Security-First Culture (SFC) is an organization-wide commitment where security considerations influence decision-making at every level, from strategic planning to daily operational tasks. 

It’s not just about having fancy tech or a dedicated IT team; it’s about making security a core part of how the company thinks and acts. A mindset where every decision, from coding a new app to sending an email, considers “How could this go wrong, and how do we protect against it?”.  
 
Leaders set the tone by prioritizing security, allocating resources, and weaving it into the company’s strategy. Every employee, regardless of their role, understands that they play a critical part in the organization’s security posture.    

Main Principles of Security-First Culture 

1. Proactive Risk Management. Teams don’t wait for incidents to happen. They actively identify, assess, and mitigate risks before they materialize into threats. 

2. Continuous Learning and Adaptation. Threats evolve, so should your people and your strategies. Regular training, updates, and process improvements are standard practice. 

3. Transparency and Communication. Open dialogue about security concerns, incidents, and best practices creates an environment where problems are addressed quickly. 

4. Security by Design. New products, services, and processes are developed with security considerations built-in from the beginning. Security supports innovation; it doesn’t block it. 

5. Data-Driven Decision Making. Security decisions are based on threat intelligence, risk assessments, and measurable outcomes rather than assumptions or gut feelings. 

The principles sound sensible but quite challenging to implement. Transferring to SFC might look like an organizational revolution demanding changes on all levels, from the leadership mindset to everyday practices. And of course it must be quite a recourse-consuming adventure. Is the outcome worth it?  

Benefits of Security-First Culture 

The advantages of implementing SFC extend far beyond just preventing cyberattacks. But the straightforward outcome of suffering less breaches must certainly be considered. Verizon’s 2022 Data Breach Report says 82% of breaches involve human error, so a security-minded workforce can slash that risk. 

Fewer breaches mean less damage: financial, reputational, operational. Preventing even one incident can save millions: the average cost of a data breach exceeded $4 million back in 2023, according to IBM.  Besides, if an attack does happen, a prepared organization bounces back faster, minimizing damage and downtime. 

Customers, partners, and stakeholders have greater confidence in organizations that demonstrably prioritize security. This translates to stronger business relationships and competitive advantages. 

Less obvious but no less valuable benefits include:  

• Improved Operational Efficiency: When security practices are integrated into daily workflows, they become second nature, reducing friction and improving overall productivity. 

• Regulatory Compliance: A security-first approach makes compliance with various regulations (GDPR, HIPAA, SOX, etc.) more straightforward and less costly. 

• Innovation Enablement: Paradoxically, strong security foundations enable organizations to innovate more freely, knowing they have robust safeguards in place. 

• Employee Empowerment: When staff feel confident handling threats, they’re more engaged and take ownership of their role in security. 

SFC Champions and Those Who Paid the Price 

Several organizations have become benchmarks for security-first culture: 

Microsoft: Following significant security challenges in the early 2000s, Microsoft implemented their “Security Development Lifecycle” and “Assume Breach” philosophy, fundamentally transforming their approach to security.  
 
Google: Their “BeyondCorp” zero-trust security model and continuous security innovations demonstrate a deep cultural commitment to security. 

Apple: Known for privacy-by-design principles and strong encryption standards across all products and services. 

Not every company gets it right (providing us with impressive and didactic examples). These high-profile disasters could’ve been mitigated with a stronger SFC: 

Equifax (2017): A failure to patch a known vulnerability led to a breach exposing 147 million people’s data. A lack of proactive monitoring and employee awareness was a key factor. 

SolarWinds (2020): A supply chain attack compromised multiple organizations. Inadequate security training and siloed responsibilities left gaps that attackers exploited. 

AT&T (Multiple breaches 2023-2024): Repeated incidents affecting millions of customers demonstrate ongoing security culture deficiencies despite previous breaches. 

Evaluating Your Current Security Culture 

Here’s how to understand where you stand: 

Cyber Threat Intelligence as a Pillar of Security-First Culture 

Cyber Threat Intelligence (CTI) isn’t just a technical capability — it’s the nervous system of a security-first culture. CTI provides the contextual awareness that transforms reactive security measures into proactive, strategic defense.  

Like security-first culture permeates and consolidates every organizational unit and structure, state-of-the-art CTI vendors like ANY.RUN offer solutions to cover security-related challenges on all business levels.  

CTI for Enriching Cyber Threat Investigations and Response 

Daily security operations rely on CTI to prioritize alerts, contextualize incidents, and guide response efforts. Instead of treating all security events equally, intelligence helps teams focus on genuine threats.  

