Implementing Multi-Factor Authentication to Improve Your Organization’s Cybersecurity Posture
Businesses are at an ever-increasing risk of falling victim to a cyberattack. Theft of user credentials is now an ever-growing risk vector, with poor login security putting all companies at risk of a breach and non-compliance. Let’s unpack the threat landscape.
According to a recent report issued by Forbes magazine, cybercriminals have more than 15 billion stolen logins circulating around the dark web, obtained from over 100,000 documented security breaches. Cybercriminals will purchase and use these stolen credentials to infiltrate business networks.
In addition to purchasing credentials, cybercriminals use a variety of other social engineering techniques to gain a foothold into a business including:
- Phishing – a user is tricked into disclosing their credentials
- Spear phishing – a small group of users is targeted with well-crafted believable messages featuring a call to action which gets users to disclose their login information
- Brute force attacks – an attacker uses a program to generate possible username/password combinations and attempts to access business systems with them
Once they establish a foothold inside the network, cybercriminals can further compromise the business by gaining access to other critical assets through privilege escalation and lateral movement. Once inside they can achieve their ultimate goal of data manipulation – reading, encrypting, modifying, and exfiltrating sensitive information. This can have a devastating impact upon the business. A recent report released from Cybercrime Magazine found over 60% of small to medium businesses who have fallen victim to a successful cyberattack end up shutting their doors within six months.
Companies are recognizing these risks and are starting to act accordingly.
One of the best ways to protect businesses from the fallout of compromised credentials is to enable Multi-Factor Authentication (MFA) on all user accounts. With MFA enabled, whenever a user attempts to log into a managed business application (ex. corporate email) or company site, they are prompted for a second form of authentication to prove they are who they say they are.
This form of secondary authentication can be one of the following methods:
- An SMS text message sent to the user’s mobile phone
- A phone call
- A rotating PIN code or push notification to an authentication application on the user’s mobile phone
By adding this requirement, security is increased as this additional form of authentication is not something which is easy for a cybercriminal to obtain or duplicate. Even if one’s identity has been previously compromised, this additional layer of protection will help prevent the attack from successfully using the stolen credentials.
According to a recent article in ZDNet, Microsoft and Google say using MFA for user accounts will eliminate 99.9% of account breaches.
More than 55% of enterprises use MFA to protect their users’ accounts. SMB adoption is trailing the enterprise, but not by much.
MFA can be very easy for end-users as long as the appropriate level of training and adoption processes are undertaken before and during the rollout period. However, some businesses remain wary of deploying MFA across the entire organization, as one of the biggest objections is the perception of it being an inconvenience to the users – whether due to the frequency of MFA prompts or any hindrance to working remotely. These issues can be addressed as they arise. For example, the frequency of prompts for the second form of authentication can be limited so the focus is on truly high-risk sign-in attempts.
Enabling MFA is one of the best steps a business can take to protect its critical data and network access from compromised accounts and increase its overall cybersecurity posture. If your company has not implemented this security control, it’s time to start.