A leading cyber security expert has said new figures from the UK government validate the need for businesses to end the use of passwords to protect their systems from cyber-attack.

Nic Sarginson, Principal Solutions Engineer at Yubico, said research has found that people often use the same password for multiple systems leaving all vulnerable to fraud. He added firms should move to a system of Multi-factor authentication (MFA).

MFA is an electronic authentication method in which a device user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism.

Mr Sarginson’s comments came as Department for Digital, Culture, Media and Sport (DCMS), issued a report which found Two in five businesses (39 per cent) and a quarter of charities (26 per cent) report having cyber security breaches or attacks in the last 12 months.

The Cyber Security Breaches Survey 2021 report also showed the cyber risk to organisations has been heightened because of the pandemic, which has made securing digital environments more challenging as organisational resources are diverted to facilitating home working for staff.

Digital Infrastructure Minister Matt Warman said: “The pandemic has taken an unavoidable toll on British businesses but we cannot let it disrupt our high cyber security standards.

“With more people working remotely it is vital firms have the right protections in place, and I urge all organisations to follow the National Cyber Security Centre’s expert guidance so we can build back better and drive a new era of digital growth.”

The new data showed fewer businesses are using security monitoring tools to identify abnormal activity which could indicate a breach – suggesting firms are less aware than before of the breaches and attacks staff are facing. The figure has dropped five per cent since last year to one in three firms (35 per cent). Only 83 per cent of businesses have up-to-date anti-virus software – also down five per cent from the previous year.

The most common breaches or attacks were phishing emails, followed by instances of others impersonating their organisation online, viruses or other malware including ransomware.

Where a breach has resulted in a loss of data or assets, the average cost of a cyber-attack on a business is £8,460. This figure rises to £13,400 for medium and large businesses.

The figures also revealed nearly half of businesses (47 per cent) have staff using personal devices for work, but only 18 per cent have a cyber security policy on how to use those personal devices at work. Less than a quarter of businesses (23 per cent) have a cyber security policy covering home working.

Despite the challenges of the pandemic, cyber security remains a high priority for business leaders. More than three quarters (77 per cent) of businesses say cyber security is a high priority – up 12 per cent from the 2016 report.

Yubico has worked with the UK government in online fraud protection and counts Google amongst its commercial clients. Mr Sarginson said the results highlight the need for firms to look to ways in which they can enhance the security of their systems, and passwords remain a major issue.

“Businesses still rely heavily on passwords for security, despite the fact that passwords are increasingly ineffective against modern cyber-attacks,” he explained. “In fact, research shows that people reuse their passwords across an average of ten personal accounts, while ‘123456’ still topped the list for the most common password in 2020.

“British businesses need to adopt different forms of authentication and embrace passwordless as the future if they want to protect their assets. Microsoft has long been championing the benefits of passwordless and believes passwords will soon be obsolete. Unfortunately, businesses fall into the trap of sticking with passwords because there are benefits like portability, compatibility, and interoperability. Plus, everyone is used to them.

“Luckily, there are passwordless options that cover all of the benefits of passwords while also increasing security and usability, like biometrics and hardware security keys. In fact, Google uses security keys to protect over 85,000 of its employees, leading to zero confirmed account takeovers. The results are clear and it’s good to see the Government highlighting the problem, with the National Cyber Security Centre advocating the implementation of MFA and a move towards passwordless.”

“Transitioning to passwordless won’t happen overnight, but it is a journey that businesses need to embark on. This report should be a wake-up call to businesses that if they don’t start this journey, they’ll be one of the two in five that get cyber attacked,” added Mr Sarginson.