Threat Intelligence Lookup allows employees of any grade to utilize a vast database of fresh Indicators of Compromise (IOCs), Behavior (IOBs), and Attack (IOAs) to instantly collect context for alerts, incidents, and campaigns. The data is continuously updated and derived from the attacks on over 15,000 companies using ANY.RUN’s Interactive Sandbox for hands-on investigations of malware and phishing attacks. 

An employee does not have to be a security expert to make a search request like a suspicious IP address and receive an instant verdict that the notorious banking stealer Lumma might have penetrated the perimeter:   

TI Lookup enables teams to quickly gather critical threat context, transforming existing indicators tin actionable insights into the threat to hand to mitigate risks and protect the organization. 

CTI for Proactive Threat Monitoring 

When it comes to tactical implementation, security tools and controls are configured based on current threat intelligence, ensuring defenses remain relevant as the threat landscape evolves.  

Threat Intelligence Feeds provided by ANY.RUN deliver up-to-date curated indicators of compromise like URLs, domains, and IPs, enriched with threat context, to integrate with detection and monitoring systems and identify threats before they become incidents. 

CTI For Early Detection of Malicious Files and URLs 

Smart threat intelligence solutions improve employees’ ability to make better security decisions in ambiguous situations. ANY.RUN’s Interactive Sandbox makes it possible to analyze any suspicious link, email, or file, and not just get a malicious/benign verdict, but to understand malware’s behavior as well as its operators’ TTPs. 

Thanks to interactivity, the sandbox makes it possible to engage with the environment and the threat just like on a standard desktop, detonating every stage of the attack to reveal the final malicious payload. 

As we can see, the Sandbox file analysis exposes its malicious behavior and labels it as AsyncRAT trojan. 

The intuitive interface of the sandbox simplifies malware analysis for junior security professionals and even non-specialists, providing them with a clear understanding of any threat.   

Sign up for ANY.RUN’s Interactive Sandbox with a business email 

CTI For Improving Security Strategy 

In strategic planning, CTI informs long-term security investments by identifying emerging threats and industry-specific risks. When planning business expansion, drafting a security budget for the next quarter, or gathering information on the key cybersecurity risks, it provides crucial context about the current threat landscape. 

ANY.RUN’s TI Reports contain manually collected intel on APTs, as well as malware and phishing campaigns that pose a danger to businesses right now. The reports help security teams gain greater visibility into the threats active at the moment and proactively defend their infrastructure. 

Step-by-Step Algorithm to Deploy SFC 

1. Assess Current State: Survey employees, audit processes, and measure metrics like phishing click rates to identify gaps. 

2. Develop Security Strategy: Align security with business goals, like customer trust or operational continuity. Create comprehensive plan addressing people, process, and technology. Establish policies and security rules (e.g., password standards, MFA use) and integrate them into workflows. 

3. Train Employees and Implement Tools: (firewalls, encryption, threat intelligence solutions, and monitoring systems to support human efforts). 

4. Measure and Iterate: Track KPIs (e.g., incident response time, training completion) and refine strategies based on results. 

5. Review Regularly: Conduct quarterly audits and update tactics to address new threats. 

6. Celebrate Successes: Recognize and reward security-positive behaviors. Share knowledge and learn from security community.  

Final Thoughts 

A security-first culture isn’t just about tech — it’s about people, processes, and a shared commitment to staying safe. By embedding cyber threat intelligence into every step, from leadership to daily operations, organizations can stay ahead of attackers, protect their data, and build trust with customers.  

Organizations that successfully implement security-first culture supported by robust threat intelligence capabilities don’t just survive in today’s threat environment. They thrive, using their security posture as a foundation for innovation, growth, and competitive advantage. 

About ANY.RUN  

Over 500,000 cybersecurity professionals and 15,000+ companies in finance, manufacturing, healthcare, and other sectors rely on ANY.RUN. Our services streamline malware and phishing investigations for organizations worldwide.  

• Speed up triage and response: Detonate suspicious files using ANY.RUN’s Interactive Sandbox to observe malicious behavior in real time and collect insights for faster and more confident security decisions.  

• Improve threat detection: ANY.RUN’s Threat Intelligence Lookup and TI Feeds provide actionable insights into cyber attacks, improving detection and deepening understanding of evolving threats. 

