ENHANCING AND COMPLEMENTING THE EFFECTIVENESS OF MULTIFACTOR AUTHENTICATION
We have witnessed first-hand the shock that many leadership teams and boards experience when, after deploying multifactor authentication (MFA) tools, they nonetheless sustain a cyber breach.
What is the promise and purpose of MFA? In brief, it is an approach to information security that requires a user to present two or more credentials, to reasonably establish that they are who they purport to be, before being granted access to corporate email accounts, devices, databases, systems or assets. For example, a user might be asked to type in something that she knows, such as a pre-established password, and then asked to confirm that she is in physical possession of a pre-identified device, such as her mobile phone, by entering a code that has been generated within the prior 30 seconds by an application on the phone.
So how can a cyber incident still be possible? After all, MFA is lauded as an important tool for reducing the risk from hackers. In fact, it is increasingly required by insurance carriers as a prerequisite to writing a cyber insurance policy, recognising that it can be as important a risk mitigation tool as wearing a seatbelt in a car.
However, while the deployment of MFA can reduce the risk of a cyber breach, the mere act of deploying MFA does not eliminate such risk. In tracking hundreds of crime syndicates, we have observed that motivated threat actors frequently identify ways to bypass less sophisticated implementations or incomplete deployments of MFA, and have successfully exploited other security vulnerabilities to gain unauthorised access to corporate systems.
On the other hand, we have also observed that the companies with the strongest defences typically use a layered approach to information security, leveraging MFA as an important element of their defence stack, while layering on other defences as well.
Jan-Mar 2022 Issue
Charles River Associates