Security controls are not optional. After another cyber security breach, in which a business I have worked with (not as their security consultant) suffered a “CryptoJacking” event and lost $40,000 US dollars, I thought the following comment might be necessary.
MFA as a Security Control
Multi-factor Authentication is one of the most basic yet necessary security controls, and it must be fully implemented in order to reduce the risk and possible extent of a compromise.
Question: In what scenario would the most basic security control be signed off as “Risk accepted” because of user resistance?
Answer: Across far too many small and mid-sized businesses in Australia and Asia today.
Common reasons include: “Our users won’t accept MFA” or “Our users won’t have the Microsoft Authenticator app on their device”.
Then seriously, require your people to work from the corporate offices where you can implement network security controls, or get new employees.
As Joel Dickins wrote recently, some of our customers lost 10s of thousands of dollars due to password compromises and it needs to stop happening!