Start 14-day trial of ANY.RUN’s solutions in your SOC today 

The post A Guide to Developing Security-First Culture Powered by Threat Intelligence  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

On this here blog of ours we constantly write about all sorts of cyberattacks and their devastating effects — from cryptocurrency theft to personal data leaks. Yet there’s a different category of high-profile hacks: those where the hackers aren’t after money, but instead pull off silly stunts that are mostly harmless enough and just for fun (though some (one in particular — the Ecovacs hack, below) could be more serious than others). Today, we tell you about five of these and discuss the lessons we can learn from them…

“They’re everywhere!” When traffic lights talk to you in the voices of Zuckerberg and Musk

In the spring of 2025, unknown individuals hacked crosswalk buttons on traffic lights across Silicon Valley. These audio-enabled buttons are widely installed on pedestrian signals across the United States. As you might expect, they’re designed for people with visual impairments: their main purpose is to play voice messages that help pedestrians who can’t see well understand when it’s safe to cross the road.

The unknown individuals replaced the standard voice messages on crosswalk buttons in several Silicon Valley towns with their own — featuring AI-generated imitations of the ubiquitous tech-billionaires Mark Zuckerberg and Elon Musk. Videos recorded by local residents show the hacked buttons playing the messages.

In a voice imitating Mark Zuckerberg: “It’s normal to feel uncomfortable or even violated, as we forcefully insert AI into every facet of your conscious experience. I just want to assure you, you don’t need to worry because there’s absolutely nothing you can do to stop it.”

In a voice imitating Elon Musk: “You know, they say money can’t buy happiness… I guess that’s true. God knows I’ve tried. But it can buy a Cybertruck and that’s pretty sick, right? F***, I’m so alone.”

Another message in a simulated Musk voice: “You know, people keep saying cancer is bad, but have you tried being a cancer? It’s f****** awesome. Call me Elonoma. Heh-heh-heh.”

The billionaires’ voices were clearly AI-generated, but exactly how the hackers managed to breach the traffic light audio buttons remains unknown. Security experts have noted, however, that default passwords are often used when connecting these kinds of buttons, and nobody bothers to change them after installation.

It looks like no one was hurt by the prank – except maybe the billionaires’ pride.

In Illinois, students learn a key lesson: never forget about Rick

On the last Friday of the 2021 school year, all the TVs and projectors in classrooms across six schools in Cook County, Illinois, turned on by themselves. A message appeared on the screens: “Please remain where you are. An important announcement will be made shortly.” A five-minute countdown timer was displayed below the unsettling message…

Five minutes later, 500 screens simultaneously started showing the famous Rick Astley video for Never Gonna Give You Up. Later that same day, the song played again over the schools’ public address systems.

The hackers behind this surprise pop… classic’s airing were four American students, and what they did was pull off one of the biggest Rickrolls in history that day. A Rickroll is a popular online prank where an unsuspecting user is sent a seemingly important or exciting link, only to be redirected to the video for English singer Rick Astley’s 1987 hit, Never Gonna Give You Up. Rickrolling achieved cult status back in 2007 after spreading on the 4chan imageboard.

Let’s get back to the four students. Their massive Rickroll was a hi-tech twist on a classic American tradition known as the senior prank: basically, a good-natured prank pulled by high-school, college, or university seniors before graduation.

However, the four Illinois students clearly took it to a new level. To pull off their Rickroll, they exploited fairly basic vulnerabilities in the school’s infrastructure. For example, the pranksters gained access to the system controlling hundreds of projectors and TVs across the entire school district because the default usernames and passwords hadn’t been changed after setup.

Similarly, the students were able to log into the schools’ audio public address systems. The person who originally configured the PAs diligently changed the default system password to the one provided as an example in the user manual, which of course was available online. While they were at it, the hacking team discovered an administrator account with “password” used as the password.

It’s worth highlighting just how responsibly the hackers approached the whole operation. Before carrying out the Rickroll, the prankster team prepared a detailed 26-page report, which they sent to the school administrators immediately after the incident. In it, the students thoroughly described their actions and provided recommendations for improving the schools’ cybersecurity. Additionally, once the Rickroll was over, the script they wrote restored the school systems back to their original state.

We always knew: the rise of the machines would begin with robot vacuums

Last year, reports surfaced online about a series of hacks targeting Chinese-made Ecovacs Deebot X2 robot vacuums in cities across the United States. Pranksters assumed control of the robots’ movements and shouted expletives through the built-in speakers. Additionally, they could spy on the owners through the integrated cameras.

