How should enterprises mitigate the risk of keyloggers?
A threat as old as electric typewriters, keylogging is still a thriving cybersecurity nuisance. The premise is simple but highly effective: a keylogger monitors and records keystrokes on a keyboard or smartphone. In doing so, a malicious actor can steal the credentials necessary to obtain your organisation's sensitive information. The keylogger then sends the captured data back to a third party, who sells it on or uses it themselves for profit.

Keylogging itself is a double-edged sword. On the one hand, it can be a goldmine for cyberattackers. On the other, keylogging can be a useful tool for organisations that want to enhance user experience or simply monitor their employees. Whether or not you agree with this type of surveillance (it's a bit of an ethical minefield), the threat is still very real. Hence, organisations must ensure they have the right measures in place so as not to give away their sensitive data.

Making matters worse, keylogging manifests in a range of techniques, either as malicious software or as a hardware device. As a software-based threat, keyloggers arrive through infected links and entrench themselves in the background, logging your keystrokes unbeknownst to you. Hardware keyloggers are little devices plugged in between the computer and the keyboard. However (and you're probably already thinking it), this hardware is visible, so it can be identified fairly easily. Not only that, but the attacker would need physical access to the premises (and a very stealthy demeanour). In fact, hardware-based keylogging applies more to business use cases, such as the employee monitoring mentioned above. Alternatively, parents may wish to use them to keep tabs on their children's online activity.

Either way, there is no all-encompassing, one-size-fits-all solution per se. However, there are ways to radically improve your chances against keylogging that all organisations should be exercising.
Quashing the keylogging threat
Firstly, you should make use of password managers. Many people, within an organisation or otherwise, use one anyway, but they are a valuable tool against keylogging. In particular, password managers eliminate the need to type your password, instead using autofill to log users in. FYI, this is not the same as the 'Remember me' function on websites, which is not secure enough; instead, you need a third-party app to see you through.

Of course, you will also need an antivirus program to fight against any downloadable files or malicious links where the keylogging threat is nesting. Today, most antivirus tools can protect you against basic keylogging software, but it's important to be mindful that this is not a guarantee. Antivirus cannot necessarily combat keylogging threat types that are new to it, but it makes for a very good start.

Another method (which we say all the time, and we will say it again) is education, education, education. At enterprise level, it is crucial that you run workshops and educate your staff about the phishing attacks that land in their inbox. This way, you reduce the risk of them clicking on a malicious link or downloading a file harbouring the keylogging threat. Furthermore, you should encourage everybody to use password managers, inside and outside the office, to build better cybersecurity habits and keep your organisation above threat waters.
Want to know more about cybersecurity? Why not check out this opinion piece by John Gilbert at Yubico about the password problem?