022 by compromising employee accounts, either via phishing or another form of social engineering. Once within the T-Mobile database of customer accounts, the cybercriminals sought to find T-Mobile accounts connected to the US Department of Defense and the FBI.\n\nLapsus$ also claimed responsibility for a cyberattack against Microsoft. The software giant confirmed that its internal Azure DevOps source code repositories and stolen data were hacked via an employee\u2019s account but added that only limited access was granted.\n\nAnother recent breach took advantage of a company\u2019s sales team via social engineering. A cybercriminal who pretended to be a member of the company\u2019s corporate IT department reached out to the organization\u2019s salespeople with requests for CRM log-in credentials. Ironically, this request was made under the guise of installing additional layers of security for the users and their critical systems to become more secure.\n\nUnfortunately, at least one salesperson fell for the ruse, and the criminals were able to access their credentials, gain access to the company\u2019s CRM system, and download targeted portions of the customer database. \n\nThese types of attacks are becoming more common and are more difficult to solve given traditional access control methods.\n\nImplementing multi-factor authentication\n\nFor CISOs, it\u2019s become imperative to\u00a0implement two-factor authentication (2FA) \u2013 at a minimum \u2013 for access to all computers, servers, infrastructure services, and business applications. Adding 2FA is helping keep hackers and cybercriminals at bay, preventing them from gaining access to systems. Although even these solutions can be circumvented by clever techniques.\n\nSome companies use physical security keys for an additional layer of data protection. For example, physical security keys can help halt phishing attacks when multi-factor authentication is available. They are available in several formats, are easy to use, and generally are an inexpensive means for protecting data security. \n\nOther security measures that leverage existing employee devices have been introduced to combat the example above of the unsuspecting salesperson giving system log-in credentials away. For example, one company has developed a user and transaction specific QR code\u2013 a Nametag* code\u2013 that is matched to all employees in the company, including IT administrators. If a person in the company gets a request to share log-in details or some other critical data, this dynamic code verifies the request \u2013 the identity, intent, and permission to complete the transaction are all verified and approved. Without it, the request is not valid.\n\nSolving the password problem\n\nHow do we solve the user password problem? Are technology solutions the answer? For example, can IT pros heighten data security by linking a person\u2019s username\/password to the physical proximity of their device? And are deeper levels around training, management, and user behavior necessary?\n\nOpportunity abounds for innovation. A few start-ups are tying together behavioral biometrics for IT identity management* purposes. The platform assesses several factors about individuals, for instance, how a user walks, speaks aloud, types on their keypad, or moves a mouse. Individually, these factors might not be sufficient to confirm a user's identity. But when several of these are combined, these characteristics can create a unique biometric that identifies a user with nearly 100% accuracy.\n\nIn an increasingly remote\/hybrid work and volatile world, CISOs must protect access to data in multiple ways and strive to:\n\nWith malevolent external forces on the rise and the war in Ukraine creating additional IT security pressure, it is paramount for CISOs to ensure that this most basic form of access is vigilantly guarded against new and ever-evolving security risks.\n\n*Disclosure: Glasswing is an investor in these cybersecurity startups.