The story seemingly had its beginnings at the DEF CON 32 hacker conference, where cybersecurity researchers Dennis Giese and Braelynn Luedtke presented their talk, Reverse engineering and hacking Ecovacs robots. The presentation described vulnerabilities they’d discovered in Ecovacs robot vacuums and lawnmowers, as well as methods for exploiting them. As part of their study, the researchers were able to gain remote access to the built-in microphones and cameras and control the vacuums’ movements. We previously covered their work in detail in our post Ecovacs robot vacuums get hacked.

(By the way, during their presentation at DEF CON, Giese and Luedtke themselves became the target of a hacker prank: a member of the audience managed to take control of the presenter’s clicker and spent several minutes messing with the speakers by randomly flipping through their slides.)

Giese and Luedtke reported their findings to the vendor in a responsible manner. Ecovacs engineers attempted to patch the vulnerabilities, but didn’t have much luck. Several months after the report went out, unknown tech enthusiasts, likely inspired by the study, were able to recreate the techniques described in it to execute a series of attacks on other people’s robot vacuums. For example, in one such attack in California, a robot chased the owner’s dog around the house while shouting obscenities.

The exact number of victims from this series of hacks remains unknown, as it’s plausible that the pranksters didn’t always make their presence obvious — they might have simply observed the vacuum owners’ lives. That, clearly, would have been a very serious infringement of those owners’ privacy – and could in no way be described as mere “fun and games”; neither could this: what if Ecovacs lawnmowers are next?

Lizard Squad “breaking free”: a defacement free redesign of Lenovo’s website

Here’s another playful attack by teenagers, this time targeting Lenovo. A decade ago, the computer manufacturer’s website was hacked. Visitors were redirected to a slideshow featuring photos of bored-looking adolescents, presumably the hackers themselves, all set to the song Breaking Free from Disney’s High School Musical.

Clicking on the slideshow would lead users to the hacking group Lizard Squad’s account on X, which was still known as Twitter at the time. The hackers left a jab at the webmasters in the source code: “The new and improved rebranded Lenovo website featuring Ryan King and Rory Andrew Godfrey”. These two individuals had previously been linked to Lizard Squad.

The attack was orchestrated via DNS hijacking. The hackers altered the DNS records for lenovo.com, causing all users attempting to reach the official company website to be automatically redirected to a fake page controlled by the pranksters.

The attack was apparently a protest against what was seen as the computer vendor’s lax attitude toward security and user protection. Shortly before the defacement, it was revealed that Lenovo had been selling laptops preloaded with Superfish malware. This made users who purchased infected devices potentially vulnerable to data interception and man-in-the-middle attacks. Thus, the hack seems kind of wrong, but at the same time feels justified.

Bring back 2013, when Twitter accounts were hacked for mischief — not crypto scams

These days, when the X account of a high-profile individual or major company gets hacked, it almost invariably leads to some kind of cryptocurrency scam. But it wasn’t always this way. Just a decade ago, popular accounts on what was then still known as Twitter were more often hijacked for giggles than for illicit financial gain.

Take February 2013, for example. Unknown hackers breached Burger King’s Twitter account to post this gem: “We just got sold to McDonalds! Look for McDonalds in a hood near you.”

On top of that, Burger King’s profile picture was swapped out for the McDonald’s logo, and their bio read: “Just got sold to McDonalds because the whopper flopped.” The bio also included the misspelled line “FREDOM IS FAILURE” and a dead link to a press release.

For about an hour, the attackers posted increasingly outrageous messages before Twitter finally suspended the account. Interestingly, Burger King’s arch-rival, McDonald’s, tweeted a message of support — while making sure to clarify they had nothing to do with the breach.

Fast-forward to August 2017, which was when the Ourmine hacking outfit targeted the Twitter account of soccer giant Real Madrid. The hackers used the club’s account to announce that none other than Lionel Messi, who then played for Real Madrid’s fiercest rival, FC Barcelona, was transferring to Real Madrid.

The post quickly racked up 2800 likes and 3100 retweets. Ourmine also posted a series of tweets claiming responsibility for the hack, with one declaring, “Internet security is s*** and we proved that.” It’s hard to argue with that.

A takeaway from the hacks: protect your password from the start

Perhaps the most crucial lesson to learn from these online shenanigans is this: using weak — or even worse, default — passwords is a surefire way to hand control of your device, account, or website to internet pranksters… if you’re lucky. Weak passwords were what tripped up city infrastructure and school administrators, and it’s highly likely that the Twitter account hacks were also linked to a careless approach to password policies.

