If you look at the biggest data breaches of the past few years, many of them didn’t rely on sophisticated technology to gain access to sensitive systems and data. They just stole a legitimate user’s login credentials or tricked users into handing over their passwords. Some hackers will simply use social media to acquire personal information about their targets, who continue to use birthdays, anniversaries and children’s names for passwords.
In fact, the 2017 Verizon Data Breach Report found that 81 percent of data breaches could be traced back to weak or stolen passwords. And it only takes one compromised password for a hacker to get deep into a network and create chaos. Experts recommend that organizations implement multifactor authentication (MFA) to better control network access and reduce the risk of a breach.
The traditional username-password method is an example of single-factor authentication, which requires users to match one factor to verify their identity. Multifactor authentication requires two or more factors from independent categories to verify user identity. There are three general categories of factors: something you know, such as a password, PIN or an answer to a question; something you have, such as an ID card or a security code delivered via email or text; and something you are, which typically involves a form of biometric identification, such as a fingerprint, retina scan or voice recognition.
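As an added example (not code from the original article), the following Python shows what "two factors from independent categories" looks like in a login check: a salted password hash covers the something-you-know factor, and an RFC 6238 TOTP code, the kind an authenticator app or a delivered security code provides, covers the something-you-have factor. The user record, password and TOTP seed are constructed for the demo; the seed is the RFC 6238 Appendix B test-vector secret, not a real one, and the `authenticate` function and its accept/deny rules are this example's own design.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# Constructed demo seed: the RFC 6238 test-vector secret "12345678901234567890",
# base32-encoded the way an authenticator app would receive it.
DEMO_TOTP_SECRET = base64.b32encode(b"12345678901234567890").decode()


def hash_password(password, salt=None, iterations=200_000):
    """Factor 1 (something you know): store a salted PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password, record):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(digest, record["digest"])


def totp(secret_b32, unix_time, step=30, digits=6):
    """Factor 2 (something you have): RFC 6238 TOTP over HMAC-SHA1, as common authenticator apps compute it."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def verify_totp(secret_b32, submitted, unix_time, step=30, window=1):
    """Accept the current code plus one step either side to tolerate clock skew."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * step, step=step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# Constructed user store: one user, one password record, one enrolled TOTP secret.
USERS = {
    "alice": {
        "password": hash_password("correct horse battery staple", salt=b"demo-salt-16byte"),
        "totp_secret": DEMO_TOTP_SECRET,
    },
}


def authenticate(username, password, code, now=None):
    """Both independent factors must pass; a stolen password alone is not enough."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        return False, "unknown user"
    if not verify_password(password, user["password"]):
        return False, "password rejected"
    if not verify_totp(user["totp_secret"], code, now):
        return False, "one-time code rejected"
    return True, "authenticated with two factors"


if __name__ == "__main__":
    # Pretend the authenticator app is in sync with the server clock.
    current_code = totp(DEMO_TOTP_SECRET, time.time())
    print(authenticate("alice", "correct horse battery staple", current_code))
    print(authenticate("alice", "correct horse battery staple", "000000"))
```

The `totp` function reproduces the RFC 6238 reference values (for example, the seed above at Unix time 59 yields `287082` as a six-digit code), so it can be checked against any standard authenticator implementation; the skew window is the usual one-step allowance and should not be widened casually, since every extra step accepted enlarges the set of valid codes.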
Time and location can also be used as additional authentication factors to alert administrators to login attempts by unauthorized users. Most devices have GPS capabilities and the time of a login attempt is easy to track. If someone uses legitimate credentials to attempt a login from an unusual location at an unusual hour, the account could be locked until the user’s identity is verified by other means.
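As an added example, not part of the original article, the Python below turns the time-and-location idea into a concrete risk check: it builds a per-user baseline from earlier successful logins (which countries and which hours of the day are normal), then scores a new attempt. The login history and the decision rule (one anomaly asks for a further factor, two anomalies lock the account until the user is verified by other means) are this example's own constructed data and policy; the `country` field stands in for whatever geolocation signal the device or network provides.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class LoginEvent:
    user: str
    when: datetime      # UTC timestamp of the attempt
    country: str        # assumed geolocation field (device GPS or IP lookup)
    success: bool


def _utc(y, m, d, hour):
    return datetime(y, m, d, hour, 0, tzinfo=timezone.utc)


# Constructed history: alice normally logs in from the US between 14:00 and 20:00 UTC.
HISTORY = [
    LoginEvent("alice", _utc(2024, 3, 4, 14), "US", True),
    LoginEvent("alice", _utc(2024, 3, 5, 15), "US", True),
    LoginEvent("alice", _utc(2024, 3, 6, 16), "US", True),
    LoginEvent("alice", _utc(2024, 3, 7, 17), "US", True),
    LoginEvent("alice", _utc(2024, 3, 8, 18), "US", True),
    LoginEvent("alice", _utc(2024, 3, 11, 20), "US", True),
    LoginEvent("alice", _utc(2024, 3, 12, 3), "CN", False),   # failed attempt: not part of the baseline
]


def baseline(history, user):
    """Summarise where and when this user has successfully logged in before."""
    events = [e for e in history if e.user == user and e.success]
    countries = Counter(e.country for e in events)
    hours = Counter(e.when.hour for e in events)
    return countries, hours


def assess(attempt, history, min_seen=2):
    """Return (decision, signals): 'allow', 'step_up' (demand another factor) or 'lock'."""
    countries, hours = baseline(history, attempt.user)
    if not countries:
        # No history to compare against: treat the first logins as untrusted rather than normal.
        return "step_up", ["no_baseline"]

    signals = []
    # Location is unusual if this user has fewer than min_seen successful logins from that country.
    if countries[attempt.country] < min_seen:
        signals.append("unusual_location")
    # Hour is unusual if there is no successful login within one hour either side of the attempt.
    h = attempt.when.hour
    if not any(hours[(h + d) % 24] for d in (-1, 0, 1)):
        signals.append("unusual_hour")

    if len(signals) >= 2:
        return "lock", signals            # right credentials, wrong place, wrong time: hold the account
    if signals:
        return "step_up", signals
    return "allow", signals


if __name__ == "__main__":
    for attempt in [
        LoginEvent("alice", _utc(2024, 3, 13, 15), "US", True),
        LoginEvent("alice", _utc(2024, 3, 13, 3), "US", True),
        LoginEvent("alice", _utc(2024, 3, 13, 16), "RO", True),
        LoginEvent("alice", _utc(2024, 3, 13, 3), "RO", True),
    ]:
        print(attempt.country, attempt.when.hour, assess(attempt, HISTORY))
```

Keeping the policy in one function makes the thresholds easy to tune: `min_seen` decides how many prior logins make a country "known", and the one-hour window around observed hours keeps a user who occasionally starts early from being challenged every morning.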
The idea is that a hacker can easily steal a credential from one category and use it to complete a successful login, which is what makes single-factor authentication ineffective. Stealing or forging several factors from different categories at the same time is far harder. That’s what makes MFA a powerful tool for enhancing cybersecurity.
You’d think MFA adoption would be virtually universal, but many organizations are concerned about employee backlash. In a new study from Decision Analyst, 63 percent of organizations said their employees resist MFA implementation. At the same time, 25 percent of employees continue to use the same password for every account, and IT teams don’t know who has access to what systems because users are often approved for access without going through a formal review process.
IT teams need to get executive buy-in and push for MFA. Organizations also need to develop ongoing security training so that everyone understands the risk of poor security practices. Senior management needs to make sure employees recognize that careless and irresponsible activity, whether it involves creating weak passwords or clicking suspicious links, puts the organization, its customers and the employees themselves at risk. An extra step when logging in is a minor inconvenience compared to a data breach.
If you’re still relying only on usernames and passwords to prevent unauthorized access into your network, you’re making the job of a hacker that much easier. Let us help you implement and manage MFA to reduce risk and keep your critical IT assets secure.