For decades, organizations have used passwords to authenticate users before they access services hosted on the company network. Today, though, companies rely much less on the internal network and much more on services hosted on the internet, such as Office 365, G Suite, Zoom, Salesforce and more.
These services are hosted in the cloud, enabling employees to access them from anywhere, on any device, as long as they have the right credentials. While this way of working is excellent for productivity and collaboration, it presents a host of security issues, since we know that most employees have poor “password hygiene” practices.
In recent years, cyber attackers have used stolen, phished, or easy-to-guess passwords to break into these services and exploit organizations, launch ransomware attacks, or steal sensitive information. As ransom payments have ballooned, so too has the frequency of these attacks. Attackers have figured out that small and medium businesses are easier to penetrate and less likely to have protections in place that would let them recover without paying a ransom, making them ideal targets for these kinds of attacks.
Why Passwords Aren’t Enough Anymore
Data breaches are an unfortunate fact of life today for individuals and businesses alike. Every week, it seems, more people’s information becomes embroiled in a cyber-attack or mass data leak. Each time this happens, more sensitive information ends up on the dark web, where attackers can purchase it and use it as the basis for password-based attacks. In fact, research indicates that passwords are the root cause of over 80% of breaches. One reason a stolen password works so well is that many people re-use the same password across multiple sites and services, essentially making it a “master key” for that person’s online life.
If your organization relies only on passwords for authentication, you are an easy target. Breaking into your company is all too easy; all an attacker needs is one leaked or easy-to-guess password. This is why passwords aren’t enough anymore. You need an additional method of authentication: multi-factor authentication.
What is Multi-Factor Authentication?
Multi-factor authentication (MFA) is a verification mechanism that requires users to prove their identity in at least two ways. Typically, the password is the first form of verification, but it must be accompanied by a second factor, such as:
- A one-time PIN sent to the user by text message
- A hardware security token the user plugs into their device, such as a USB key
- Biometric information, like a fingerprint
- Verification via a separate app on their mobile phone
MFA should not be required every time a user logs on to a cloud service, as this would quickly become frustrating and dampen the user experience. You can usually configure the mechanism to register devices and “trust” them, so the extra factor is not required on every login. Instead, the additional verification is only required when a new device is used, or when a set amount of time has passed and the device must be re-certified.
We recommend you implement MFA for high-risk activities such as transferring money, logging in from a new device, changing passwords or account details, or accessing or attempting to download highly sensitive information.
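The trusted-device and step-up behaviour described above can be expressed as a small policy engine. The following is an added example written for this article, not code from the original post or from any particular MFA product; the trust lifetime of 30 days, the list of high-risk actions, and the HMAC-hashed device-token registry are assumptions chosen to illustrate the design. It decides whether to prompt for the second factor, re-certifies a device after a successful MFA check, and revokes all of a user's trusted devices (the hook an offboarding process would call).

```python
"""Step-up MFA decision policy with a trusted-device registry (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
import secrets

# Assumption: a device must re-certify with MFA after 30 days of trust.
TRUST_LIFETIME = timedelta(days=30)

# Assumption: actions that always require the second factor, per the guidance above.
HIGH_RISK_ACTIONS = {
    "transfer_funds",
    "change_password",
    "update_account_details",
    "download_sensitive",
}


@dataclass
class TrustedDevice:
    """Server-side record for one registered device."""
    user: str
    registered_at: datetime
    last_verified_at: datetime


class MfaPolicy:
    def __init__(self, trust_lifetime=TRUST_LIFETIME, secret=None):
        # Device tokens are stored only as keyed hashes, so a leaked registry
        # cannot be replayed as a bearer token.
        self._secret = secret or secrets.token_bytes(32)
        self._devices = {}  # token hash -> TrustedDevice
        self.trust_lifetime = trust_lifetime

    def _hash(self, token):
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def register_device(self, user, now):
        """Call after a successful MFA check on a new device; returns the
        opaque token the client keeps (e.g. in an HttpOnly cookie)."""
        token = secrets.token_urlsafe(32)
        self._devices[self._hash(token)] = TrustedDevice(user, now, now)
        return token

    def requires_mfa(self, user, device_token, action, now):
        """Return (prompt_required, reason) for this login attempt."""
        if action in HIGH_RISK_ACTIONS:
            return True, "high-risk action"
        if device_token is None:
            return True, "no device token"
        record = self._devices.get(self._hash(device_token))
        # A token bound to a different user is treated as an unknown device.
        if record is None or record.user != user:
            return True, "unknown device"
        if now - record.last_verified_at > self.trust_lifetime:
            return True, "device trust expired"
        return False, "trusted device"

    def record_mfa_success(self, device_token, now):
        """Re-certify an existing device after the user passes MFA again."""
        record = self._devices.get(self._hash(device_token))
        if record is not None:
            record.last_verified_at = now

    def revoke_user_devices(self, user):
        """Offboarding hook: forget every device trusted for this user."""
        stale = [h for h, rec in self._devices.items() if rec.user == user]
        for h in stale:
            del self._devices[h]
        return len(stale)


if __name__ == "__main__":
    policy = MfaPolicy()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print(policy.requires_mfa("alice", None, "read_mail", t0))
    token = policy.register_device("alice", t0)
    print(policy.requires_mfa("alice", token, "read_mail", t0 + timedelta(days=1)))
    print(policy.requires_mfa("alice", token, "transfer_funds", t0 + timedelta(days=1)))
    print(policy.requires_mfa("alice", token, "read_mail", t0 + timedelta(days=31)))
```

The decision order matters: high-risk actions are checked before device trust, so a trusted device never bypasses step-up for a money transfer or password change, and the trust clock resets only on a verified MFA success, never on an ordinary login.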
Best Practices for MFA
If you’ve traditionally relied on passwords alone to grant your users access to corporate resources, MFA will certainly be a big change. Here are some things to bear in mind to ensure a smooth transition.
Take a Holistic Approach
You should implement MFA across all user accounts and services, including cloud, VPN and on-premises applications. Taking a holistic approach, so that all of your company’s digital assets are secured in a consistent manner, is the best way to improve your security posture.
Provide A Variety Of Authentication Mechanisms
Security must be carefully balanced with the user experience. Otherwise, your users could become irritated, which isn’t good for workplace culture. So, make sure you consider a variety of authentication methods that suit your different users. We can help you to choose and deploy an MFA solution that supports your business and users alike.
Use the Principle of Least Privilege
MFA, by itself, isn’t the be-all and end-all of security. You need to take a multi-layered approach. Most importantly, MFA should be deployed in conjunction with the principle of least privilege, which means segregating user roles on a need-to-know basis. For example, an intern at your company won’t need the same access rights as an IT administrator. Putting appropriate access privileges in place reduces the risk associated with a compromised account.
Review and Update
Companies are constantly in a state of flux; tools change and people come and go. Because of this, you must treat MFA as an ongoing initiative rather than a one-off project. As you onboard new employees and offboard existing ones, you’ll need to stay on top of access permissions and ensure that older accounts are properly decommissioned.
Support Your Employees
While implementing MFA shouldn’t disturb the workflow too much, it’s still important to help your employees adapt to the change. We recommend alerting your employees to MFA implementation prior to deployment, so they have an idea of what to expect. You can then provide your users with training, so they feel supported and confident.
We’ll Help You Deploy and Manage MFA In Your Organization!
Passwords are on their way out, and MFA is undoubtedly the future of authentication in the workplace and beyond. Don’t fall behind. Keep ahead of attackers and improve your security posture by adopting MFA today. We’ll help you choose the best solutions for your needs and budget, and will manage the rollout for you. Contact us today to learn more.