This blog has frequently discussed how to create strong passwords. But to wrap things up, let’s reiterate a few basic rules of password hygiene:

• Passwords should be at least 16 characters long, or even longer if the website allows it.
• When creating a password, it’s good practice to mix uppercase and lowercase letters, numbers, and special characters.
• It’s best to avoid easily guessable things like common words or dates in your password. And you definitely shouldn’t use the word “password”.
• Ideally, your password should be a random combination of characters.
• Create a new, unique password for each website.

Of course, any user today signs up for dozens, if not hundreds, of online services. So, remembering long and unique passwords for each one isn’t feasible. That’s where Kaspersky Password Manager can help you manage this and protect yourself not just from pranks, but from far more serious consequences.

Additionally, the app automatically checks all your passwords for uniqueness, and helps you create truly strong and random combinations of characters. So, when using Kaspersky Password Manager, you don’t need to keep all those complex rules in mind — the password manager does it all for you. Beyond passwords, Kaspersky Password Manager can store and sync two-factor authentication tokens and passkeys. We recently thoroughly explored this new passwordless technology for accessing websites and services in our complete guide to using passkeys in 2025.

Kaspersky official blog – ​Read More

Despite over a decade of talk about “industrial digital transformation”, it’s only now we’re observing a tipping point. According to the VDC Research report Securing OT with Purpose-built Solutions, only 7.6% of surveyed industrial organizations consider themselves fully digital, but within two years 63.6% expect to be so. This shift is driven by two main factors: economic pressure pushing companies to radically increase efficiency, and the growing accessibility of technologies such as the industrial internet of things (IIoT) and edge computing.

Digitalization helps industrial enterprises boost both their efficiency and safety. Most organizations have already implemented asset, maintenance, and supply-chain management systems that reduce downtime and operating costs. More advanced technologies like digital twins and predictive analytics significantly improve processes, boost production, and cut waste of materials and resources. Integrating data from IT systems and ICS enables real-time decision-making based on up-to-date information.

But with integration comes vulnerability: systems that were once isolated or not digital at all become susceptible to IT failures and direct cyberattacks. Attacks on OT systems can lead to increased defect rates, failure of complex equipment, disruption of downstream production processes, and even catastrophic events that threaten worker safety. Even brief outages can have serious business consequences and damage a company’s reputation.

Major obstacles to industrial digitalization

According to the surveyed companies, cybersecurity concerns have become the main barrier to industrial digital transformation. Nearly 40% of the companies surveyed in the VDC report say they need to resolve this issue to move forward. Other top challenges include budget constraints and outdated equipment that’s too complex and expensive to upgrade for digital projects.

When it comes to security specifically, the top issues include a lack of resources for securing ICS equipment, inadequate security measures in existing infrastructure, and difficulties with regulatory compliance

The cost of an incident

When justifying cybersecurity budgets and planning for further development, experts unanimously recommend a risk-based approach tailored to the organization’s profile, its risk appetite, industry specifics, and other factors. The VDC Research report provides important data for this, documenting the nature and financial impact of security incidents in industrial organizations from 2023 to 2024. For example, 25% of surveyed companies that experienced security incidents with measurable financial consequences reported damages exceeding $5 million.

These costs include response efforts, direct revenue loss, and industrial-company-specific expenses like equipment repairs and losses of raw material or semi-finished goods. One of the top-three costs is unplanned downtime — a critical metric that industrial digitalization specifically aims to reduce. Most incidents resulted in downtime lasting 4–12 hours or 12–24 hours (with each range representing about a third of cases).

The cost breakdown is visualized below:

The challenges of protecting ICS

Despite the recognized need for ICS cybersecurity and regulatory requirements, implementation remains difficult. Almost every surveyed organization faces the following challenges:

• Limited visibility into OT networks due to numerous specialized communication protocols and incompatibility with standard IT monitoring tools
• A shortage of specialists skilled in working with proprietary systems and industrial protocols
• Insufficient network segmentation and the inability to isolate vulnerable equipment due to business needs; emergence of many new connections between IT and OT infrastructure
• A growing number of IIoT devices with insecure configurations and vulnerable firmware (manufacturers often neglect security)
• Outdated software and irregular patch releases
• Delayed patch installation due to the need for extensive testing and coordination with operations teams regarding the installation window
• Lack of detailed incident response plans that take into account critical events in OT networks

Some of these issues can’t be solved at the company level alone, but investing in specialized and integrated cybersecurity solutions can significantly mitigate the risks.

