There is a strong misconception in business that only larger organisations are targets for cyber criminals. Unfortunately, this simply isn’t the case. Cyber security should be a business priority for any organisation regardless of whether you’re a start-up, SME, non-profit or large-scale enterprise. Your user accounts are highly valuable to attackers — whether they want to infiltrate your organisation or exploit another part of your supply chain by leveraging your company’s data, information and identities.
The Password Problem
In the past, it is has unfortunately been all too easy for criminals to hack businesses who don’t have the right security measures in place. As you likely know already, poor password hygiene is a common theme for organisations that suffer data breaches. According to Microsoft research, 81% of hacking breaches use compromised weak passwords or used stolen passwords. Even if you diligently update your passwords and ask your employees to do the same, there are still highly successful methods of cracking them using attacks such as brute force attacks, spray attacks or phishing schemes.
Finding a Solution
Now that we’ve established the importance of protecting your business from cyber criminals, what would you say if you were offered you a way to block over 99.9% of the cyber attacks which aim to compromise your user identities and accounts? Your answer would most probably be “yes, please” or “great, but how much will it cost”?
Luckily there is actually a simple and highly affordable security feature which allows you to do this; you might already be paying for this feature if your business uses certain business productivity software such as Microsoft 365 or Google Workspace. It’s called ‘multi-factor authentication’ (MFA), or two-factor-authentication (2FA) as it’s sometimes referred to.
Multi-Factor Authentication (MFA)
MFA allows users to add further forms of identity verification to their accounts in addition to their password — such as their phone, security key or biometric identifier. Therefore, if their password becomes compromised, the requirement for a secondary form of verification will ensure their account remains secure and access will be denied to the attacker using the stolen credentials.
A lot of businesses will opt for the smartphone option as the second factor in the authentication process, as most users will already have a business or personal smartphone on their person at all times. Once your IT admin has enabled MFA within your organisation, users simply download the organisation’s preferred ‘authenticator’ app from a public app store (e.g. Google Play Store for Android devices or Apple App Store for iOS devices etc.) and follow the basic instructions to link their device to their work account.
Once set up, when a user attempts to log into their work account (e.g. an Office 365 account), they’ll enter their password and hit ‘enter’. Rather than being granted access right away, a popup will appear on the screen saying “Approve sign in request – we’ve sent a notification to your mobile device. Please respond to continue”. All the user then has to do is pick up their smartphone and click ‘Approve’ to complete the authentication process and get access to the work account. Similarly, they can hit ‘Deny’ if they get a notification when they aren’t trying to access the account — potentially preventing an unauthorised login attempt by someone else.
You can quickly see how this can prevent so many password-based attacks. Even if a hacker on the other side of the world somehow has your password, they won’t have your mobile device (or other form of second factor) and they won’t be able to gain access.
MFA is Just the First Step
Despite MFA offering an incredibly powerful and simple action that you can take to significantly improve your cyber security, it’s just one of the first steps to properly securing your organisation from cyber criminals.
It goes without saying that good password hygiene, phishing training, blocking legacy protocols and other basic cyber security practices are also things you should do. However, the world of cyber security is moving at an incredible pace — as are the attackers’ hacking methods and technologies.
In the past, we used to use a ‘castle and moat’ approach to protect our data. We built a wall around everything we wanted to protect. However, once attackers had penetrated these defences, the perimeter controls would offer little to prevent the attacker from laterally moving across the network — often doing significant damage before being detected.
As we’re now working remotely, and consuming more and more cloud services, our business data no longer resides solely within the company network. This means the old ‘castle and moat’ approach is now mostly redundant.
A boundaryless approach called ‘Zero Trust’ is now considered the modern way that forward-thinking organisations are doing cyber security. This approach deems all users and devices to be ‘untrusted’ and the core principle is simply to “never trust, always verify”. It treats access requests as if they were originating from an open network. With this approach, every access request is subject to a dynamic risk-based evaluation to determine whether access should be granted or denied. Some of the signals that can feed into the verification process might include: identity, health of device, geographic location, service, data, and anomalies.
It must be stressed that Zero Trust is a journey, it’s not something your organisation would, or could, implement overnight. It requires a shift in mindset as to how cyber security should be done in the modern world and it will require a phased approach to adopting the right technologies and methods.
Implementing MFA is a great first step on your zero trust journey and something all organisations should do. However, as you develop your zero trust cyber security posture over time, many organisations don’t have – or can’t afford – to bring the required cyber security skills and experience in-house. In this instance, you might wish to consider approaching an IT support company with cyber security expertise that you can partner with.
Mike Smith is Marketing Executive for Chorus, a leading Managed IT & Cyber Security services provider in Bristol, UK.