The past two years have seen record-breaking levels of cyber crime and related losses. As technology becomes ever more integrated in society and criminals become more sophisticated, this trend can only be expected to continue. The common denominator in many successful attacks often boils down to one thing: human error. Whether it’s clicking the wrong link, failing to install updates, sharing a password, or even leaving an electronic device where it can be easily stolen, when it comes to cyber crime, we are often our own worst enemy. In fact, an estimated 95 percent of cybersecurity breaches are due to human error, and these errors are costly. According to IBM, the average total cost of a cybersecurity breach in 2023 was $4.45 million, a 15 percent increase over three years. Fortunately, one of the most effective cybersecurity methods is also the easiest. Don’t give up the keys to your kingdom – protect your data by implementing multifactor authentication whenever possible.
What is multifactor authentication?
This cybersecurity principle goes by several other names, including strong authentication and two-factor authentication (2FA). Multifactor authentication, often abbreviated to “MFA,” is the practice of using more than one method of authentication (i.e., more than one credential) to verify a user’s identity before granting access to sensitive information.
The three most common types of credentials are:
- Something you know: password, passphrase or PIN, etc.
- Something you have: security token or app, verification (text, call or email), or a smart card.
- Something you are: specific computer location or network, biometric security such as a fingerprint, facial or voice recognition, etc.
These credentials can be thought of as multiple types of “keys” that all go to the same door. While the idea of wading through multiple locks may sound frustrating for end-users, in the virtual landscape it can be an extremely effective security tool. In the case of cybersecurity, adding just one extra lock to the proverbial door to your organization’s data can mean the world of difference when other more traditional credentials become compromised.
Protect your data by implementing multifactor authentication
The most common example of MFA today is the combination of a username and password (things that you know), followed by a one-time, randomly generated verification code (something you have) sent to a secondary, trusted device by text, call or email. This system has a variety of benefits:
- Speed – It requires only one extra step to successfully log in.
- Ease of use – Since verification codes are randomly generated and only used once, it does not become an additional piece of login information you are required to remember.
- Effectiveness – Just one additional piece of verification information can make it exponentially more difficult for thieves and potential hackers to gain unauthorized access to your systems.
- Alerts – If you receive an unsolicited MFA verification code or request, this may be a sign that your traditional credentials have been compromised and someone is attempting to hack into your account. This warning would then allow you to immediately alert your service provider and update your compromised username or password.
When to protect your data by implementing multifactor authentication
The short answer is: always. If MFA is available, it should be enabled immediately, and if it’s not readily available, it should be implemented as soon as possible through alternate means. Remember, the more locks that are on the door, the harder it is for a thief to gain entry.
In more specific terms, your organization’s cybersecurity policies and procedures should always require MFA for the following types of accounts:
- Storage of sensitive or personally identifiable information
- Primary email accounts
- Financial accounts or storage
- Health records accounts or storage
It is strongly recommended that your organization require, at a minimum, that these and similar types of accounts be protected with MFA. Employees and volunteers should also be encouraged to become familiar with the concept of MFA and make use of it in all the systems they use while carrying out their duties.
Our own worst enemy
Remember, human error is often the greatest common denominator when it comes to successful cybercrime. It’s not a question of “if” someone in your organization slips up – it’s “when.” That being the case, making sure there are additional locks on your sensitive data – and extra “keys to your kingdom” – can make a big difference between a successful cyberattack and a thwarted breach when traditional credentials are compromised. As cybercrime and losses continue to escalate, protect your data by implementing multifactor authentication whenever possible.
For more information regarding cybersecurity, please refer to the following publications from the Cybersecurity & Infrastructure Security Agency (CISA) as a part of Cybersecurity Awareness Month 2021:
CISA: Cybersecurity 101
CISA: Phishing & Spoofing
CISA: Creating a Password