Specialized protection

While ICS protection projects are inherently complex, deploying specialized solutions purpose-built for OT/IT environments can increase efficiency and reduce risks. Key tools include asset and network traffic monitoring solutions (such as Kaspersky Industrial Cybersecurity for Networks) and endpoint protection solutions (such as Kaspersky Industrial Cybersecurity for Nodes). Organizations with mature cybersecurity programs use these as part of a defense-in-depth strategy — a multilayered security approach.

These solutions have features designed specifically for industrial networks, such as avoiding disruption of critical processes and communication, and operating with limited memory and processing power. This helps avoid meltdowns like the notorious CrowdStrike incident, where a careless security update disabled protected systems.

In the near future, technologies like SD-WAN and then SASE will play a bigger role by embedding security deeply into network architecture while ensuring resilience. Ultimately, the gold standard is a secure-by-design architecture, which should be built into smart industrial equipment by manufacturers at the outset.

Security implementation is a serious project — not just for the cybersecurity team but also for engineers and plant operators. As a result, project approval and rollout are often delayed. To reduce the burden on everyone involved, and also speed up the deployment of protection, companies should avoid a fragmented hodge-podge of security tools, and instead use comprehensive solutions from a single vendor. This simplifies both deployment and ongoing management through better integration. According to VDC’s survey, around 60% of organizations prefer getting all their security solutions from one provider.

How protection saves money

Despite the challenges, companies adopting specialized ICS protection solutions are already seeing clear economic benefits.

The VDC report shows that from 2023 to 2024, the number of incidents decreased in companies that deployed network and device monitoring tools. On average, incident rates dropped from 2.7 to 2.2 per year. Organizations using standard endpoint protection brought incidents down from 2.1 to 1.6. In contrast, industrial companies neglecting IT and OT protection experienced an average of 3.8 incidents — about twice as many as their better-protected competitors.

You can explore more about typical industrial digitalization projects, cyber incident damage estimates, and comprehensive protection recommendations in the full VDC report.

Kaspersky official blog – ​Read More

So far in our comprehensive guide to passkeys, we’ve covered how to ditch passwords on popular combinations of Android, iOS, macOS, and Windows smartphones and computers. This post focuses on important specific cases:

• One-time sign-ins to your account from someone else’s device
• Tips for frequent computer and smartphone switchers
• Ways to secure your account when backup password sign-in is enabled
• Potential issues when traveling internationally
• What happens when using niche browsers and operating systems

How to use passkeys on public or shared computers?

What if you need to sign in to your passkey-protected account from a library, an airport computer, or a relative’s home? Don’t rush to remember your backup password.

Start the sign-in process on the computer: enter your username and, if prompted, click Sign in with passkey. A QR code will appear on the screen for you to scan with the smartphone that stores your passkey. If the scan is successful, the QR code will disappear, and you’ll be signed in to your account.

Several factors must align for this seemingly simple process to proceed smoothly:

• The computer must support Bluetooth Low Energy (BLE), which verifies that your smartphone and the computer are indeed nearby.
• The computer’s operating system and browser must support passkeys.
• Both the computer and your smartphone need a reliable internet connection.

How to save passkeys to a hardware security key?

You might find using passkeys via QR codes inconvenient if you frequently access your accounts from different devices. If that’s the case, you can store your passkeys not on your computer or smartphone, but on a USB hardware security key — such as a YubiKey, Google Titan Security Key, or a similar device — for secure website sign-in. When you create a passkey, just choose to save it to your hardware key. Then you can sign in to your account from any computer or smartphone by plugging in that security token.

Just make sure it has the right combination of ports (USB-A, USB-C, Lightning) or NFC support to work with all your devices. Some token models even include a fingerprint scanner, which provides an extra layer of protection against account hijacking if your device is stolen or lost.

Unfortunately, there’s a catch: many older and popular token models can store a maximum of only 25 passkeys. Only a few advanced models — like the YubiKey with firmware version 5.7 — have raised this limit to 100.

Additionally, operating system developers view passkeys as a great opportunity to tie users more closely to their ecosystems. By default, depending on your smartphone, you’ll likely be prompted to save your passkey to either iCloud Keychain or Google Password Manager. As a result, the option to use a hardware security key might be hidden deep within the interface.

To create a passkey on a hardware token, you’ll often need to click the not-so-obvious Other options link on macOS/iOS, or Different device on Android, to select the hardware key option.

