Jump to main content

CU Minute

It’s Hard to Go Phishing with No Phish in the Pond

Author: Brian Nowak, Information Technology Director

Corporate Central has a strong focus on technology. Some of our technological initiatives are very visible and outward facing. However, there’s a lot that goes on behind the scenes that no one outside the organization ever hears about. I’d like to take this opportunity to talk about one of these changes.

IT departments have many things that keep them awake at night, security being at the top of the list. The current threat landscape doesn’t help. It’s common to hear so and so’s email was compromised, or XYZ company got hit with ransomware. It’s no secret that end users are the biggest threat to any organization. Member service teams want to help members; sales are looking forward to the next opportunity; and finance is busy making sure the numbers match. None of them have information security as their top priority.

I know that Corporate Central employees are among the best out there. However, we still run into the same challenges as other organizations when it comes to information security. One of the IT department’s goals for 2023 was to reduce the end user risk by eliminating passwords. That’s right - get rid of our staffs’ need and reliance on remembering a password, wherever possible. I would love to say that we have achieved 100% passwordless authentication, but there are some applications, processes, or systems that have just not caught up with that requirement yet. However, almost all our systems and our users no longer have a password that they know.

Our systems are designed to allow passwordless authentication via several different methods. It could be a security key, like the one used for Beastro, Windows Hello for a computer, or Microsoft Authenticator for a mobile device. Usually, any one of those options can be used for authentication into any of the systems. It really depends on the user’s preference and what the system will allow. We have been using forms of passwordless authentication for some time, but password fallback had remained an option.

I admit I was a little unsure what was going to happen when we told our staff that we were taking away their passwords. The announcement went out and it was anxiety inducing. However, most realized that they had already been using passwordless options so often that they forgot their current password. Music to my ears! After we ensured that everyone had all forms of passwordless authentication set up, we started changing everyone’s passwords to random information and didn’t document it anywhere.

A few months later, and there have been few, if any, issues. There are a few more steps to accommodate new employees, or when a user no longer has access to one of the methods they primarily use for authentication. However, the Corporate Central staff did not skip a beat.

We still phish test our users regularly. Employees are trained to not click on links in suspect emails. Nevertheless, if it does happen, we hear, “I knew right away it was not legitimate because I was being asked for my password.”

Going passwordless did not eliminate the risk that end users pose to the organization, but it could be the one change needed to prevent that negative, newsworthy event from happening. There are plenty of tools out there to facilitate going passwordless within your organization. It is certainly worthwhile making it a priority to reduce that end user risk.

If you’re intrigued and would like to learn more about how Corporate Central went passwordless, I’m happy to discuss our process. Contact me at support@corpcu.com.

Our Family of CUSOs

 Interlutions CUSO Think|Stack logoQuantify CUSO