July 21, 2021//Isa Jones
A crucial aspect of cybersecurity was missing from Colonial Pipeline when a criminal hacking group was able to access a shared internal drive and demanded close to $5 million in exchange for the files: multi-factor authentication.
Multi-factor authentication (MFA) is, according to TechTarget, a security system that requires two or more methods of authentication from different categories to verify a user’s identity at login, and it is a major component of a secure network. Think of it like an ATM, where both a physical card and a personal PIN are needed to access information about any given bank account.
While Colonial Pipeline’s CEO testified to Congress that the compromised password was complex (always a best practice), relying on just one form of authentication can leave companies vulnerable, especially as ransomware attacks become more frequent and sophisticated.
No system is one hundred percent safe from attempted attacks, but adding multi-factor authentication can be a major line of defense, especially when the system, like Colonial Pipeline’s, interacts with third parties. There are many advantages to multi-factor authentication.
1. Multi-factor authentication increases security with third parties and organizations. If you’re a large corporation, like Colonial Pipeline, third parties are likely accessing your systems for a variety of business reasons. Depending on your size, the number of individuals coming in and out of your systems could be in the hundreds or thousands, which isn’t easy to keep track of. Adding another form of authentication, be it mobile, biometric, or physical, creates a layered defense.
2. MFA better controls who has access to your files. Instead of relying on passwords alone, which can be passed around or duplicated, multi-factor authentication helps an organization define who does and doesn’t have access to sensitive or confidential data. According to the 2021 Ponemon report, 51% of respondents surveyed aren’t assessing the security and privacy practices of third parties before granting them access to sensitive and confidential information. In addition, 65% of respondents haven’t identified the third parties who can access the most sensitive data in their organization. Requiring two or more factors not only limits access but also helps ensure that whoever accesses the data is, and only is, the individual listed as having access.
3. It offers a variety of choices to meet your security needs. Multi-factor authentication draws on three common categories of credentials: what the user knows (a password), what the user has (a security token), and who the user is (a secure biometric verification). While at least two of these categories must be used for authentication to count as multi-factor, which ones are chosen, and how broad the access granted to internal and external parties is, can be adjusted to meet a company’s logistical and security needs. In addition, solutions like adaptive MFA, single sign-on, and push authentication can be implemented with little effort.
4. MFA helps meet regulatory requirements. HIPAA compliance requires that all access to ePHI be limited to authorized personnel. Implementing technical safeguards that prevent unauthorized access, like multi-factor authentication, accomplishes this while also supporting the review of access, another HIPAA compliance requirement. Similarly, various government institutions have to adhere to the CJIS Security Policy, which requires government cybersecurity programs to implement multi-factor authentication. This security control helps protect an organization while meeting external requirements.
5. It takes away password risks. For as long as passwords have been used, they’ve been cracked or guessed. Over 65% of accounts use duplicated passwords, so if a bad actor finds the password for an employee’s email account, there’s a 65% chance they’ve also just found the password for secure or sensitive information deeper in the network. Good practice is to require unique, complex passwords. Better practice is multi-factor authentication.
1. Multi-factor authentication takes more time. Not only does entering two or more forms of authentication add time to a process, but the setup itself can be time consuming. Good multi-factor authentication should be configured for both internal employees and external vendors, and getting everyone set up with the right access and tools doesn’t happen overnight.
2. MFA isn’t free. A business can’t set up multi-factor authentication by itself; it has to be outsourced. While the initial cost may be high, the cost of a hack is even more significant, at least for Colonial Pipeline, which paid $4.4 million.
While MFA comes with its share of cons, it is still considered one of the highest levels of security that all organizations should aim to implement to keep their employees, networks, and customers secure. Here is how some of those cons can be turned into benefits of multi-factor authentication:
For more security best practices, download this checklist for granting network access to third-party vendors.