The growing importance of Multi-Factor Authentication
Every organisation, regardless of its size and the sector in which it operates, must handle huge amounts of data every day. The confidentiality of this data must be ensured at all times.
Protecting the company's information assets is one of the most urgent and crucial challenges top management is currently facing. This challenge lies in the ability to protect critical resources from illicit or unauthorised access.
The exponential acceleration of remote work processes has made it necessary to carefully reconsider the methods of access to data and resources, within a risk management strategy which can no longer be limited to the defence of the company’s physical perimeter.
Smart-working: digital identities at risk
Along with the rise in the number of smart-workers (which grew, in Italy, from 570 thousand to 8 million during the lockdown period [1]), a significant increase in cyber-crime has been observed, to the detriment of users and, in particular, of their identities.
Analysts even talk about a “cyber-war” when describing the large number of attacks that have occurred in recent months. Phishing and credential theft are the most widely used techniques, and they lead to increasingly sophisticated and effective attacks.
According to the latest report published by Verizon [2], more than 80% of the data breaches tied to hacking involved the use of lost or stolen credentials or brute force.
Criminals' interest in personal information, especially when this data is connected to privileged accounts, is more evident in the era of smart-working. Consequently, identity theft represents a real threat: a low-risk, high-reward type of crime from the hackers’ point of view, but extremely harmful to those who become victims.
MFA: the combined approach to access security
In light of the situation we are experiencing, it is crucial to take preventive action, first of all by strengthening the security of access to data and company resources.
The cornerstone of an effective Identity and Access Management (IAM) platform is Multi-Factor Authentication (MFA), which adds multiple layers of security to login procedures with the aim of significantly reducing the risk of unauthorised access.
MFA requires two or more identification credentials to gain access to a protected system. In more detail, identification credentials fall into three categories:
- Something the user knows: password, PIN, security questions, etc.
- Something the user has: smartphone, token, badge, smart-card, one-time password, security key, etc.
- Something the user is: fingerprint, facial/voice recognition, etc.
Traditional authentication methods, relying only on a single username and password, are no longer sufficient to provide a level of security appropriate to the risk, being highly vulnerable to breaches and hacks.
Suffice it to say that, as a recent study conducted by Kaspersky [3] reveals, one in two users admits to not remembering their passwords and to being unable to verify whether their credentials have been compromised.
Moreover, the workarounds users adopt are equally poor practice, for example writing passwords down in a diary, on a post-it stuck to the monitor, in a file stored on the PC or on a USB stick.
Outdated authentication methods, combined with careless user behaviour, constitute a significant risk to information assets, both personal and corporate.
IAM + MFA: the winning combination for security and compliance
As Gartner has also recently recommended, optimal risk management cannot be separated from the implementation of multi-factor authentication mechanisms supporting an effective Identity and Access Management system.
Please be aware that any other network-side security measure, such as antivirus, firewalls, vulnerability testing or malware detection systems, becomes useless against a holder of valid but stolen credentials.
In fact, an apparently authentic login represents an undisturbed access route which can be exploited for a long time and for several unlawful purposes, from data theft to industrial espionage.
By strengthening authentication mechanisms through the request of different factors, identity theft becomes a difficult crime to commit. Even if an attacker is able to obtain the first piece of information (such as a password), the absence of the second factor (for example, a token which is possessed only by the user, or the user's fingerprint) will make the crime much more difficult to accomplish.
To date, in Italy, only 38% of companies claim to integrate access management with multi-factor authentication [4]. This percentage is higher than the global average (27%) shown in the CISO Benchmark Report 2020, but still rather low for a technology capable of bringing significant benefits for company security. However, the Italian figure is the highest at EMEAR level.
The adoption of IAM systems combined with MFA mechanisms also makes it possible to reconcile security with compliance needs, since access protection and strong authentication techniques are gradually becoming regulatory requirements. GDPR, the NIST standard and PSD2 are examples of regulatory frameworks which are gradually integrating, directly or indirectly, MFA among the conditions of compliance. These regulations will approach access security as the first necessary element to ensure identity protection and the security of online transactions.
At a time when risks are heightened by the management of a distributed workforce, acting preventively to protect access security is no longer optional. On the contrary, the implementation of strong authentication mechanisms at the basis of IAM systems must be considered a systematically necessary security measure. This point of view must now be covered by business continuity plans and crisis management. Only from this perspective can cyber security procedures become part of a broader strategy of cyber-resilience, in which data protection, through Identity and Access Management, becomes the first critical element of business security.
Contact us to learn how the MFA functionalities of Monokee can help you protect the confidentiality of your data by reducing the risks, time and costs connected to Identity and Access Management.
____
[1] Data from Osservatorio Smart Working – Politecnico di Milano.
[2] 2020 Data Breach Investigations Report – Verizon.
[3] Defending digital privacy: taking personal protection to the next level – Kaspersky/Toluna 2020.
[4] CISO Benchmark Report 2020 – Cisco 2020.