In 2022 we have seen an alarming number of devastating cyberattacks throughout the world, including in the UK and Ireland.
An example of this in the UK includes the ransomware attack on KP Snacks, the manufacturer of Hula Hoops, Nik Naks, Tyrells, and many other snacks. This ransomware attack was carried out by a Russian cybercrime group, and resulted in approximately 2 months of supply chain issues, costing the organisations millions in damages.
However, whilst this attack received national news coverage, there were many attacks on smaller businesses that were harmful but did not make news headlines.
As we come to the end of 2022, it is more obvious than ever that all businesses are at risk of falling victim to a cyberattack and must be taking steps to reduce their cyber risk. Most businesses understand this, but some are still lacking simple security controls, such as multifactor authentication.
In this blog, we will explain what is multifactor authentication, and why it is essential for all businesses.
Multifactor authentication, or MFA, is an authentication method that requires the user to provide two or more forms of identification to log into their account.
These forms of identification typically include something the user knows (such as a password or PIN), something the user has (such as a trusted device or hardware key) or something that the user is (such as biometrics information, including fingerprints or facial recognition).
In terms of the user experience, if MFA is enabled, an employee will enter their username and password into an application or service, and then it will ask for the second authentication method. If they are using an authentication app on their phone it will provide a 6-digit number they must enter to access their account.
Some businesses have even removed the need for passwords altogether, only using the identification methods of something a user has and something that they are.
Strengthens Security Posture
The number one reason why businesses should implement MFA is that it will strengthen their security posture. In 2022, the most common form of cyberattack is phishing, with 83% of all cyberattacks in the UK being phishing attacks.
Whilst multifactor authentication will not stop phishing attacks, it does significantly reduce the chance of a phishing attack being successful in compromising a user’s account.
For example, many phishing attacks include a malicious link that will take the user to a false sign-in page. Even if an employee was to click on the link and enter their username and password if multifactor authentication is enabled, the bad actor will have the username and password, but they will not have the second form of authentication. Whilst it is possible for a bad actor to social engineer their way into acquiring the second form of authentication, it is significantly less prevalent, and can be mitigated in several ways.
Protects Aganist a Variety of Attacks
Whilst phishing attacks are the most common form of cyberattack, multifactor authentication can protect against a variety of other attacks.
If employees reuse passwords across multiple accounts, they are at risk of falling victim to a credential-stuffing attack. This form of attack is where a bad actor will find user credentials, typically through prior data leaks, and use these usernames and passwords to access other accounts. If an employee has reused the same password, these attacks have a high success rate. Thankfully, they can easily be mitigated with the use of MFA, as the hacker does not have access to the second form of authentication.
MFA can also protect against keylogging attacks, as even if the second form of authentication is a one-time passcode, it will change every time an individual attempts to log into the account.
Meets Regulatory Requirements
If your business needs to be industry standards, multifactor authentication is a necessity. For example, the PCI-DSS (Payment Card Industry Data Security Standard) requires businesses to have MFA enabled for remote access to the cardholder data environment.
Although for PCI-DSS, the only requirement is for a single environment, in order for businesses to achieve their Cyber Essentials certification they must implement MFA on administration accounts, and any accounts that are accessible via the internet.
Most insurance companies will require companies to implement multifactor authentication on all accounts in order to qualify for cyber insurance.
Improves the User Experience
Whilst it may seem counterintuitive that adding another step to logging in will improve the user experience, multifactor authentication can be implemented alongside single sign-on to both improve security and the user experience.
Single sign-on, or SSO, is a technology that allows employees to authenticate credentials once in order to access all the systems, services and solutions required for their role. This includes all Microsoft applications, as well as thousands of other SaaS applications.
This improves the user experience and increases productivity as it means that employees spend less time entering credentials, and they only need to remember one password and have one method of multifactor authentication. It also strengthens the organisation’s security posture as there is no need for employees to reuse the same password across different accounts.
Multifactor authentication is essential for businesses of all sizes, within all industries. However, many businesses do not have the required expertise to implement MFA correctly, especially if they want to use SSO.
We can help you implement multifactor authentication, as well as SSO and even passwordless authentication. It is also important to note that MFA is not the only security control required to protect your business from cyberattacks. We can also protect your entire IT ecosystem with a comprehensive security solution, tailored to your business needs. To find out more, contact us today.