For decades, organizations have used passwords to authenticate users before they access services hosted on the company network. Today, though, companies rely much less on the internal network and much more on internet-hosted services such as Office 365, G Suite, Zoom and Salesforce. These web-based services bring new opportunities, and new threats, for password security.
These services are hosted in the cloud, so employees can access them from anywhere, on any device, as long as they have the right credentials. While this way of working is excellent for productivity and collaboration, it presents a host of security issues: many employees have poor “password hygiene”, which makes them a prime target for cybercriminals trying to gain access to your data.
In recent years, cyber attackers have used stolen, phished, or easy-to-guess passwords to break into these services and to exploit organizations, launch ransomware attacks, or steal sensitive information. The ransom payments demanded by attackers have increased dramatically, and so too has the frequency of these attacks.
Hackers have figured out that small and medium businesses are easier to penetrate and less likely to have protections in place to allow them to recover without paying a ransom, making them ideal targets for these kinds of attacks.
Why passwords aren’t enough anymore
Data breaches are an unfortunate fact of life today for individuals and businesses alike. Every week, it seems, more people’s information becomes embroiled in a cyber-attack or mass data leak. Gradually, more sensitive information ends up on the dark web, where hackers can purchase it and use it as the basis for password-based attacks.
In fact, research indicates that password compromise is the root cause of over 80% of breaches. One reason stealing passwords works so well is that many people reuse the same password across multiple sites and services, essentially making it a “master key” for an individual’s online life.
If your organization only relies on passwords for authentication, then you could be an easy target for hackers. Breaking into your company is all too easy; all they need is one leaked or easy-to-guess password.
This is why passwords aren’t enough anymore. You need an additional method of authentication: multi-factor authentication.
What is Multi-Factor Authentication?
Multi-factor authentication (MFA) is a verification mechanism that requires users to prove their identity in at least two independent ways. Typically, the password is the first form of verification, but it must be accompanied by a second factor, such as:
- A one-time PIN sent to the individual by text message (SMS)
- A hardware security token that the user connects to their device, such as a USB security key
- Biometric information, such as a fingerprint
- Verification via a separate authenticator app on their mobile phone
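The last factor in the list, an authenticator app, is usually a time-based one-time password (TOTP, RFC 6238) computed from a shared secret. The following is an added example, not code from the original article, that implements the verifier side: it derives the HOTP counter from the clock, tolerates one step of clock skew, compares in constant time, and refuses to accept a counter that was already used so a captured code cannot be replayed. The secret is the RFC 6238 reference secret, used here only so the output can be checked; a real deployment generates a random per-user secret and stores it encrypted.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo secret: the RFC 6238 reference secret (ASCII "12345678901234567890").
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per TOTP step
DIGITS = 6       # code length shown by the authenticator app


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (what the app displays)."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, submitted: str, at: int,
                last_accepted: int = -1, window: int = 1) -> Optional[int]:
    """Server-side check. Returns the matching counter, or None if the code is rejected.

    - `window` steps on either side of the current step are accepted to absorb clock skew.
    - Counters <= `last_accepted` are rejected: the caller persists the returned counter
      per user so the same code cannot be replayed inside its validity window.
    - hmac.compare_digest keeps the comparison constant-time.
    """
    submitted = submitted.strip()
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == DIGITS):
        return None
    current = at // TIME_STEP
    for counter in range(current - window, current + window + 1):
        if counter <= last_accepted:
            continue  # already consumed (or older than the last accepted step)
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    # Code for T=59 matches the RFC 6238 test vector (94287082 truncated to 6 digits).
    code = totp(DEMO_SECRET, 59)
    print("code at T=59:", code)
    accepted = verify_totp(DEMO_SECRET, code, 59)
    print("first use accepted at counter:", accepted)
    print("replay rejected:", verify_totp(DEMO_SECRET, code, 59, last_accepted=accepted) is None)
```

In a real service the `last_accepted` counter is stored next to the user's secret and updated on every successful verification; without it the replay window is the full 30-second step plus the skew allowance on either side.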
MFA should not be required every time a user logs onto a cloud service, as this would quickly become frustrating and dampen the user experience. You can usually set it up so that it registers devices and “trusts” them, meaning it won’t need the extra factor every time. Instead, the multi-factor verification will only be required when a new device is used, or when a certain amount of time has elapsed since the last MFA-authenticated login.
We recommend that you require MFA for high-risk activities such as transferring money, logging in from a new device, changing passwords or account details, or accessing or attempting to download highly sensitive information. This crucial extra layer of security can help protect your business from today’s range of cyber threats.
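The two paragraphs above describe a policy: remember devices that completed MFA, re-challenge when the last MFA is too old, and always step up for high-risk actions. The following is an added example, not code from the original article, that encodes that policy as a single decision function. The 14-day maximum MFA age, the action names, and the in-memory trust store are assumptions chosen for illustration; a product would persist the store and tie the device identifier to a device certificate or browser-bound token rather than a plain string.

```python
from typing import Dict, Optional, Tuple

# Assumed policy value: re-challenge if the last MFA on this device is older than 14 days.
MFA_MAX_AGE_SECONDS = 14 * 24 * 3600

# Constructed action names for the high-risk activities the text lists.
HIGH_RISK_ACTIONS = {
    "transfer_money",
    "change_password",
    "change_account_details",
    "download_sensitive",
}


class TrustStore:
    """Per-user record of trusted devices and when each last passed MFA (in-memory here)."""

    def __init__(self) -> None:
        self._devices: Dict[str, Dict[str, int]] = {}  # user -> device_id -> last MFA time

    def last_mfa(self, user: str, device_id: str) -> Optional[int]:
        return self._devices.get(user, {}).get(device_id)

    def record_mfa(self, user: str, device_id: str, at: int) -> None:
        """Call only after the second factor has been verified."""
        self._devices.setdefault(user, {})[device_id] = at

    def forget(self, user: str, device_id: str) -> None:
        """Revoke trust, e.g. when a device is reported lost."""
        self._devices.get(user, {}).pop(device_id, None)


def mfa_required(store: TrustStore, user: str, device_id: str, now: int,
                 action: str = "login") -> Tuple[bool, str]:
    """Decide whether this request needs a second factor and say why (for audit logs)."""
    if action in HIGH_RISK_ACTIONS:
        # Step-up: high-risk actions always get a fresh factor, even on a trusted device.
        return True, f"step-up: {action} is high-risk"
    last = store.last_mfa(user, device_id)
    if last is None:
        return True, "new or untrusted device"
    if now - last > MFA_MAX_AGE_SECONDS:
        return True, "last MFA too old"
    return False, "trusted device with recent MFA"


if __name__ == "__main__":
    store = TrustStore()
    t0 = 1_700_000_000  # constructed Unix timestamp
    print(mfa_required(store, "alice", "laptop-1", t0))                    # new device
    store.record_mfa("alice", "laptop-1", t0)                              # alice passes MFA
    print(mfa_required(store, "alice", "laptop-1", t0 + 3600))             # trusted, no MFA
    print(mfa_required(store, "alice", "laptop-1", t0 + 3600, "transfer_money"))  # step-up
    print(mfa_required(store, "alice", "laptop-1", t0 + 15 * 86400))       # expired
```

Returning the reason alongside the decision is deliberate: the reason string is what you log, so an investigation can later tell whether a login was waved through because of device trust or because the MFA age check never fired.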
Best Practices for MFA
If you’ve traditionally relied on passwords alone to grant your users access to corporate resources, MFA will certainly be a big change. Here are some things to bear in mind to ensure a smooth transition.
Take a Holistic Approach
You should implement MFA across all user accounts and services, including cloud, VPN and on-premises applications. Taking a holistic approach, so that all of your company’s digital assets are secured in a consistent manner, is the best way to improve your security posture.
Provide A Variety Of Authentication Mechanisms
Security must be carefully balanced with the user experience. Otherwise, your users could become irritated or face excessive inconveniences, which isn’t good for workplace culture. So, make sure that you consider a variety of authentication methods that suit your different users. We can help you to choose and deploy an MFA solution that supports your business and users alike.