Multi-factor authentication (MFA) is a cyber security protocol that requires users to provide two or more verification factors to gain access to a device, software application, online account, or other digital resource. With MFA in place, devices and accounts cannot be accessed even if hardware (smartphone, laptop, etc.) and/or a single password falls into the wrong hands. It’s an effective method, but in 2022 (and beyond) businesses are wondering if MFA offers the same peace of mind that it once did. IT experts don’t think so, because cybercriminals are now designing their attacks around MFA.
But how can a cybercriminal possibly get around the need for a secondary or tertiary code/PIN that only the intended user knows? Namely through social engineering, a term covering a broad range of malicious activities carried out through human interaction. Phishing schemes that attempt to trick email recipients into giving up the goods (authenticator data) are a prime example, as are SMSishing (phishing via text) and vishing (phishing via voice/phone call). Furthermore, attackers are using your staff’s fears about cybersecurity as the means to break through the walls of MFA. They pose as tech-support personnel for a partner provider and claim an emergency, stating that they require access to protect an account from an attack in progress. They may also pretend to be an executive from within your own company – even you!
Cybercriminals are not just leveraging their talents with code; they are executing psychological warfare on your company staff. So is MFA enough? No, it isn’t. Below is what else your company needs to do.
What Else Your Company Can Do to Protect Against Cyber Attacks on Staff in Addition to Multi-Factor Authentication
Train Staff (Executives Included) in What to Watch Out For
Create a company-specific handbook about social engineering and phishing prevention and share it with your staff so that they are educated on what the tactics are, how to identify them, and how to avoid falling prey. This handbook should also identify who the top five targets are within your organization. The manual must also establish an easy-to-follow reporting procedure for staff if/when they receive suspicious communications that request MFA data or access. Please note that the entire organization will need training, whether in-office, on the floor, or working remotely from home or abroad.
Don’t Allow Requests for MFA Data
Let all account holders know that you (or any party not explicitly designated) will never ask them to provide a password or PIN via email, SMS text, or over the phone. In fact, MFA data should only be known by a single account/device holder and a single designated IT security staff member. The latter should only be permissible for a company-provided device. For company-provided devices, a request for MFA data can only be made in person or via a form of communication that audibly and visually confirms the IT security staff member’s identity, such as Zoom. But even then, the MFA password or PIN must be sent in a separate communication to prevent it from being captured by a “listening” intruder.
Err…Install MFA
This might be embarrassing for some business owners reading this. The entire subject assumes that you’ve instituted an MFA protocol for all company-wide devices in the first place. There’s a good chance that you haven’t, especially if staff are permitted to use their own devices. Recent data finds that over 43% of surveyed IT security decision-makers and practitioners do not have MFA deployed in their companies. That’s nearly half! If you haven’t already, do so. If unsure, inquire with your IT department today, or consult with a managed services provider (MSP) to receive an outside audit.
Get Better Cyber Coverage
There are over half a million new malware strains being detected every single day. Moreover, cybercriminals are working around the clock to subvert existing MFA protocols with ever more clever phishing schemes. Despite strict adherence to the advice provided above, your company will invariably experience a cyber attack in some shape or form in the future. The only way to truly prepare your business is to secure the most comprehensive cyber insurance coverage possible. View cyber insurance coverage currently available to BC companies, and please do contact Park Insurance to schedule an appointment to discuss the best option(s) for your organization.