Memo to our Customers - Tightening Your Cybersecurity Posture

The BIO-key team is committed to building Identity and Access Management (IAM) products with robust security features to keep you, your organization, and your customers safe. As your trusted security partner, we have an opportunity to assist you in strengthening your cyber defenses and addressing any concerns that you may have. In light of recent events and cyberattacks, we are sending out a note to all of you, our valued customers, to highlight recommendations for improving your security posture, as well as precautions we continue to take around our products and services delivery.

First, we believe that our customers should act on recent guidance from the Biden Administration and the Cybersecurity and Infrastructure Security Agency (CISA), urging companies to make sure their digital doors are locked tight because of "evolving intelligence" that Russia is considering launching cyberattacks against U.S. targets as the war in Ukraine continues. CISA has urged companies to back up their data, turn on multi- factor authentication (MFA), and take other steps to improve cyber hygiene. We encourage our customers to stay current on the latest updates - CISA has launched a "Shields Up" campaign with up-to-the-minute information to assist cybersecurity-related communications.

Second, we encourage all customers to add Identity-Bound Biometric (IBB) authentication to their MFA strategies. Concerning recent breaches, traditional multi-factor authentication methods have shown significant vulnerability because they rely entirely on identifying something the user knows or has, such as a password or device, making them easily susceptible to account takeovers, credential sharing, and other common cyberattacks. These authentication methods have failed to provide businesses with the appropriate security to keep them safe and usability to be able to implement MFA across all accounts effectively. IBB is the only authentication method that verifies the user, using something they are, such as their fingerprint or palm scan, during the authentication process. IBB offers businesses the highest levels of integrity, accuracy, security, and availability - and are NIST tested, compliant-by-design, and flexible for all types of users. We've included additional recommendations we would make for improving your cybersecurity below.

Finally, we continue to strengthen our cybersecurity defenses, and our actions to do so are driven by a shared system of corporate values and a common willingness to provide the best possible product and services. We value our business relationship with our customers and welcome the opportunity to share our subject matter expertise.

Here are a few active or recent initiatives with a focus on aspects specific to our PortalGuard IDaaS platform:

Internally staffed support team – BIO-key does not outsource any production environment customer support functions. There is strong evidence that recent breaches happened because vendors outsourced their customer support to third-party companies. Allegedly, hackers obtained users' credentials through those third parties and used these credentials to compromise customer accounts and data.

As part of becoming a full Amazon ISV partner, we have engaged with AWS subject matter experts as part of their Foundational Technical Review. This process has helped guide and validate our use of innumerable best practices, including but not limited to:

• • Multi-factor authentication for all accounts
  • Credential rotation
  • Least privilege access
  • Full data encryption at rest and in transit
  • Namespace isolation
    
    
• Constantly maintain a "hot" disaster recovery cluster for rapid shifting of customer workloads to a different AWS region should the need arise.
• Continue to improve and formalize our internal change management procedures and
• Regular use of a best-in-breed static code analysis engine to detect potential vulnerabilities early on during build/compilation.
• Leverage 3rd party software and contract services to perform periodic manual penetration tests in our environments.
• Formalize processes and streamline architecture to test and update software versions rapidly without increasing risk.
• Hire and retain top talent based on their ability, willingness, and fit for the role regardless of their location, ethnicity, or background.
• Require professional development for technical employees during the business day to ensure they stay current with best practices and subsidize their efforts to achieve industry-standard certifications.
• Promote a culture of blameless error resolution to empower all levels of the organization and ensure issues are quickly identified and addressed.

BIO-key Recommendations to Customers

• Identity-Bound Biometrics (IBB) should be part of your Multi-factor Authentication (MFA) -- MFA is now a minimum requirement for all users to secure business applications and data. For businesses that desire best-of-breed authentication security, our Identity-Bound Biometrics (IBB) are the only approach to verify the person completing an action blocking common cyberattacks such as credential handover or sharing during the authentication process. Many of you have IBB as part of the BIO-key PortalGuard platform you are using today. Please get in touch with us today about how you can enable this authentication method for your business.
  
  
• Migrate to an enterprise-grade cloud IAM solution - If your IT department does not have the proper expertise or resources to implement industry-standard security best practices, we strongly encourage our customers to evaluate migration to PortalGuard IDaaS. The IDaaS cloud infrastructure provides a highly secure, scalable, redundant architecture built for high availability and supported by our subject matter experts, allowing customers to avoid service interruptions related to local power/internet loss.
  
  
• Develop or improve your security plan -- It is paramount to have a well-devised plan that covers the organization's cyber-risk management strategy and addresses how it can recover quickly if an incident occurs. Such a plan needs to include the identification of possible risks and areas that need protection; it should define roles that personnel will have in response to different security events, as well as checklists of actions that need to be made periodically and/or that should not be allowed.
  
  
• Check and revise information security policies and procedures -- Ensure the policies and procedures support current business practices and expectations. Having updated policies and a well-established set of procedures can address the security and compliance needs of the organization by guiding staff in how they can protect and control the information systems. Cybersecurity-enforced policies and directives need to be clearly conveyed to all staff so that they can understand why things are done in a certain way and the importance of not deviating from the established procedures.
  
  
• Raise employee cybersecurity awareness -- Organizations of all sizes and industries are vulnerable to cyber threats; therefore, safeguarding information assets from phishing and ransomware will require users' awareness of these threats and the ability of the user community to mitigate the risks.

In summary, the BIO-key team stands ready to assist our customers with improving their security posture and provide them with advanced security solutions to address the latest cyber threats. We value our partnership and are always seeking opportunities to expand on the security benefits and expertise we bring to each of you. You can count on us to support you and your organization to the best of our ability. In the meantime, let us know if you are interested in learning more about IBB, PortalGuard IDaaS, or any other BIO- key solutions.