As we’ve discussed a few times in the last few years, cyber-attacks are an increasingly dangerous threat to businesses everywhere – growing both in number and sophistication. Nobody is immune: if your business relies on your network, it is impossible to avoid some amount of risk. So, what can be done about it?
Network security, like all forms of security, is about layers. No single solution can provide complete safety all on its own, but each security measure you add is one more layer in the protective barrier. One such solution you’ve probably heard a lot about recently is Two-Factor or Multi-Factor Authentication (2FA, or MFA).
The concept itself is pretty straightforward. MFA requires multiple authentication factors (so, a password plus one or more additional credentials of some kind) to access a resource or application. The other authentication factors can vary significantly in type: a one-time-use code sent to a mobile device, a biometric like a fingerprint, retinal scan or voice recognition, or answers to security questions.
Simple, right? So simple, in fact, that most people probably already understand it and likely have been forced to either use or opt-out of it by at least one piece of software at some point. This raises one clear question: if we know what it is, and we know (at least in the abstract) that it keeps us safer, why is the MFA adoption rate still alarmingly low?
To help address some of the common questions and misconceptions still out there about MFA, we’re bringing in an expert: Adam Baer, our Director of IT Services.
Isn’t that just used by banks? How does that apply to my business?
Adam: It’s true, banks have been early adopters of MFA. They have a high-value asset to protect… your money. With today’s threats like Ransomware and automated hacking services, the small and medium businesses are becoming a bigger target. It’s important that we all adjust our frame of mind accordingly – if it’s high-value to you, you should protect it with MFA.
Isn’t it a big hassle to use/will my users hate it?
Adam: MFA today has been simplified with the end user experience in mind. There are many options available today that add security while still allowing you to keep things simple. On a day-to-day basis, you could be adding as little as one extra button-press to the process of accessing your network resources, while making your network much more secure.
What if users aren’t carrying their company phone; will they be locked out?
Adam: No, users won’t be locked out. There are several methods to work around this. One solution might be a call to the help desk to get a day-code, while other solutions might include email authentication or a second mobile device.
I use a VPN, do I really need MFA?
Adam: VPNs are often confused with MFA, presumably because they are both security related acronyms. While a VPN provides encryption for remotely accessing a computer network, MFA provides an additional layer of security by prompting for real-time human interaction to access resources. If a “Bad Actor” has your password they can make a VPN connection. MFA will prompt for a second credential and stop their access.
Is the added security worth the cost?
Adam: These days, demand is being driven in part by the insurance industry, who are now including an advanced security assessment in the audits to determine if you qualify for Cyber Liability insurance. The costs to implement added security measures like MFA are coming down as demand increases. More broadly, here’s how I recommend thinking about it. For the most part, MFA is available for a relatively affordable monthly fee. How “affordable” would a security breach be for your business? In many or most cases, the investment makes sense.
