TL;DR: CISA reported that 84% of employees interacted with a phishing email, while the National Cybersecurity Strategy omitted phishing entirely despite naming ransomware 32 times, highlighting a gap between threat reality and policy emphasis. Phishing-resistant authentication and certificate-based controls matter because identity programmes still fail when they treat all MFA as equivalent.
NHIMG editorial — based on content published by Axiad: Fresh Take: A Brief Reflection on the National Cybersecurity Strategy
By the numbers:
- CISA said 84% of employees interacted with a phishing email, underscoring the scale of social engineering exposure.
- The National Cybersecurity Strategy mentioned ransomware 32 times in its 39-page document.
Questions worth separating out
Q: How should security teams implement phishing-resistant authentication in enterprise access?
A: Start with privileged users, high-value applications, and remote access paths where phishing has the highest impact.
Q: Why do common MFA methods still leave organisations exposed to phishing?
A: SMS, OTP, and push factors can be intercepted, relayed, or socially engineered in real time.
Q: How do you know if phishing-resistant authentication is actually reducing risk?
A: Look for lower rates of successful account takeover, fewer help-desk resets tied to login compromise, and reduced reliance on replayable factors for privileged access.
Practitioner guidance
- Prioritise phishing-resistant authentication for high-risk users: move privileged admins, finance users, remote workers, and sensitive SaaS owners to FIDO, Windows Hello for Business, or certificate-based authentication before expanding to the rest of the workforce.
- Audit where MFA still allows replayable factors: inventory SMS, OTP, and push-based methods across critical applications, then classify each as acceptable only where the business impact of account takeover is low.
- Tie certificate trust to lifecycle controls: define enrolment, renewal, revocation, and offboarding workflows so that certificate validity follows identity status instead of lingering after access should end.
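The lifecycle point above is checkable: join the CA's certificate inventory to directory status and flag every still-valid certificate whose owner is disabled, unknown, or due for renewal. The following is an added example, not code from Axiad or NHIMG, and its data and field names (subject, status, revoked) are constructed stand-ins for a real CA export and directory query.

```python
"""Audit whether certificate validity still follows identity status.
Added example (not Axiad's or NHIMG's code) over constructed inventories."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Cert:
    serial: str
    subject: str         # directory identity the cert was enrolled for
    not_after: datetime  # expiry taken from the certificate
    revoked: bool        # listed on the CA's CRL / OCSP responder

@dataclass
class Identity:
    user: str
    status: str          # "active" or "disabled" in the directory

def audit(certs, identities, now, renew_within=timedelta(days=30)):
    """Return {serial: reason} for each still-valid cert needing lifecycle action."""
    by_user = {i.user: i for i in identities}
    findings = {}
    for c in certs:
        if c.revoked or c.not_after <= now:
            continue  # already out of the trust path, nothing to do
        ident = by_user.get(c.subject)
        if ident is None:
            findings[c.serial] = "orphaned: no identity record, revoke"
        elif ident.status != "active":
            findings[c.serial] = "lingering: identity disabled, revoke"
        elif c.not_after - now <= renew_within:
            findings[c.serial] = "expiring: schedule renewal"
    return findings

# Constructed sample data: one healthy cert plus each failure mode.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
CERTS = [
    Cert("01", "alice", NOW + timedelta(days=365), False),      # healthy
    Cert("02", "bob", NOW + timedelta(days=200), False),        # owner offboarded
    Cert("03", "carol", NOW + timedelta(days=20), False),       # renewal due
    Cert("04", "dave", NOW - timedelta(days=1), False),         # expired, skip
    Cert("05", "erin", NOW + timedelta(days=90), True),         # revoked, skip
    Cert("06", "svc-build", NOW + timedelta(days=500), False),  # no owner
]
IDENTITIES = [Identity("alice", "active"), Identity("carol", "active"),
              Identity("dave", "active"), Identity("bob", "disabled"),
              Identity("erin", "disabled")]

def run_sample():
    """Run the audit over the constructed data; returns three findings."""
    return audit(CERTS, IDENTITIES, NOW)
```

Serials 02, 03 and 06 come back flagged; the expired and revoked certificates are skipped because they no longer validate, which is exactly the state the offboarding workflow should have produced for 02 already.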
What's in the full article
Axiad's full blog post covers the operational detail this post intentionally leaves for the source:
- The article explains how certificate-based authentication works through asymmetric cryptography and chain-of-trust validation.
- It outlines how phishing-resistant methods support Zero Trust architecture in practical deployment terms.
- It contrasts SMS, OTP, push, FIDO, Windows Hello for Business, and certificate-based approaches in the authentication stack.
- It frames the role of contemporary authentication in hybrid work environments and federal zero-trust mandates.
Read Axiad's reflection on phishing resistance and certificate-based authentication.
Phishing resistance in zero trust: are your controls keeping up?
Explore further
Phishing resistance is now an identity governance requirement, not an authentication preference. The article reflects a recurring reality: attackers routinely exploit the weakest factor in the login chain rather than break stronger cryptography. That means authentication choice directly affects identity risk, zero-trust credibility, and downstream incident containment. Practitioners should treat phishing-resistant access as part of identity governance, not as an optional security enhancement.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, and 77% of those incidents resulted in tangible damage, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable when phishing succeeds despite zero-trust controls?
A: Accountability usually spans identity, endpoint, and application teams because zero trust depends on trustworthy authentication as well as policy enforcement. If the login factor is phishable, continuous verification cannot fully compensate. Governance teams should define ownership for authentication strength, certificate lifecycle, and exception handling so gaps do not linger between teams.
Read our full editorial: Phishing resistance and certificate-based authentication in zero trust.