How to transfer passkeys between iOS and Android?

The biggest headache right now is if you store all your passkeys in your smartphone’s default storage and you want to switch ecosystems — moving from Android to iOS or vice versa. Currently, none of the three major OS developers — Google, Apple, or Microsoft — let you directly transfer passkeys. That’s because no one can guarantee the process will be secure. Both Apple and Google are working on implementing this feature in the future, but if you decide to swap devices today — say, from an iPhone to a Google Pixel — transferring your passkeys won’t be straightforward.

• First, you’ll need to sign in to the account protected by a passkey on your new device. You can do this either by using your good old password (if it’s still enabled), or by scanning a QR code with your old device that has the active passkey.
• Next, you’ll need to create and save a new passkey on your new device. Yes, you can have multiple passkeys for each website or online service.
• Finally, if you plan to get rid of your old gadget, you’ll need to delete the old passkey from it.

To avoid this hassle, it’s best to use a third-party password and passkey manager right from the get-go. With Kaspersky Password Manager, passkey support is already available on Windows, with Android support planned for July, and iOS and macOS support — for August 2025.

How to protect an account with a passkey from being hacked using a backup password?

Most online services that offer to switch to passkeys don’t disable other sign-in methods. If your account was protected by a weak or compromised password before you switched to a passkey, cybercriminals can still bypass your shiny new passkey by simply signing in with that old password.

Creating a passkey for an account that still has a weak password is like installing a bulletproof front door while leaving the flimsy back door unlocked with the key hidden under the mat.

That’s why, before you enable passkeys for any online service, we strongly recommend changing your password as well. Since you won’t be typing this password every day — it’s just a backup for your passkey-protected account — you can really go wild with its complexity. We’re talking strong passwords that are 16 characters or longer, and mixing up letters, numbers, and special characters. These are practically uncrackable. Ideally, generate and save that robust password in the same password manager where you’re planning to store your passkeys. Don’t rely on AI models to generate complex passwords. Our recent research revealed that while these passwords might look complex, LLMs tend to favor certain characters for no obvious reason when creating passwords, which makes their output surprisingly predictable.

Passkey drawbacks?

The underlying WebAuthn standard that powers passkeys can be implemented quite differently across browsers and operating systems. Websites often adopt these capabilities in their own unique ways. This can lead to frustrating challenges — even for tech-savvy users. Here are a few examples of this:

• When creating passkeys, standard Windows prompts give you plenty of options for where and how to save them. By default, Windows saves passkeys in secure local storage on your computer. If you forget to select your password manager as the save location, that passkey won’t be available on your other devices.
• Many online services like Kayak or AliExpress have dozens of regional versions, with each one being a separate website: .com, .com.tr, .co.uk, etc. If you create a passkey for, say, your local site, and then for some reason try to access the same online service in a different region, it’s highly likely you won’t be able to sign in with that passkey.
• Some websites don’t support creating or signing in with passkeys when using Firefox, regardless of the platform. In reality, there’s no technical incompatibility here, and simple tricks can resolve the issue, but it’s unclear why users should have to resort to these workarounds.
• Some Apple users have reported that all their previously saved passkeys periodically disappear from their Keychain, while certain Android users can’t activate passkeys without re-flashing or factory-resetting their devices.

Any one of these situations is made worse by the fact that errors when creating or signing in with passkeys are either not mentioned at all in help documentation, or described very vaguely. It’s often completely unclear how to fix the problem. However, when passkey issues arise, websites almost always offer a backup option, such as sending a one-time access code to your email.

Despite these challenges, a passwordless future with passkeys is on the horizon. We recommend getting ready now by creating passkeys wherever possible, saving them in your password manager, and remembering to check and update your passwords and contact information on websites to make sure you can recover access if your passkeys ever give you trouble.

Want to read more about passwords and passkeys?

• 16 billion passwords leaked: what should I do?
• Lessons learned from the trojanized KeePass incident
• Kaspersky Password Manager gets a new look
• Passkeys for your Google account: what, where, how, and why
• Password standards: 2024 requirements

Kaspersky official blog – ​Read More

Digitalization of business – especially in the small and medium-sized segment – allows for quick upscaling, better customer service, and entry into new markets. On the downside, digitalization amplifies the damage caused by a cyberattack, and complicates the recovery process. Given that company resources are always limited, which attacks should be deflected first?

