The Secret to Google's Security

BY Alex Bassett / ON Apr 07, 2022

Catch Of The Week

Did you know that Google has never been the victim of a successful phishing attack? Not bad for a company of 140,000 staff and counting.

2021 saw the amount of phishing attacks double year on year, in addition to a large increase in the number of brands being directly targeted!

So just how do Google do it?

“At Google, we take your privacy and security very seriously.”

Well, the good news is it’s a simple, yet effective formula, and by following in their footsteps, your business could be well on the way to being more secure than the vast majority!

1. Implement two-factor authentication wherever you can!

As any security professional will tell you - it’s significantly more difficult to breach an account with two-factor authentication enabled.

Adopting 2FA is a well-known, popular and effective strategy to help us create an extra barrier between your business and cybercriminals to really increase the security and privacy of our accounts.

Two-factor authentication is a combination of two of the following factors:

  • Something you know (such as a password)
  • Something you have (phone or other device)
  • Something you are (iris or fingerprint)

Get started by listing your most critical services vital to keep your business running, and switch on mandatory 2FA on these services. Email providers are a great place to start.

Once your team is accustomed to using 2FA, roll it out everywhere it’s available.

Cybercriminals target businesses of all sizes. If a hacker gets into your administrator account, they can see your email, documents, spreadsheets, financial records, and more.

A hacker could steal or guess a password, but they can’t reproduce something only you have.

Your company probably will be implementing two-factor authentication shortly – or if not, you may well wish that you had.

However, be aware that many 2FA methods can still be compromised by a determined hacker, which is why it is vitally important that you don’t rely on 2FA alone!

For example, an attacker could set up a phishing website called badtwitter.com, and have it proxy traffic to twitter.com, providing access to the real website, the user now logs in using their credentials and 2FA, and voila, you’re logged in. Since the attacker is intercepting the data via badtwitter.com, they can now steal the session cookie that you were assigned after your successful login and hijack your session.

2. Use a corporate password manager!

Bad news - your credentials for a large number of sites will have already been compromised.

Password reuse is a big security risk, it means that if anything you use gets hacked, they could now have the credentials for systems with much more sensitive data.

This is a great starting point for cyber-criminals who bank on people reusing the same password across multiple sites.

By getting your staff using a password manager you’re ensuring each password is unique, complex and randomly generated - and much more difficult to crack!

You can also look at rolling out an enterprise grade password manager like BitWarden, which helps maintain centralised password discipline across your company.

Bitwarden offers the easiest and safest way for teams and individuals to store and share sensitive data from any device.

Bitwarden works with almost any device and browser you can mention: Windows, Mac, Linux; iOS and Android; Chrome, Firefox, Safari, Edge, and many more niche browsers.

Check it out here: https://bitwarden.com/help/create-bitwarden-account/

3. Utilise hardware tokens!

As internet powerhouse Google continues to boast its extremely impressive record, some wonder what their real secret is to their security success?

The answer is simple in truth, Security Keys.

Google has never been the victim of a successful phishing attack, since introducing company-wide policy requiring over 85,000+ employees to use physical security keys.

Security keys use public key cryptography to verify a user’s identity and URL of the login page ensuring attackers can’t access your account even if you are tricked into providing your username and password (Such as in our earlier example).

They can efficiently differentiate legitimate sites from malicious ones and block phishing attempts that SMS 2FA or one-time password (OTP) verification codes would not.

Many different types of hardware keys exist such as the Google Titan Security key, and the world-renowned yubikey.

You can check them out here; https://cloud.google.com/titan-security-key, and here, https://www.yubico.com/.

With passwords being the root cause of over 80% of data breaches and Up to 51% of passwords being reused, it makes total sense to incorporate Hardware tokens into every level of your business!

Hardware tokens are as close to a silver bullet as you can get in cybersecurity - but it can be a bit of a behaviour shift for employees..

Social Media giant Twitter recently followed in Google’s tracks by implementing a company wide security key policy, and they said that in order to encourage wider use, they made it clear that employees would be allowed to keep their security keys even after they leave the company. This encouraged their employees to use their new security keys to protect their personal accounts. Better protection for employees prevents those accounts from being used to compromise twitter.

So there we have it!

A combination of 2-Factor-Authentication, Password Managers and Security Keys is the formula that makes Google so resilient to phishing attacks, and helps keep them secure all year round!

We hope to see the industry-wide adoption of security keys in the near future!

“Wider usage of security keys promotes a more secure web for everyone.” - Nick Fohs, Twitter