Why not MFA? Global password report points to simple wins
Before national governments and regulators caught up with data breach incidents, many companies were, it seemed, slow to inform the public that they’d been compromised.
When the Australian authorities made the reporting of significant data breaches mandatory, rather than voluntary, the number of incidents flagged by the victims jumped 712 per cent!
Organisations of all sizes and nationalities are clearly unenthusiastic about revealing that their data hygiene policies are slack — it’s terrible PR, given that just about every aspect of our lives is now online, and intimate secrets are represented in data susceptible to attack.
Australia’s data governance regulations are probably some of the most stringent in the world, so the global figures representing data security are probably hiding much of the problem. That undercount is likely worsened further by the fact that “good” hackers tend to cover their tracks, so many organisations never even realise their data has gone walkabout. It’s often third-party researchers or bodies like Enzoic that bring incidents to light — too often, to the victims’ surprise and shame.
Even if businesses become aware that they’ve been attacked, that realisation can come — on average — 204 days after the event. In that time, the attackers have had, effectively, free rein with the organisation’s data.
Statistics like those above are covered in the 3rd Annual Global Password Security Report by LogMeIn, a company with a significant stake in the cybersecurity game (its LastPass solutions have been featured on these pages before), and one that’s used its global reach to pull figures from all over the world regarding cybersecurity policies, practices and attitudes to passwords, and Identity and Access Management.
But before we delve into some of the regional differences the report uncovered, it’s probably worth noting that it’s the smaller organisations (fewer than 1,000 employees) that are the least organised in terms of passwords, multi-factor authentication and security policies. And, they are the worst when it comes to risky practices, like password sharing and use of duplicate passwords.
There are three ironies there. The first is that the majority of cyber-attacks affect small or medium-sized businesses (which are, indeed, the favoured targets of bad actors). The second is that bolstering security does not mean adding a significant technical or financial overhead to the business — small businesses don’t need big-business cyber protection budgets.
But the third and predominant irony of the Password Security Report’s findings concerns passwords. Because the main access point into systems is via passwords, securing this front line is vital. Controls such as MFA (multi-factor authentication) are cost-effective, scalable, simple to use, and take many would-be victims out of the firing line. Typically, MFA solutions are characterised by:
– being easily adopted for use in the workplace,
– in many cases, already being used by employees in their private, online activities,
– and the fact that MFA simply doesn’t feel like a security ‘hurdle’ that has to be jumped.
It’s worth noting (and this drives the point home) that hackers play a “numbers game” — if stealing data is made difficult, they’ll look for — and quickly find — an easier, less-protected victim. Presented with a company protected by MFA, most hackers simply move on.
Ask a layperson which industries would be best protected against bad actors, and those with the most to lose would probably be top of the list: financial companies, banks, fintech suppliers and the like. However, the LastPass report showed that insurance companies rank last in a league table of industries when it comes to average security score. And while the financial sector ranks second in a similar table of habits, it’s a vertical that only gets average metrics, sharing passwords internally as much as anyone else.
As you might expect, the tech companies tend to fare well against other industry verticals, but the security issues created by evolving attack methods mean even the most security-astute company can’t rest easy. And there’s variance between similar, service-provision companies. Marketing companies’ employees have nearly twice as many passwords to remember as, for instance, educators.
The more passwords an individual must remember, the worse the data hygiene. People tend to use the same password everywhere, or a small number of slight variations on a theme. Unfortunately, that means even the strongest security defences can be overcome after one easy, low-security compromise. Once the credentials for the local book club’s website have been stolen, the door is wide open for the bad actor to enter the club member’s employer’s financial management systems.
A 2019 Verizon data breach report showed that stolen and re-used credentials were implicated in 80 percent of hacks. The chain is, it seems, only as strong as its weakest password.
MFA, Single Sign-On, biometrics and apps
The solution for many of these issues is simple (and, as we saw earlier, costs a fraction of what a cyber breach costs). Just by using a password management app on a phone, tablet or laptop (or all three), and/or using the same or a similar app as a second authenticating factor, the chances of breaches happening are slashed immediately.
The LastPass report showed that while 57 per cent used an additional authenticator (like Google Authenticator or LastPass Authenticator, for example), there’s still clearly much progress to be made.
While it’s probably not 100 percent correct to present degrees of security, it’s probably worth differentiating between two-factor authentication (2FA), and its “more secure” bigger sibling, multi-factor authentication (MFA). A secondary authentication method might be a security “dongle” like those used by some banks to further verify users’ identities, for example.
But some enterprise MFA solutions, like LastPass MFA, combine a second authentication method (the app) with an additional check — in this case, a fingerprint or facial scan. That’s the golden trio: something you know (a password), something you have (a linked app on a phone), and something you are (a biometric “print”).
The Global password report shows that the use of MFA is most prevalent in Northern Europe (France, the UK, Germany, Belgium, etc.), followed by Australia and the US. It’s the southern Europeans who are most lax in terms of data security, it seems, with attitudes (and security scores) in countries like Spain and Italy at their worst.
A solution adopted by some organisations is single sign-on (SSO), whereby a single, confirmed and secure authentication (through 2FA or MFA, for example) by a member of staff gives access, at pre-determined levels, to all the systems to which he or she needs access. That negates some need for employees to remember dozens of credentials, for example, but it’s a tool used in fewer than 50 percent of companies, according to the Security Report.
Ironically, SSO is more common in larger businesses (more than 1,000 employees), but it’s smaller business employees that tend to have to remember more system passwords — on average 85 passwords per employee, compared to big business’s 25 passwords per employee.
Of course, companies can’t avoid security issues by careful choice of trading partners (only selling to Belgian companies, for example!). Data and commerce are genuinely global, and our concepts of physical borders are mostly irrelevant online. Therefore, it’s probably worth considering the figures in the LastPass report as part of the picture painted overall, which is that irrespective of where you live, and where you trade, there’s a great deal of ground to make up in terms of cybersecurity.
There’s a lot to learn from the LastPass Security Report. With protection ranging from a personal password management app to full Active Directory integration for MFA, there’s no excuse for remaining the highly attractive target that many companies still are.
With low or no resistance from users to adopt safer authentication methods, low costs and seamless integrations, isn’t it about time every company in the world adopted MFA? We think so.