The reality is that employees do fall for phishing scams and they do share passwords, and if you’re not using multi-factor authentication (MFA), your organization is wide open to attacks.
One of the biggest security threats today is the risk of compromised credentials, and the reason is simple. Once a cybercriminal gets hold of a set of corporate credentials, they are logging in with stolen but legitimate login details. From that point on, your security tools treat the person logging in as the person the credentials belong to: none of them flag anything unusual, which makes these attacks very hard to detect.
Despite knowing the risk, a huge number of organizations still go about password security the wrong way.
Our survey from a few years ago revealed that only 38% of organizations use MFA. Unfortunately, more recent research suggests that things haven’t changed much today.
What are the reasons organizations are hesitant to adopt MFA?
MFA is only beneficial for companies of a certain size
This is 100% wrong! Any company, regardless of size, should adopt an MFA solution as part of its security strategy. The data small and medium-sized businesses (SMBs) want to protect is no less sensitive, and a breach is no less disruptive. MFA is not necessarily complex, costly or frustrating!
MFA should be used only to protect privileged users
Still wrong. The vast majority of organizations consider most of their employees as not having access to critical information, so they rely only on local Windows credentials. They don’t see the point of using MFA; it seems a bit too much. The thing is, those “non-privileged” employees still have access to a large amount of data that can actually harm the company. Let’s illustrate with an example: a nurse sells a celebrity patient’s data to a newspaper. This example shows the value of the data and the harm that can be done if it’s used inappropriately.
Furthermore, it’s very rare for a hacker to start with a privileged account. Most cyber attackers leverage any account that will fall victim to a phishing scam. Then, they move laterally within the network until they find valuable data to exfiltrate.
MFA is not flawless
This is true. Actually, no security solution is flawless, but MFA is pretty close. The FBI published a warning last month about events where attackers were able to bypass MFA. The two main authenticator vulnerabilities are ‘Channel Jacking’, which involves taking over the communication channel used for the authenticator, and ‘Real-Time Phishing’, which involves using a machine-in-the-middle to intercept and replay authentication messages. Experts agree that such attacks require considerable cost and effort. Most attackers who encounter MFA will simply move on to their next target rather than try to bypass this measure. You can also take simple precautions to avoid certain vulnerabilities. To start with, you can choose MFA authenticators that do not rely on SMS authentication. (The National Institute of Standards and Technology (NIST) discourages SMS and voice in its latest Digital Identity Guidelines.)
Despite the recent events and its warning, the FBI confirms that multi-factor authentication is one of the easiest steps to improve an organization’s security and that it’s still effective.
That is not necessarily true. As with any new technology, the challenge is to interfere as little as possible with employees’ productivity. If it’s too disruptive, employees won’t tolerate it, and adoption will be slowed down, if not stopped abruptly.
For this reason, any MFA solution needs flexibility. Users don’t need to be prompted for MFA every time they log in. Contextual controls can be a great way to improve identity assurance: they use information about the login environment (the network, the device, the location and the time of the attempt) to check that whoever is trying to log in is actually who they say they are, without disrupting users who present no risk signals.
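The following is an added illustration of the contextual-control idea described above; it is example code, not the original post’s or any vendor’s product. It scores each login attempt against signals the post mentions (network, device, location, time) and decides whether to let it through, require an MFA prompt, or deny it. The corporate network ranges, work hours, score thresholds and the three sample login events are all assumptions constructed for the example.

```python
"""Contextual (risk-based) MFA policy: prompt only when the login context looks risky.

Added example; all signals, thresholds and sample events are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Assumed corporate address space (RFC 1918 range plus a documentation prefix).
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
WORK_HOURS = range(7, 20)      # assumed: 07:00 to 19:59 counts as normal working time
MAX_FAILED_ATTEMPTS = 5        # assumed: this many recent failures looks like guessing
MFA_THRESHOLD = 2              # assumed: score at or above this prompts for MFA
DENY_THRESHOLD = 8             # assumed: score at or above this blocks the attempt


@dataclass
class LoginContext:
    """Signals collected about one login attempt (all constructed for the example)."""
    user: str
    source_ip: str
    device_id: str
    country: str
    timestamp: datetime
    recent_failures: int = 0


@dataclass
class UserProfile:
    """What the identity system already knows about the user's normal behaviour."""
    known_devices: Set[str]
    usual_countries: Set[str]
    last_country: Optional[str] = None
    last_login: Optional[datetime] = None


def risk_score(ctx: LoginContext, profile: UserProfile) -> Tuple[int, List[str]]:
    """Sum weighted risk signals and report which ones fired."""
    score, reasons = 0, []
    if not any(ip_address(ctx.source_ip) in net for net in CORPORATE_NETWORKS):
        score += 2
        reasons.append("external network")
    if ctx.device_id not in profile.known_devices:
        score += 3
        reasons.append("unknown device")
    if ctx.country not in profile.usual_countries:
        score += 3
        reasons.append("unusual country")
    if ctx.timestamp.hour not in WORK_HOURS:
        score += 1
        reasons.append("outside work hours")
    # "Impossible travel": a different country than the previous login, too soon after it.
    if profile.last_login and profile.last_country and profile.last_country != ctx.country:
        elapsed = ctx.timestamp - profile.last_login
        if elapsed < timedelta(hours=2):
            score += 5
            reasons.append("impossible travel")
    if ctx.recent_failures >= MAX_FAILED_ATTEMPTS:
        score += 5
        reasons.append("repeated failures")
    return score, reasons


def decide(ctx: LoginContext, profile: UserProfile) -> Tuple[str, List[str]]:
    """Map the risk score to one of: allow, mfa_required, deny."""
    score, reasons = risk_score(ctx, profile)
    if score >= DENY_THRESHOLD:
        return "deny", reasons
    if score >= MFA_THRESHOLD:
        return "mfa_required", reasons
    return "allow", reasons


def demo() -> List[Tuple[str, List[str]]]:
    """Run three constructed login events for one user and return the decisions."""
    nine_am = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    alice = UserProfile(known_devices={"laptop-01"}, usual_countries={"FR"},
                        last_country="FR", last_login=nine_am - timedelta(hours=1))
    events = [
        # 1. Known laptop, corporate network, usual country, working hours: no prompt.
        LoginContext("alice", "10.1.2.3", "laptop-01", "FR", nine_am),
        # 2. Same laptop but from a home/coffee-shop network: step up to MFA.
        LoginContext("alice", "198.51.100.7", "laptop-01", "FR", nine_am),
        # 3. Unknown device, other country, at night, one hour after a login from FR: deny.
        LoginContext("alice", "198.51.100.7", "phone-x", "US",
                     nine_am.replace(hour=3)),
    ]
    return [decide(event, alice) for event in events]


if __name__ == "__main__":
    for verdict, why in demo():
        print(verdict, why)
```

The weights are the point to tune in practice: a single weak signal (such as logging in late from the office laptop) should not trigger a prompt, while the combination of an unknown device, an unusual country and an implausible travel time should never be satisfied by a password alone.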
Compromised passwords happen to everyone, whether you are a privileged or a non-privileged user. Any company, regardless of size, should be using MFA as part of its security strategy, as it can be one of the easiest ways to secure accounts.