These days it’s more important than ever to do everything you can to ensure your business gets and stays successful and profitable. While establishing your manufacturing plans, crafting marketing strategy, and keeping an eye on the bottomline are all important, it is also vital that you take relatively simple steps to secure your information. That’s where multi-factor authentication comes in.
All about multi-factor authentication (MFA)
MFA is exactly what it says—it is a second factor for a user to authenticate before gaining access to a system, application, portal, or information silo. This control is effective as typically the first factor in a multi-factor chain is a password and there are many ways that threat actors get access to that password, especially with everything, including email, on the internet. With that second factor, which is typically a code, it becomes much more difficult for the bad guys to infiltrate your systems.
Some MFA solutions include an app on a phone or a key fob that has a code that changes every 30 seconds, and then the user enters their password followed by a code. Typically if a user is coming from a known browser with a cookie or a known IP, you can set the MFA to be required perhaps once a day or even once every couple of weeks. If you have a business account and you’re trying to protect sensitive data, perhaps the user has to authenticate with the second factor daily. The best practices are really dependent on the application, the business, and what you’re trying to protect.
Why MFA is important
There are potentially huge repercussions if a threat actor accesses your company’s email if you just have single-factor, password protection. If it’s a foreign adversary and you are a government contractor, that entity can gain an understanding of the sensitive projects you’re working on, access data or plans, and get deeper into networks and things like SharePoint.
What usually happens is an outside source will get into an employee’s email. Then using that person’s identity, they will email C-level personnel in attempts to get those senior management members to click on a link, reset a password on a fake web form, and then use that password information to initiate wire transfers, exfiltrate data, and more.
Implementing MFA
These days, there are a variety of options that companies can implement, which, from a technical perspective, are simple and straightforward. Often, the people aspect of these rollouts can be the more challenging part.
Microsoft makes implementing MFA easy and free. To protect your company’s email, employees can simply download the Microsoft Authenticator app on their phone and then use that to hook directly into any MS Office 365 accounts. They then can either enter a code or it can push a notification to each user. With no software cost, and perhaps just the outlay of a company phone, there are no excuses for companies to not implement this extremely useful and important security control.
There are also requirements for MFA on machines. If team members have a laptop or a workstation holding critical data, Cisco Duo is a good option. It functions using the same concept of a user entering a user name and password to log on to the machine, and then prompting the employee for a code, or it pushes a notification to the user’s phone and upon code entry access to the device is granted.
MFA is just one step to helping you secure your information and your IT infrastructure.
CyberSheath offers security monitoring services, to help identify and shut down attempts by threat actors to access your company’s resources. Our 24/7 security operation center helps protect your business and all of its information, because when someone wants to get at something in your environment, they are going to do whatever they can to gain access. Contact us to learn more.