I am often asked by clients and my partners alike, “What is the #1 thing companies should be doing to secure their data and systems?” Usually when I get requests to boil down everything involved in my practice area to one topic, I balk. And for good reason. However, this one is easy.
Multi-Factor Authentication or “MFA.”
After entering an ID (email address) and password, MFA simply requires a user to receive and enter a second form of authentication sent via a mobile text, a phone call, email, or from a security token to gain access to systems or accounts. Because the hacker attempting access likely does not have access to both forms of authentication, the access is denied. Attack stopped. The overwhelming majority of the data security breaches we at Taft have managed in the past year could have been stopped in their tracks by the victim simply having MFA in place. That is not an exaggeration. I would estimate almost 85% of these incidents or actual breaches involved stolen or guessed credentials for an employee. That is all it took to gain access to a VPN, an email account, you name it.
Don’t believe me? Look no further than May’s Colonial Pipeline ransomware attack that shut down the pipeline for days (a good reminder that security is not just about the confidentiality of data—it is about access as well). The “hack” was really just a hacker having a user’s password and finding an account the company had failed to delete; once in, nothing was left to stop the hackers from installing ransomware. And it is not that hard to understand why. Passwords, today, are not enough. Even strong ones.
- Most employees use short, uncomplicated or “weak” passwords that are easy to guess or crack using software.
- Most employees use the same passwords on personal accounts that they use on their work accounts. So, when the passwords to their personal email or social media accounts are stolen or disclosed through a major breach, so is the same password to a work-related website or remote access to company email.
So, when a hacker has your email address (not hard to get) and can easily enter a password procured on the Dark Web, there is nothing to stop them from accessing the account, unless a second factor of authentication is required. We have written on this topic incessantly here at PDS Insights over the years, going as far back as 2017. While security is never a completed job and involves far more than one technical safeguard, it is very hard to argue that this simple one is not a game changer. In the case of one company, and of our country, this game changer could possibly have saved millions of dollars and days of disruption for businesses, consumers, and the government.
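The two login paths described above (password only, and password plus a second factor) as an added example; this is illustrative code, not anything from Taft or PDS Insights. It assumes the "security token" is an authenticator-app style time-based one-time password (TOTP, RFC 6238), and the user records, salt, passwords and TOTP seed are all constructed for the demonstration:

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample user store (no real credentials). Passwords are kept as
# salted PBKDF2 hashes; the TOTP seed is the base32 secret shared with the
# user's authenticator app.
_SALT = b"constructed-salt-not-for-production"


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


USERS = {
    "alice@example.com": {
        "pw_hash": _pbkdf2("correct horse battery staple", _SALT),
        "totp_secret": "JBSWY3DPEHPK3PXP",  # constructed base32 seed
        "mfa_enabled": True,
    },
    "bob@example.com": {
        "pw_hash": _pbkdf2("Summer2021!", _SALT),
        "totp_secret": None,
        "mfa_enabled": False,  # password-only account, as in the breaches above
    },
}


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, now // step, digits)


def verify_totp(secret_b32: str, submitted: str, now: int, window: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate clock drift."""
    for drift in range(-window, window + 1):
        expected = hotp(secret_b32, (now // 30) + drift)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def login(email: str, password: str, otp: Optional[str], now: Optional[int] = None) -> str:
    """Return 'granted', 'denied' or 'mfa_required' for a login attempt."""
    now = int(time.time()) if now is None else now
    user = USERS.get(email)
    if user is None:
        return "denied"
    if not hmac.compare_digest(user["pw_hash"], _pbkdf2(password, _SALT)):
        return "denied"
    if not user["mfa_enabled"]:
        return "granted"  # a leaked or guessed password alone is enough here
    if otp is None:
        return "mfa_required"  # correct password, but the second factor is missing
    return "granted" if verify_totp(user["totp_secret"], otp, now) else "denied"


if __name__ == "__main__":
    t = 1_000_000
    print(login("bob@example.com", "Summer2021!", None, t))                # granted
    print(login("alice@example.com", "correct horse battery staple", None, t))  # mfa_required
    code = totp(USERS["alice@example.com"]["totp_secret"], t)
    print(login("alice@example.com", "correct horse battery staple", code, t))  # granted
```

With `bob`, a password obtained from a third-party breach dump is the whole attack; with `alice`, the same stolen password only gets the attacker to `mfa_required`, and the code that completes the login lives on a device the attacker does not hold. The one-step drift window is the usual trade-off between rejecting honest users with slightly skewed clocks and widening the set of codes accepted at any instant.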
MFA. Please. Do it. NOW.