A study by password manager provider LastPass found that only 26% of U.S. companies are using one of the more vital forms of password security – multi-factor authentication (MFA).
MFA adds a second requirement to account authentication. In most cases, this is a time-sensitive code sent to a user’s pre-registered device. The user must then enter that code to complete login and be granted access to a cloud app or website.
Adding multi-factor authentication to cloud services is the best way to prevent an account breach. In fact, it’s 99.9% effective, according to Microsoft, at preventing fraudulent account sign-ins.
But if it’s so effective, why don’t more companies use it? One major reason is user pushback on the added inconvenience. Employees don’t want to take that extra step to log into all their accounts.
However, the “inconvenience” of a cloud data breach is much worse. Once a bad actor manages to compromise an employee’s login credentials, they can:
- Steal sensitive company data
- Plant malware
- Use business email to send out phishing attacks
- Change security settings
- Lock your company users out
- Access credit card details
- Access company details that enable identity theft
See our article on best practices for implementing MFA.
It’s Time to Implement MFA. Here’s Why.
Multi-factor authentication is an important part of a zero-trust approach for network security, and because of the recent trends in cyberattacks, it’s more vital now than ever to implement it. Here are the reasons why.
Credential Theft Has Become the #1 Cause of Data Breaches
In the latest IBM Security Cost of a Data Breach Report, the number one cause of data breaches has become compromised credentials. This means that unsecured online accounts are riskier than network brute force attacks, malware delivered by email, and other dangers.
With most data and business applications now moving online, the best way to get to that data or cripple a business with ransomware is through a cloud account.
Trying to hack into a provider like Microsoft or Google isn’t doable for most cybercriminals because those companies spend millions of dollars on security every year to fortify defenses. So, the best way in is through a legitimate user login, which bypasses security designed to keep hackers out.
They steal user credentials in a number of ways:
- Phishing emails that trick users into logging into fake sign-in forms
- Purchasing lists of user logins on the Dark Web from large database breaches
- Infiltrating a company network and device and finding passwords stored in an unsecured manner (a plain text document, for example)
The Main Target of Phishing Is Credential Theft
Another statistic that tracks closely with the last one: out of all the phishing attacks being emailed every day, the most popular target is user passwords.
People receive an email that looks like someone they know might be sharing a OneDrive or Dropbox document. They click the link in the email and are taken to a cleverly spoofed version of the legitimate login page.
As soon as they log in, automation takes over and in a split second, their account is hacked, and data is being stolen.
Phishing attackers use various methods like this to trick users into giving up their passwords.
Privileged Credentials Have Become Big Targets
While hackers will take any user login credentials that they can get their hands on, the most prized are those of privileged users. These are users who have higher permission levels in a system.
For example, a privileged user might have “admin” credentials and have the ability to add and remove users, change passwords, access company payment details, and more.
Privileged credential abuse is now involved in 74% of data breaches.
Multi-Factor Authentication Is the Easiest Way to Overcome Poor Password Habits
No matter how much training people have on password security, they tend to fall back into old habits. People will create weak and easy-to-remember passwords, use the same password several times in different accounts, and store passwords in an unsecured way.
Here are some of the bad password habits that contribute to breached accounts:
- The password “123456” is used by approximately 23 million accounts, still!
- 51% of people reuse the same password across personal and work accounts
- 57% of people who fell for a phishing attack still have not changed their passwords
- 52% of people rely on memory for managing passwords
MFA is not reliant on a user adopting good habits. It significantly boosts account security by implementing that one additional step of requiring the one-time, time-sensitive code.
The vast majority of hackers will not have access to the device that receives the code, so even if they have the user’s login, they can’t breach the account.
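What the one-time, time-sensitive code looks like on the server side, as an added example that is not from the original article. It uses TOTP (RFC 6238), where the enrolled device derives the code from a shared secret instead of receiving it, which is a substitution for the "code sent to a device" flow described above; the Account class, password and salt are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30     # seconds each code stays valid
DIGITS = 6


def totp(secret: bytes, now: float) -> str:
    """RFC 6238 code (HMAC-SHA1) for the time window containing `now`."""
    counter = struct.pack(">Q", int(now // STEP))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Account:
    """Hypothetical account record: password hash plus enrolled TOTP secret."""

    def __init__(self, password: str, secret: bytes):
        self.salt = b"constructed-salt"           # sample value; use a random salt
        self.pw_hash = self._hash(password)
        self.secret = secret
        self.last_window = -1                     # last accepted window, blocks replay

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password: str, code: str, now: float) -> str:
        if not hmac.compare_digest(self._hash(password), self.pw_hash):
            return "bad password"
        if not hmac.compare_digest(totp(self.secret, now), code):
            return "bad or expired code"          # password alone is not enough
        window = int(now // STEP)
        if window <= self.last_window:
            return "code already used"
        self.last_window = window
        return "ok"


def demo() -> list:
    secret = b"12345678901234567890"              # RFC 6238 test secret
    acct, pw = Account("constructed-pass", secret), "constructed-pass"
    code = totp(secret, 40)                       # what the enrolled device shows
    return [acct.login(pw, "000000", 40),         # stolen password, no device
            acct.login(pw, code, 40),             # legitimate user
            acct.login(pw, code, 45),             # same code replayed
            acct.login(pw, code, 100)]            # code from an old window
```

Calling `demo()` returns the outcome of each of the four login attempts in order; only the second, with both the password and a fresh code, succeeds.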
Get Help Implementing MFA & Other Important Protections
Don’t leave your online accounts and data unprotected! AhelioTech can work with your Columbus area business to implement multi-factor authentication and other password and account security best practices.
Contact us today for a free quote. Call 614-333-0000 or reach out online.