Being logged in as a user (especially if they have admin privileges) can allow a criminal to send out phishing emails from your company account to your staff and customers. The hacker can also infect your cloud data with ransomware and demand thousands of pounds to give it back.
How do you protect your online accounts, data, and business operations? One of the best ways is with multi-factor authentication (MFA).
It provides a significant barrier to cybercriminals even if they have a legitimate user credential to log in. This is because they most likely will not have access to the device that receives the MFA code required to complete the authentication process.
WHAT ARE THE THREE MAIN METHODS OF MFA?
When you implement multi-factor authentication at your business, it’s important to compare the three main methods of MFA and not just assume all methods are the same. There are key differences that make some more secure than others and some more convenient.
Let’s take a look at what these three methods are:
SMS-BASED
The form that people are most familiar with is SMS-based. This one uses text messaging to authenticate the user.
The user will typically enter their mobile number when setting up MFA. Then, whenever they log into their account, they will receive a text message with a time-sensitive code that must be entered.
ON-DEVICE PROMPT IN AN APP
Another type of multi-factor authentication will use a special app to push through the code. The user still generates the MFA code at login, but rather than receiving the code via SMS, it’s received through the app.
This is usually done via a push notification, and it can be used with a mobile app or desktop app in many cases.
SECURITY KEY
The third key method of MFA involves using a separate security key that you insert into a PC or mobile device to authenticate the login. The key itself is purchased at the time the MFA solution is set up and is the device that receives the authentication code and applies it automatically.
The MFA security key is typically smaller than a traditional thumb drive and must be carried by the user to authenticate when they log into a system.
Now, let’s look at the differences between these three methods.
MOST CONVENIENT FORM OF MFA?
The main reason users don't want MFA set up is that they often feel it slows them down. This can be worse if they need to learn a new app or keep track of a tiny security key (what if they lose that key?).
This user inconvenience can cause companies to leave their cloud accounts less protected by not using multi-factor authentication.
If you face user pushback and are looking for the most convenient form of MFA, it would be the SMS-based MFA.
Most people are already used to getting text messages on their phones so there is no new interface to learn and no app to install.
MOST SECURE FORM OF MFA?
If your company handles sensitive data in a cloud platform, such as your online accounting solution, then it may be in your best interest to go for security.
The most secure form of MFA is the security key.
The security key, being a separate device altogether, won’t leave your accounts unprotected in the event of a mobile phone being lost or stolen. Both the SMS-based and app-based versions would leave your accounts at risk in this scenario.
SMS-based MFA is actually the least secure, because there is malware out there now that can clone a SIM card, which would allow a hacker to receive those MFA text messages.
A Google study looked at the effectiveness of these three methods of MFA at blocking three different types of attacks. The security key was the most secure overall.
Percentage of attacks blocked:
WHAT’S IN BETWEEN?
So, where does the app with an on-device prompt fit in? Right in between the other two MFA methods.
Using an MFA application that delivers the code via push notification is more secure than the SMS-based MFA. It’s also more convenient than needing to carry around a separate security key that could quickly become lost or misplaced.
LOOKING FOR HELP SETTING UP MFA AT YOUR COMPANY?
Here at Ashgates IT, the first thing we suggest and check for with any client is that multi-factor authentication is not just enabled, but enforced. If you are looking to bolster your security, then come and have a chat with us and we would be happy to discuss getting this set up.
IASME ran a scheme called IASME Governance. It was frankly cumbersome and a complete pain to do, and some have tried to avoid it. Some clients are not of the size or complexity to justify an ISO 27001 programme, and it is not currently required of them.
All of this is now simplified, with Cyber Assured set to replace IASME Governance. It maps to ISO 27001, but in a much easier manner. Marking and certification are also simplified, so we don't have to write such tedious reports. This lowers cost and makes it easier.
Cyber Assured will launch in July, and if you have Cyber Essentials then it might be worth coming to us for a chat so that we can provide you with more information.
We have recently assisted two of our clients in becoming Cyber Essentials certified, taking them through the whole process from assessment, to improvement and finally to certification!
There are more revisions to Cyber Essentials next due in October. However, IASME, the body that administers Cyber Essentials, is pushing the government to toughen the law around cyber security. This is generally in harmony with the government's thinking, so we wouldn't be surprised to see legislation soon.
In particular, IASME are lobbying for a clause within a digital services bill to force all Managed Service Providers (MSPs), IT companies to you and us, to have Cyber Essentials as a minimum. This makes sense because if IT companies aren't protecting their own assets, they are putting all of their clients at risk. With an average of 100 clients per MSP, the potential for cyber criminals is huge.
Maybe now is the time to check whether your current IT provider has Cyber Essentials and, if not, why not? If they can't answer, then maybe it is time to change provider!
Ashgates IT are Cyber Essentials certified and we are more than happy to assist others in becoming so as well. Please feel free to get in touch if you require guidance on becoming Cyber Essentials certified!
The leak of information about the Russian hacking group "Conti" by a Ukrainian hacker reveals some interesting details on how they operate. This is likely to be common across a number of organisations, and although 17-year-old kids in Oxford are sometimes responsible for hacks, the majority are led by organised gangs.
These cyber criminals often work just like regular small businesses (except they are much more profitable). The Conti gang appear to employ 62-87 salaried people working a five-day week; they even have an HR person!
Here is a brief synopsis of how they work:
The two takeaways:
It may seem from the information in this post that there is no way to stop hackers, but rest assured there are options that can certainly put up a good fight against them: simple things such as third-party anti-virus software, firewalls, backup software and, of course, user training.
Please feel free to get in touch with us and we would be more than happy to discuss what options are available for your business.