Don't rely on a password alone to protect your online accounts!

Everyone has information that must remain confidential. These days it's quite likely that this information sits in an account that is accessible on the internet, where it is at increased risk of exposure. It doesn't have to be a business account either; consider a personal email account such as Gmail. I know people who live out of their personal Gmail account, the one place that holds every email, document and contact they have. If their password fell into the wrong hands it would be a disaster, and unfortunately account breaches are now part of everyday life.

In fact, your account details, including your password, may have already been exposed in a data breach. You can check whether your email address appears in a known breach at the following site: Have I Been Pwned?

Most cloud services provide additional protection against unauthorised account access through what's called multi-factor authentication (MFA), or more specifically two-factor authentication (2FA), since it commonly involves a password plus one additional piece of information to prove your identity. The second factor, something you have, is generally a hardware token or your mobile phone, either through an app such as Google Authenticator or via an SMS code. If your password is compromised, your account still has an additional layer of protection and can't be accessed without your phone. It should be noted that some MFA methods aren't as secure as others. SMS codes, for instance, are susceptible to being hijacked, because porting a phone number is not difficult. Hardware tokens or authentication apps are preferred.

Is MFA enabled on your LinkedIn or personal email account? If even one person enables MFA on their LinkedIn account after reading the blog, I'll give myself a pat on the back and break out into the happy dance. Think Gangnam style with a healthy dose of dabbing thrown in.

When it comes to business services, MFA is often overlooked, putting critical business information at risk. If the same username and password are used across many services, the risk of exposure is even greater. Often this means a mix of on-premises and cloud systems that share the same credentials and are quite likely accessible from the internet. Using one sign-on everywhere is convenient, but it means that if account details are phished, data may be exposed across many systems. Access to one set of credentials could spell disaster for a business.

Protecting business cloud apps is easy; often it's just a case of enabling MFA and enrolling your device. Some applications are even starting to make it mandatory. Xero, for instance, is now enforcing MFA for all logins, in line with new ATO recommendations. You may have noticed the same happening for bank accounts and other government logins.

What about other applications sitting on server-based infrastructure? These still make up the majority of applications for many businesses. It's not always easy to implement MFA on these systems, so companies can sometimes put the implementation into the too-hard basket and move on. Unfortunately, putting your head in the sand is not an effective risk mitigation strategy (trust me, I'm an expert). If these systems are exposed to the internet then they should almost certainly be protected with MFA. If a particular application does not support MFA, the typical solution is not to expose it directly to the internet, but to put it behind an MFA-enabled gateway or VPN.

MFA is still one of the most effective controls a company can implement to prevent an attacker from gaining access to an account and the sensitive information it contains. At a minimum it should be in place for all internet-facing services, and additionally for any access to internal systems containing sensitive data and for anyone performing privileged actions, such as administrators. I know we are probably still building trust in our relationship, so if you can't take my word for it, take a look at the Essential 8 strategies from the Australian Signals Directorate. They have a great maturity model built around those strategies.


Colin has over 20 years consulting experience working with organisations ranging from small business to large enterprises. He has consulted in the United Kingdom, Canada and Australia. He specialises in Microsoft based technology solutions, disaster recovery implementations and information security.