Deploying multi-factor authentication is a foundational step to improve identity security for organizations in today’s complex threat landscape. The enormous amounts of data collected and retained by organizations makes every business a potential target. For security teams, the goal is to successfully navigate the threat landscape and eliminate vectors cyber criminals target to compromise systems to gain access to resources. SecureAuth advises organizations to integrate multi-factor authentication (MFA) into their identity and access management program to protect users and strengthen enterprise security.
By implementing multi-factor authentication (MFA), organizations can better protect intellectual property, systems, applications, data, and the privacy of users. Organizations must have the ability to verify with confidence each user requesting access to resources before granting access and privileges.
What is the Risk
The Identity Theft Resource Center identified in their Annual Data Breach Report for 2020 the following:
- 1,108 total data breaches occurred with 144,757,076 individuals impacted
- 107 data exposures with 155,805,443 individuals impacted
- 878 cyber-attacks reported with 169,575338 individuals impacted
- Business Email Compromise (BEC) attacks cost companies more than $1.8B in 2019 – the average loss grew 48% in the first quarters of 2020
- 44% of cyber-attacks were the result of Phishing/Smishing/BEC attacks
- The average ransomware payout was > $233,000 per event in Q4 2020 compared to > $10,000 in Q3 2018
- Business Email Compromise (BEC) attacks cost companies more than $1.8B in 2019 – the average loss grew 48% in the first quarters of 2020
The Identity Theft Resource Center recommends the following with respect to stolen credentials:
Do not reuse passwords – one unique password per account
- Upgrade to a passphrase that is at least 12 characters long
- Use Multi-factor Authentication (MFA) when possible
- Consider creating online accounts so cybercriminals cannot create on in your name
- Use a password manager if needed
Each of these recommendations has merit. But multi-factor authentication stands out as the strongest recommendation. By implementing MFA to protect resources, organizations can move beyond simple username + password credentials to establish a stronger user identity verification process. Securing resources from portals and applications to systems with multi-factor authentication exponentially increases security and should be considered a requirement for a robust identity and access management practice.
Why Passwords Create Risk
The main challenge with passwords is human behavior. Users are the weakest link in a security profile when an organization relies on user-name + password. In our 2020 State of Identity Report, we gathered data from over 2000 respondents with respect to their security and privacy habits. Among those who are using the same password for more than one account, most are using it across 3-7 accounts (62%) and 10% say they are using the same password across 10+ accounts. This type of user behavior creates tremendous risk for all the accounts users access.
The challenge for organizations is a large majority of users like their passwords. The Identity Report revealed that in the workplace 34% of people in leadership positions admit to using one of the top 10 most common passwords – ABC123, Qwerty, 123123, Admin, etc., to access business resources. This password behavior creates substantial risk by making it much easier for cyber-criminals to compromise an account. Multi-factor authentication would elevate the risk created by this poor password behavior.
Why User Verification is Critical
More businesses employ virtual, remote and contract workers than ever before. Gartner projects through 2024, remote workers will represent 30% of all employees worldwide, representing an increase of 13% over 2019 to nearly 600 million employees. Gartner also projects that by the end of 2024, the change in the nature of work will increase the total available remote worker market to 60% of all employees, up from 52% in 2020.
These workplace changes are impacting organizations and their people driving the need for secure and efficient access to key business systems, applications, and resources. A distributed workforce creates the need to upgrade an organizations security posture. Zero Trust security frameworks are gathering momentum as organizations manage cloud services, SaaS applications, and remote workers. Instituting MFA should be a requirement across the workforce as part of a Zero Trust framework. With an evolving workplace landscape and changing user expectations the need for simple, effective, and secure access is more important now than ever before.
MFA Without Disruption
Organizations need a flexible Identity and Access Management service that enables customizable workflows for users, user groups, applications, and systems in order to deliver strong security along with a great user experience.
With a highly flexible MFA solution, security teams can deploy authentication workflows for different resources based on established risk thresholds. Admins can leverage the flexibility to build workflows that meet the expectations of users and the business. A users’ authentication journey can easily be created based on policies established for the resources being accessed. Businesses can decide what type or if MFA is required for certain resources. Perhaps MFA will only be required if something appears out of the ordinary. The flexibility to embrace a prescriptive approach and deploy simple or complex authentication workflows based on the resource removes the “all or nothing mentality” many organizations perceive when it comes to MFA.
Users deserve and expect a great experience without any compromise to security. The perception that MFA is disruptive stems from how organizations have historically deployed MFA – often as a ‘one size fits all’ solution. The objective is to not impact productivity by designing user authentication workflows that appropriately assess risk. If workflows are overly stringent relative to the associated resource, the process will most likely be viewed as disruptive impacting users and the business.
Of course there is no “silver bullet” when it comes to access control. A good IAM solution will enable admins to create user journeys utilizing MFA methods that meet the security requirements of the business and the experience expectations of users. Therefore, having flexibility in a IAM solution is essential. In some cases, users don’t need to be prompted for MFA each time they log in. MFA should never be seen as an obstacle or hinderance by users. When done right, MFA will improve the user experience and eliminate the need for passwords (depending on the factors utilized) creating a passwordless experience ultimately providing an outstanding user experience in addition to strong identity security.
The Value of MFA
As technology continues to advance, so to will the methods cybercriminals use to execute attacks on users and systems. To mitigate risk due to the increasing threat of cyber-attacks, many businesses are putting a priority on appropriately protecting their systems and data. One simple and yet extremely effective method for protecting valuable resources (and a business’ reputation) is to implement multi-factor authentication as part of your identity and access management practice.
Consider your overall security posture and assess if your access management capabilities map to your strategic initiatives and business objectives. Is the user experience creating challenges that impact your objectives? Can the security team create workflows specific to users and resources? Will your current solution support your needs in 3-5 years from now?
Identity security is not a set it and forget it proposition. The security landscape is constantly changing and new users, apps, and systems will always lie ahead. The team of experts at SecureAuth can help you assess your current-state and provide guidance and recommendations based on your desired future-state. If you are just getting started with your access management program or looking to sharpen the functionality and capabilities of your existing environment, SecureAuth is here to help.
Request a demo or contact SecureAuth to learn more about Identity Security, Multi-factor Authentication, Adaptive Authentication, Passwordless, and Continuous Authentication.
