Consider this: One of your employees, let’s call him James, is attending a conference in Philadelphia. While waiting for the next speaker, James decided to catch up on email from work. Since he doesn’t have great cell service, he checked the available Wi-Fi and found one that looks legitimate as it bears the name of the conference. So, he joined the network and logged into his Office 365 account to reply to some emails. Just like that, James has unknowingly entered a cybercriminal’s network and allowed the attacker to monitor his work activities and steal his credentials. The attacker has infected several of his contacts with malware, which your clients have traced back to your company, severely damaging your reputation and ruining your business. James, as you might have surmised, doesn’t have Multi-Factor Authentication (MFA) on his device.

At the recent RSA Security Conference, Microsoft’s Director of Identity Security, Alex Weinert, revealed that nearly 1.2 million Microsoft enterprise accounts will be compromised each month. 99.9% of those compromised accounts do not have Multi-Factor Authentication. Weinert also stated that among enterprise cloud users, there is only an 11% MFA adoption rate. Essentially, 89% of users have not enabled the most effective tool against cyberthreats within their organization. This is exactly the case with one of this year's high-profile cyberattacks—Colonial Pipeline, the largest fuel pipeline in the U.S., fell victim to a major cyberattack because of an account that didn't have MFA.

Despite security measures improving by leaps and bounds, cyberattacks remain (and will continue to be) a looming threat to your business.  It is National Cybersecurity Month, and it's important to stay vigilant and put a spotlight on security to protect your IT infrastructure. Let’s talk about the importance of secure access management and effective policy implementation so you and your team can all play your part and start leveraging MFA to protect your business against threats.

What is Multi-Factor Authentication, and Why Do I Need It?

Simply entering your username and password to access your accounts is not secure (at least not anymore in today’s digital world). It is only a matter of time before a hacker could crack your passwords using trial-and-error methods on advanced application programs or brute force attacks. With Multi-factor authentication (MFA) you are required to enter two or more pieces of information to gain access to an account. This added layer of security makes it that much harder for hackers to gain access to your data. For instance, instead of just stealing your password, they now must steal your cell phone as well.

MFA provides an additional layer of security by requiring two or more different forms of authentication (a.k.a. authentication factors) rather than just a simple username and password combination. These authentication factors include:

  • Knowledge factors—something you KNOW, such as a password or an answer to a security question
  • Possession factors—something you HAVE, such as a mobile device, a smart card, or a proximity badge
  • Inherence and Location factors—something you ARE, biometrics such as your fingerprints, facial characteristics, or voice recognition, and your geographic position

Microsoft and Google, two of the most-attacked platforms in the world, have both gone on record to say that MFA will stop 99.9% of account attacks. You have to do your part and make sure that you are leveraging MFA to protect yourself as well as your most vulnerable access points, i.e. your employees. Encouraging your team to prepare for the worst is actually a proactive strategy—one that requires teamwork augmented with the capabilities of a reputable Managed Service Provider (MSP).

The TNS Group can be a great resource to get started on deploying MFA for your business. With Duo authentication for Palo Alto GlobalProtect, we can help your business to start using MFA to control access to internal IT systems and solutions, as well as customer-facing applications. Whether you work in financial services, healthcare, insurance, logistics, or nonprofit, you can benefit from using MFA to protect against data leakage, fraud, and abuse.

You Need MFA for Your VPN and Email!

Enforcing MFA for all your corporate applications including email, remote desktop, and VPN connections will protect your corporate network from malicious attacks and cybercriminals trying to steal and sell your credentials on the dark web. Your organization’s VPN keeps your corporate network secure, so enforcing MFA for the VPN connection adds extra layer of security to your entire corporate infrastructure.

Let’s back up a little bit… What is a VPN? A Virtual Private Network (VPN) extends the private network of your office across shared or public networks for your off-site users. Essentially, a VPN creates a private tunnel from a device to the internet and hides your virtual data through encryption. Encryption scrambles your data and makes it unreadable, therefore protecting the information being transmitted from anyone trying to eavesdrop on your activities. How? Your device’s internet connection is routed through the VPN’s private server rather than your internet service provider (ISP); when your data is transmitted to the internet, it comes from the VPN rather than your computer, encrypted and undecipherable to hackers but accessible to you. All devices connected to the VPN reap the security and functionality benefits of your private network.

Remember James from our story earlier? Well, browsing the web, emailing, exchanging passwords, credentials, and other sensitive information, and all the other activities he was doing on his device could be exposed to his hacker as James was conducting his activities on a Wi-Fi network created by the hacker. That’s why it is imperative that organizations and their employees utilize a VPN especially in this age of working from anywhere.

As valuable as VPNs are, however, they’re not the antidote to all cyberattacks. Protecting your organization’s VPN against user credential theft with MFA adds an additional layer of defense. When defenses are layered in-depth, with Duo Mobile’s sophisticated MFA protecting your VPN, you can:

  • Protect against phishing threats and reduce the risk of data breaches
  • Authenticate all users accessing your organization’s applications or files
  • Establish a consistent log-in process for both VPN and cloud services
  • Gain actionable insights into your team's access devices, and more

How to Effectively Roll Out MFA

Anything new is often perceived as a disruption in the way things are normally done. For your employees, implementing MFA could mean complaints from users who run into problems while trying to do their job. To help simplify the transition, we’ve outlined our approach to successfully secure your work environment with MFA. Choosing to partner with an award-winning MSP will make the transition easier, seamless, and more cost efficient.

  1. Before getting technical, remember that securing your organization through MFA is a job for everyone, because you need to maintain your day-to-day business operations amid the transition.
  2. Sell employees on the idea and provide training opportunities along the way. Acknowledge feedback as well as resistance as part of the 'process.' Your staff needs to understand that MFA is there to protect them (not there to ‘spy’ on their activities).
  3. Awareness is key. Put up infographics, send email broadcasts, provide FAQs and training videos, explaining why you’re making the transition to MFA. Make it very clear what they will need to do and where they can find instructions, documentation, and support.
  4. Perform a risk analysis and create a prioritization matrix of all business-critical systems. This process is necessary in determining where in the company’s IT environment and in what order MFA needs to be implemented.
  5. Ensure users are registered for two or more MFA methods, so they have a backup in case one is unavailable. Avoid using SMS if possible—the service is not encrypted, vulnerable to phishing, and prone to outages. Phone-based authentication apps like Duo Mobile do the job and won’t require your staff to hand over control of their personal device. Using biometric identifiers such as fingerprints, iris scans, and voice patterns, is a great option too.
  6. With Bring Your Own Device (BYOD) policies becoming the norm, you have to enroll all your mobile devices in your MFA solution.  Secure them through Mobile Device Management (MDM)—your MSP can significantly help you with that too.
  7. Plan for failed sign-ins and account lockouts. Human errors are bound to happen—your staff will not always get their sign-ins right. You need a trusted partner to make it easy for them to get help and get back to work quickly.
  8. Plan how you will handle lost devices. Encourage immediate reporting of any lost or stolen devices by making the process convenient and friction less. You want your team to be able to disassociate a lost device or key from their account as soon as possible. Speed of recovery is critical to minimize downtime.

MFA isn’t a switch you flip, as Microsoft put it; it’s a commitment toward cybersecurity and business continuity. Approached the right way, it’s by far the most effective layer to secure your business against cybercriminals. If your workforce has gone remote and you fear you might be lacking these extra layers of security, contact the security experts at The TNS Group today. We are here to protect your organization’s network from malicious attacks and help educate your employees on the importance of MFA to ensure working from home is not a business risk.

Categories: Managed Service Provider, MSP Blogs