What You Need to Know About Multifactor Authentication
In May, we saw the ransomware WannaCry wreak havoc on more than 200,000 computers across the world. The Petya virus, meanwhile — which has affected global brands such as Mondelēz International, advertising giant WPP and oil producer Rosneft — has arrived as another major cybersecurity problem.
WannaCry worked by encrypting targets’ hard drives, only allowing them to recover their files after they paid a $300 ransom. Within five hours, the operators had already received 27 payments, totaling about $7,000.
The high-profile nature of these attacks — and their increased frequency — highlights the fact that nearly everyone who uses the internet is at risk of falling victim to cybercrime. As an entrepreneur, you need to take the proper security measures to keep your network and data safe. A cyberattack could mean irreparable damage to your reputation and financial ruin for your business.
An in-your-face offense is your best defense.
Controlling who has access to your devices and network is a big part of defending against hackers. At present, multifactor authentication (MFA) is one of the more effective tools for limiting access to the right people; it requires users to present multiple pieces of evidence rather than a simple password. It usually takes the form of two-factor authentication, which is something we’re all fairly used to at this point.
Typically, the information you’re required to enter can be categorized as something you know (e.g., a password or your birthday), something you have (e.g., a bank card or phone) or something you are (e.g., using a biometric marker such as your voice).
Obviously, the premise behind this type of security is that while one type of information is relatively easy for a hacker to acquire, it’s far more difficult to obtain two or more types.
We’re now seeing even more advancement in this arena. Swiss security researchers have reportedly found ways to eliminate inconvenience and boost reliability by using ambient noise as an authentication token. Recording three seconds of audio from both the device attempting to log in and the user’s smartphone, the service can cross-check the noise to ensure the user and the device are in the same place. Only then is access granted.
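The cross-check described above can be sketched in a few lines. This is an added example, not the researchers' code: it assumes a simplified peak cross-correlation as the similarity measure, and the sample rate, lag window, threshold and synthetic clips are all constructed for illustration.

```python
import math
import random

SAMPLE_RATE = 1000   # Hz; assumed low rate so the pure-Python demo stays fast
CLIP_SECONDS = 3     # the three-second recording described above
MAX_LAG = 50         # samples of start-time skew tolerated (assumed)
THRESHOLD = 0.6      # assumed similarity cut-off, not a published value

def _normalize(clip):
    """Remove DC offset and scale to unit energy so microphone gain is ignored."""
    mean = sum(clip) / len(clip)
    centered = [s - mean for s in clip]
    energy = math.sqrt(sum(s * s for s in centered))
    if energy == 0:
        raise ValueError("silent clip: no ambient signal to compare")
    return [s / energy for s in centered]

def similarity(clip_a, clip_b, max_lag=MAX_LAG):
    """Peak normalized cross-correlation over lags in [-max_lag, max_lag]."""
    n = min(len(clip_a), len(clip_b))
    a, b = _normalize(clip_a[:n]), _normalize(clip_b[:n])
    best = -1.0
    for lag in range(-max_lag, max_lag + 1):
        lo, hi = max(0, lag), min(n, n + lag)
        best = max(best, sum(a[i] * b[i - lag] for i in range(lo, hi)))
    return best

def same_location(login_clip, phone_clip):
    """Grant the second factor only if both devices heard the same room."""
    if min(len(login_clip), len(phone_clip)) < SAMPLE_RATE * CLIP_SECONDS:
        return False  # truncated recording: fail closed
    try:
        return similarity(login_clip, phone_clip) >= THRESHOLD
    except ValueError:
        return False  # silent clip: fail closed

def constructed_clips():
    """Synthetic audio: one shared room heard by two mics, plus an unrelated room."""
    n = SAMPLE_RATE * CLIP_SECONDS
    rng = random.Random(7)
    room = [rng.gauss(0, 1) for _ in range(n + 20)]
    laptop = [room[i] + 0.3 * rng.gauss(0, 1) for i in range(n)]
    # The phone starts 20 samples later, at half the gain, with its own mic noise.
    phone = [0.5 * room[i + 20] + 0.2 * rng.gauss(0, 1) for i in range(n)]
    elsewhere = [rng.gauss(0, 1) for _ in range(n)]
    return laptop, phone, elsewhere

if __name__ == "__main__":
    laptop, phone, elsewhere = constructed_clips()
    print(same_location(laptop, phone), same_location(laptop, elsewhere))
```

The check fails closed on silent or truncated recordings, so a muted microphone denies access rather than granting it. Co-location is only a proximity signal, so it stands in for the "something you have" factor alongside the password rather than replacing it.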
Secure your business — and your money.
It’s clear that MFA is at the crux of the future of security, and from a business perspective, the cost of implementing this security strategy is far outweighed by the outrageous cost of a full-on data breach. Successfully implementing it requires careful consideration of the following three steps:
1. Prioritize ease of use. It’s important to remember that a security measure is only as effective as the people who use it. A University of Phoenix study found that roughly 52 percent of American adults studied said they prioritize convenience over cybersecurity. If your authentication process is too big a pain, people will find ways to avoid using it when possible, and that’s counterproductive.
Google has supported MFA for years, but last year, it made the authentication process for Gmail and G Suite users even easier. In the past, signing in from a new device required manually entering a code via text message or an authenticator app. Now, users can approve login attempts by simply tapping their phone after receiving a push notification.
In contrast, anyone who’s used tokens has probably experienced the frustration that ensues when you don’t type in your login code fast enough — or, worse, you lose it.
2. Vet vendors. It goes without saying that you want your security solution to be administered, well, securely. That means you need to be able to trust the vendor providing it. Yet, according to a NAVEX Global survey, 32 percent of IT professionals surveyed don’t take steps to assess the security initiatives of the third-party vendors they partner with. That’s troubling, because these companies are just as susceptible to targeted cyberattacks as you are.
Specifically, you can ask prospective vendors questions to gauge their abilities and their fit with your needs. First and foremost, ask what kinds of security practices they follow themselves: Do they have policies that take into account a wide variety of scenarios, and do they have recovery plans in place should the worst occur? If a cybersecurity provider doesn’t follow best practices internally, it’s probably not following them externally. So, steer clear.
Second, dig into the business’s general trustworthiness and approach. Have complaints been lodged against the company? How have other customers felt about the service? Seeking references — as well as licensing information and the Better Business Bureau’s assessment of the firm — is a great way to use others’ experiences to inform your own.
3. Determine uptime. An easy-to-use and secure system goes only so far if your employees have to worry about whether they’re able to access it on the job. So, reliability must be a top priority, too. According to research from the National Cyber Security Alliance/Symantec, 66 percent of businesses surveyed reported that they depended on the internet to operate, and nearly 40 percent said they heavily depend on the internet.
That said, an unreliable MFA system could quickly paralyze those businesses — yours too — if employees aren’t able to access the resources they need to perform their jobs. Your MFA system should guarantee a very high level of uptime — 99 percent or better. If the vendor you have in mind can’t offer this, you might need to do more shopping around.
Some businesses may be required by law to have an MFA system in place because of the industry they operate in or the type of service they provide. Others may not need it at all. As a business leader, you should understand how it works, how it’s evolving and whether it makes sense for your organization.