To answer this question, we studied the INTERPOL Africa Cyberthreat Assessment Report 2025. The document is useful because it collates police cybercrime statistics and data from information security companies – including Kaspersky – allowing us to compare the number and types of attacks with the actual damage they caused. This data can be used to build a company’s information security strategy.

Average ranking of cybercrime types by reported financial impact across African subregions, based on INTERPOL member country data. Source

Targeted online fraud

Fraudulent operations were the clear leader in terms of damage caused across the continent. They’re gaining momentum in line with the rising popularity of mobile banking, digital commerce, and social media. In addition to mass phishing aimed at personal and payment data theft, targeted attacks are growing at a rapid rate. Scammers are grooming potential victims in messenger apps for months, building trust and guiding them into a money extortion scheme – for example, a fake cryptocurrency investment. Such schemes often exploit romantic relationships and are therefore called romance scams, but there are other variations. In Nigeria and Ivory Coast, for example, scammers were arrested for attacking small media platforms and advertising agencies. Posing as advertisers, they stole almost 1.5 million U.S. dollars from victims.

The fact that 93% of Africans use plain old WhatsApp rather than corporate communication tools for work significantly boosts the success rate of attacks on employees and company owners.

Ransomware incidents

Press headlines may give the impression that ransomware operators mainly target large organizations, but the statistics in the report debunk this theory – showing that both the number of attacks and the actual financial damage caused are significant across all business segments. What’s more, there’s a direct link between the level of digitalization and the number of attacks. So, if a company observes an overall increase in “digitized” business activity in its market segment, the threat level is sure to rise accordingly. In Africa, “affiliates” of the largest and most dangerous ransomware-as-a-service platforms – such as LockBit and Hunters International – are responsible for major incidents on a national scale.

Among the main ransomware incidents in Africa – hardly known about outside the continent – we highlight the following: the theft of $7 million from Nigerian fintech company Flutterwave; attacks on Cameroonian electricity supplier ENEO; a large-scale ransomware attack to exfiltrate data from Telecom Namibia; and the targeting of South Africa’s National Health Laboratory Service (NHLS), which led to canceled operations and the loss of millions of lab test results.

Banking Trojans and infostealers

Although the direct losses from banking Trojans and infostealers fell outside the top-three in terms of damage, it’s the “successes” of this criminal industry that have a direct impact on the number and severity of other attacks – primarily ransomware and business email compromise (BEC). After stealing what credentials they can from thousands of users with infostealers, attackers filter and group them by various criteria, then sell curated sets of accounts on the illicit market. This allows other criminals to buy passwords to infiltrate organizations of interest to them.

Business email compromise

For small and medium businesses mainly using public services like Gmail or Office 365, infection with an infostealer gives attackers full access to corporate correspondence and business operations. The attackers can then exploit this to trick customers and counterparties into paying for goods and services to a fraudulent account. BEC attacks have a firm hold at the top of the damage charts, and small businesses can fall victim to them in two ways. First, cybercriminals can extract money from larger clients or partners by impersonating the compromised small business. Second, it’s easier with a small business to persuade the owner or accountant to transfer money than it is with a large organization.

There are several large criminal syndicates based in Africa that are responsible for international BEC operations causing multi-billion-dollar damage. Their targets also include African organizations — primarily those in the financial and international trade sectors.

How to protect business from cyberthreats

To effectively counter digital threats, law enforcement agencies need to share data with commercial information security companies that harness telemetry to identify threat distribution hotspots. Recent successes of such partnerships include operations Serengeti (1000 arrests, 134 000 malicious online resources disabled), Red Card (300 arrests), and Secure (32 arrests, 20 000 malicious resources disabled). These operations, conducted under the auspices of INTERPOL, used cyberthreat intelligence received from partners – including Kaspersky.

But businesses can’t leave cybersecurity solely to the police; they need to implement simple but effective security measures of their own:

• Enable phishing-resistant multi-factor authentication (MFA) for all online accounts: Google, Microsoft, WhatsApp, etc.
• Install reliable anti-malware protection on all corporate and personal devices. For corporate devices, centralized security management is recommended – as implemented, for example, in Kaspersky Endpoint Detection and Response.
• Hold regular cybersecurity training – for example, using our Kaspersky Automated Security Awareness platform. This will reduce the risk of your company falling victim to BEC and phishing. All employees, including management, should participate in training regularly.
• Back up all company data on a regular basis and in such a way that the backups can’t be destroyed during an attack. This means backing up data either to media that are physically disconnected from the network, or to cloud storage where a policy prohibits data deletion.

Kaspersky official blog – ​Read More