
The growing importance of Multi Factor Authentication

Every organisation, regardless of its size and the sector in which it operates, handles huge amounts of data every day, and the confidentiality of that data must be ensured at all times.

Protecting the company's information assets is one of the most urgent and crucial challenges top management currently faces: the ability to protect critical resources from illicit or unauthorised access.

The exponential acceleration of remote work has made it necessary to reconsider carefully how data and resources are accessed, within a risk management strategy that can no longer be limited to defending the company's physical perimeter.

Smart-working: digital identities at risk

Along with the rise in smart-workers (which in Italy grew from 570 thousand to 8 million during the lockdown period [1]), a significant increase in cyber-crime targeting users and, in particular, their identities has been observed.

Analysts even speak of a "cyber-war" to describe the large number of attacks that occurred in recent months. Phishing and credential theft are the most widely used techniques, leading to increasingly sophisticated and effective attacks.

According to the latest report published by Verizon [2], more than 80% of the data breaches tied to hacking involved the use of lost or stolen credentials or brute force.

Criminals' interest in personal information, especially when it is linked to privileged accounts, is even more evident in the era of smart-working. Identity theft is therefore a real threat: a low-risk, high-reward crime from the attackers' point of view, but extremely harmful to its victims.

MFA: the combined approach to access security

In light of the current situation, it is crucial to take preventive action, starting with strengthening the security of access to company data and resources.

The cornerstone of an effective Identity and Access Management (IAM) platform is Multi-factor Authentication (MFA), which adds multiple layers of security to the login procedure with the aim of significantly reducing the risk of unauthorised access.

MFA requires two or more credentials, drawn from different categories, to gain access to a protected system. The credentials come from three categories:

  • Something the user knows: password, PIN, security questions, etc.
  • Something the user has: smartphone, token, badge, smart-card, one-time password, security key, etc.
  • Something the user is: fingerprint, facial/voice recognition, etc.

Traditional authentication methods that rely on a single username and password are no longer sufficient to provide a level of security appropriate to the risk, since they are highly vulnerable to breaches and hacks.
Suffice it to say that, as a recent study by Kaspersky [3] reveals, one in two users admits to not remembering their passwords and to being unable to verify whether their credentials have been compromised.
Moreover, the workarounds users adopt are equally poor practice: writing passwords in a diary, on a post-it stuck to the monitor, in a file stored on the PC or on a USB stick.

Outdated authentication methods, combined with careless user behaviour, constitute a significant risk to information assets, both personal and corporate.

IAM + MFA: the winning combination for security and compliance

As Gartner has also recently recommended, optimal risk management cannot be separated from the implementation of multi-factor authentication mechanisms supporting an effective Identity and Access Management system.

Note that any other network-side security measure, such as antivirus, firewalls, vulnerability testing or malware detection systems, becomes useless against someone holding valid but stolen credentials.

An apparently legitimate login provides an undisturbed access route that can be exploited for a long time and for many unlawful purposes, from data theft to industrial espionage.

By strengthening authentication mechanisms through the request for different factors, identity theft becomes a difficult crime to commit. Even if an attacker manages to obtain the first factor (such as a password), the absence of the second factor (for example, a token possessed only by the user, or the user's fingerprint) makes the crime much harder to accomplish.
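The "something you know" plus "something you have" combination described above, as an added example that is not part of the original post or of Monokee's product: a minimal login check that requires both a correct password and a correct time-based one-time password (TOTP, RFC 6238) from an enrolled authenticator. The TOTP secret used here is the published RFC 4226/6238 test key, chosen only so the codes are reproducible; the user name and password are constructed sample values.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Constructed demo values: the RFC 4226/6238 test key (never a real secret)
# and a sample user. PBKDF2 iterations kept modest so the demo runs quickly.
DEMO_TOTP_SECRET = b"12345678901234567890"
PBKDF2_ITERATIONS = 100_000
TOTP_STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP_SECONDS) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step counter."""
    return hotp(secret, unix_time // step)


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-SHA256 hash; returns (salt, hash) for storage."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    # Constant-time comparison so a mismatch leaks nothing about the stored hash.
    return hmac.compare_digest(candidate, stored_hash)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current code and +/- `window` adjacent steps to absorb clock drift."""
    accepted = False
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * TOTP_STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            accepted = True
    return accepted


def enroll_user(username: str, password: str, totp_secret: Optional[bytes] = None) -> dict:
    """Create a user record: hashed password plus an authenticator secret."""
    salt, pw_hash = hash_password(password)
    return {
        "username": username,
        "salt": salt,
        "pw_hash": pw_hash,
        "totp_secret": totp_secret if totp_secret is not None else secrets.token_bytes(20),
    }


def mfa_login(record: dict, password: str, code: str, unix_time: Optional[int] = None) -> bool:
    """Grant access only when BOTH factors verify.

    Both checks always run, and the caller is told only pass/fail, so an
    attacker holding a stolen password cannot learn that the password alone
    was correct.
    """
    now = unix_time if unix_time is not None else int(time.time())
    password_ok = verify_password(password, record["salt"], record["pw_hash"])
    code_ok = verify_totp(record["totp_secret"], code, now)
    return password_ok and code_ok


if __name__ == "__main__":
    alice = enroll_user("alice", "correct horse battery staple", DEMO_TOTP_SECRET)
    t = int(time.time())
    good_code = totp(DEMO_TOTP_SECRET, t)
    print("password + valid code  :", mfa_login(alice, "correct horse battery staple", good_code, t))
    print("password, no valid code:", mfa_login(alice, "correct horse battery staple", "000000", t))
    print("stolen code, wrong pw  :", mfa_login(alice, "guess", good_code, t))
```

The second and third `print` lines are the point of the post: knowing the password without the authenticator, or vice versa, yields the same failure as knowing neither.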

To date, in Italy, only 38% of companies claim to integrate access management with multi-factor authentication [4]. This percentage is higher than the global average (27%) reported in the CISO Benchmark Report 2020, but it is still rather low for a technology capable of bringing significant benefits to company security. The Italian figure is nonetheless the highest at EMEAR level.

The adoption of IAM systems combined with MFA mechanisms also brings security together with compliance needs, since access protection and strong authentication techniques are gradually becoming regulatory requirements. GDPR, NIST standards and PSD2 are examples of regulatory frameworks that are gradually incorporating MFA, directly or indirectly, among the conditions for compliance. These regulations treat access security as the first necessary element for protecting identities and securing online transactions.

At a time when risks are heightened by the management of a distributed workforce, acting preventively to protect access security is no longer optional. On the contrary, the implementation of strong authentication mechanisms at the basis of IAM systems must be considered a systematically necessary security measure, and one that must now be covered by business continuity and crisis management plans. Only from this perspective can cyber security procedures become part of a broader cyber-resilience strategy, in which data protection, through Identity and Access Management, becomes the first critical element of business security.

Contact us to learn how Monokee's MFA functionalities can help you protect the confidentiality of your data by reducing the risks, time and costs associated with Identity and Access Management.

____

[1] Data from Osservatorio Smart Working – Politecnico di Milano.

[2] 2020 Data Breach Investigations Report – Verizon.

[3] Defending digital privacy: taking personal protection to the next level – Kaspersky/Toluna 2020.

[4] CISO Benchmark Report 2020 – Cisco 2020.

CYBER (IN)SECURITY: perception and mitigation of a global threat

Data and cyber security, being an intangible concept, was long relegated to a marginal position within organisations. Technological evolution did not go hand in hand with the development of risk awareness and of the need to adopt appropriate cyber security countermeasures.

However, the threat has reached an unprecedented scale. Even those who considered data security a relatively insignificant matter are starting to take into account the risk of becoming victims of attacks that are ever more numerous and difficult to contain.

CYBER SECURITY: between subjective and objective security

Ever-growing attacks

The scenario described in the latest Clusit Report on IT security, at Italian and international level, is far from reassuring.

The year 2019 is defined as "the worst year ever", during which "a point of no return has been passed" regarding cyber security. We are witnessing a very rapid evolution of threats, actors and attack methods, capable of causing increasingly severe effects on their targets.

The data outline a growing trend: globally, the number of serious attacks recorded in 2019 is +37.5% higher than the average number of annual attacks recorded over the last six years. Using the same classification criteria, the number of publicly known attacks that occurred in 2019 increased by +91.2% compared to 2014.

In the vast majority of cases (83%), attacks are now driven by cybercrime, up +12.3% compared to 2018 and +163% compared to 2014.

However, the Clusit Report stresses that these figures represent only part of the real number, since they cover only successful attacks, or at least those of which the victims are aware.

Cyber-risk: in first place among the concerns of business leaders

Several reports are beginning to detect a shift in the perception of the risk of falling victim to a cyber-attack. This awareness, especially from a business point of view, is becoming increasingly widespread and evident.

According to the Regional Risk for Doing Business Report 2019 published by the World Economic Forum, global concern about cyber-risk has increased substantially, moving into second place among the fears most felt by business leaders, compared with fifth place in 2018. In Italy and in Europe this concern even ranks first.

Similarly, the risk of fraud or data theft is in the top five in Italy, while at European and global level it ranks sixth and seventh respectively. It is worth noting that, until 2012, cyber-attacks were not even categorised in this Report, but only marginally mentioned as "new risks to consider".

Along the same lines, the BCI Horizon Scan Report 2019, published by the Business Continuity Institute, states that concerns about cyber-attacks and data breaches rank first and second respectively (globally) among the threats most felt by organisations. These figures, confirmed also for 2020, had never occupied the top positions in previous years.

Although from a different point of view, the same picture emerges from research conducted by Netwrix in October 2019 on the priorities of IT professionals for the following year. At both Italian and global level, first place is occupied by data security, reflecting the concern about the risks (perceived and real) in the field of cyber-security. It is worth noting that, in the Italian case, the second priority in the ranking is data privacy, which sits in fourth position globally (preceded by automation of manual operations and cyber-security awareness among employees).

There may be several reasons behind this ongoing change of direction.

First of all, from a financial perspective, the impact of a cyber attack on the organisation would result in severe economic repercussions. The damage caused by a service interruption is made more serious in the case of a data breach or disclosure of personal data, as provided for by the GDPR. The penalties imposed by the European Regulation reach €20 million or up to 4% of a company's annual worldwide turnover.

Another relevant element, in terms of both time and resources, is the cost of containing an attack, especially when the attack stems from pre-existing weaknesses in the organisation's structure, equipment and awareness of the risks.

Furthermore, reputational damage must be considered: it cannot be quantified, but it can considerably undermine the corporate image, customer loyalty and the credibility built up over time.

MFA: the importance of a risk-based approach

After a first step forward in risk awareness, immediate further action is now needed to implement appropriate strategies to mitigate exposure to threats. In this way it is possible to bring together subjective and objective security.

Awareness and corporate training must be supported by appropriate governance procedures and by event and incident management, with the aim of detecting any attack without delay and adopting effective containment and recovery strategies.

In this regard, the latest Clusit Report highlights the importance of protecting and regulating access to data and critical resources through the most effective techniques. The Report describes Multi-Factor Authentication (MFA) as "the most promising avenue", the strongest and hardest to bypass available today. The possibility of combining different authentication methods, adding further layers of security to access and transactions, makes system compromise more complex and harder to achieve, keeping company data safe.

Among the many urgent issues of the moment, it is necessary to bear in mind the importance of strengthening the protection of company resources from illicit or unauthorised access by promoting a risk-based approach.

Today, data protection goes beyond the physical defence of the enterprise perimeter, moving towards the protection of information: an intangible resource, but not a secondary one.

Therefore, consolidating a risk culture, properly supported by preventive technical and organisational measures, is the most beneficial approach in this scenario of uncertainty, capable of turning business challenges into opportunities.

Discover how Monokee's MFA features can help you prevent unauthorised access to your business data.