99.9% reduction in risk from cyber attack, the best ROI available in cyber
Introduction
Multi Factor Authentication is essential, with Password authentication alone, access to resources is simply based on an account name and provided password, the name is normally known to anyone smarter than a toddler as it is an email address. Meaning that an insecure password is the ONLY thing preventing an attacker from having access to your systems.
With a password alone, problems start to occur where an account password is reused elsewhere, as human beings with limited capacity for generating and remembering complex passwords, we reuse the same data again and again in our lives.
The password we chose for our 9-5 workplace may even be the same as our password to access our gmail account at home, Facebook, Instagram or our local coffee shop app.
I too am guilty of this and nowadays I use Apples password management to ensure that all my new passwords are unique, I wish I had the creativity to create and remember a multitude of phrases but I simply can not keep up, my children call this old age!.
Therefore, your data is likely only a password away from being available to a criminal who has all the time in the world to try and identify at least one password in your organisation, to find this password is a $10-20 payment for a user and password list on the Dark web for one of your suppliers (referred to as a third party supplier) who has been already breached, and whose breached data was either in clear text or simply a “salted hash”.
In my previous role I ran a few dark web searches and found the respective data for several of Australia’s major insurers (4 of them) as well as one legal firm, our search redacted the password (I’m not a criminal) but the data was present for the purchaser of the original malicious data file to use in a password attack.
A third party supplier breach of data will create risk for any other place that the same email and password are used.
Passwords are one thing we do not think about that often transcends personal and work place due to our limits on memorising complex patterns that can not be easily related to something we know.
If you do remember many unique passwords and do not reuse these then you are a machine…. but for many of us our passwords are shared over and over with our many subscribed technology services.
Multi Factor Authentication matters a lot
There are a few reasons why passwords alone are not sufficient to protect your information and your access, in no particular order:
- As already mentioned your passwords are probably available on the deep web already, if you have been the subject of a third party supplier breach, in many cases your passwords can be harvested at this time.
- Checking if your credentials have been stolen is easy: https://haveibeenpwned.com and search for your email addresses or contact numbers.
- Passwords tend to have a “service life” of months to years, or forever! meaning that one password harvested at one time can be used many times by a malicious actor to gain access to your personal data.
- Passwords that are not sufficiently complex can be guessed trivially through brute force methods.
- Passwords are often reused – I previously mentioned this, but it is worth mentioning again. If you do this then embrace a Password manager, Apple iOS and MacOS have this built in, Microsoft Edge and Google Chrome also do this. Third party Password Managers also exist like 1Password.
The 99.9% solution to password related cyber attacks
Multi Factor Authentication or MFA for short, is an additional security measure (Factor) added after an authentication attempt has occurred to ensure that the “entity” who entered the user name and the password is in fact the entity that should know the user name and the password.
This factor can be different things but it is considered something that only you can know, maybe an RSA token that you hold where the passphrase changes every 60 seconds, or a bio-metric such as Windows Hello, or finger print on a reader, or it may be an SMS code sent to your phone or an MFA app installed on your device.
This factor changes regularly, unless it is a bio-metric! ensuring that even if a cyber attacker has your user name and password, they still can not access your data.
Multi factor authentication is your silver bullet, the one thing that according to Microsoft reduces your risk of cyber attack by 99.9%
Australian Signals Directorate Essential 8 – MFA
The Australian Signals Directorate essential 8 lists Multi factor Authentication as one of the most critical controls that all organisation must put into practise.
To get started Multi factor authentication is available in all Microsoft Azure Active Directory licensing but to have more capable MFA requires Azure Active Directory P1 or Azure Active Directory P2 licenses. If you use another directory or Single Sign On provider such as Okta, DUO etc they will have their own One Time Password options.
Final notes
There is zero excuse for not having MFA being used for all user accounts, employees need to be aware that MFA is not done to make their lives harder, it is done to save the organisation from a serious and even business ending failure due to cyber breach.
Multi Factor Authentication is one of the easiest controls that can be put in place to enhance security, MFA is not complex to implement and it can be easier for users than remembering passwords, depending on how it has been configured, Windows Hello being an example of security that goes beyond MFA yet provides a passwordless experience for users.
Microsoft, Gmail, Facebook, Apple and many other organisations offer MFA as options on your accounts, it is the best “bang for buck” cyber security control you can put in place today for your home and your business.
Finally, 99.9% reduction in risk from cyber attack is the best “Return on Investment” there is in cyber security.
Contact us here if you would like further information or would like to write for us.
Leave a Reply