Multi-Factor Authentication – why you need it

From a thief’s perspective, stealing electronic data is the best type of crime there is: it’s easy to transport, there’s almost no risk of violence and you can steal from people who are across the globe from you.  All you need is their password.  With it, you can log into their email and send messages as the CEO to the accounting department to have them wire money to your account.  You can also remote into the network as the administrator and steal the company’s data to sell it on the black market, or just encrypt it to sell it back to them (see our earlier post on ransomware).  You just need the password.

Well, there is one very simple way to defeat this in almost every scenario.  It’s called multi-factor authentication (MFA) and it is sometimes also called two-factor authentication.  The name comes from the number of “factors” required to authenticate you.  Your password is one factor (that’s single-factor authentication).  But what are the other factors?

There are three types of authentication factors:

  1. Something you know.  Again, this would be a password or passphrase, or in the case of your debit card, your PIN.
  2. Something you have.  This could be anything that you possess: a cell phone to receive an authentication text, a physical card (again, like your debit card) or a token that generates a new, unguessable number every 60 seconds (you’ve probably seen the ones from RSA on people’s key rings).
  3. Something you are.  This could be anything that is unique and part of your body.  Your fingerprint is the most common example, but it could also be your unique iris “print”, your voiceprint, or even the way that you type (yes, it has been shown that people can be told apart very accurately by the way they type: speed, pressure, mistakes, etc.).

So, why is this so useful?  Back to our example of stealing from the person across the globe.  Say you are the victim in San Francisco and I’m the thief in Singapore.  If I buy your password off the “dark web” and you DON’T have MFA enabled on your account, it’s game over for your account: I’m in and I can do what I’d like as you.  However, let’s say you DO have MFA enabled and you need to use the number generated by that RSA token on your keyring whenever you log in remotely.  When I, as the thief, get prompted for that number, I have no way of knowing it unless I also managed to steal that device from you.  But I’m in Singapore, so that’s a pretty difficult thing to do, and you’d probably notice it was gone even if I did go to the extreme effort of trying to get it.

Almost all of the cyber thefts that occur involving small businesses are crimes of opportunity committed by threat actors from across the globe.  They don’t care who they rob or where the victim is located (though criminals do tend NOT to rob people in their own countries; whether that is from a sense of patriotism or a fear of getting caught, only they know).  The criminals are “cruising” the Internet knocking on doors (i.e. accounts, servers) until they find one they can steal from.  The small business itself is not specifically targeted; it just happens to have the lack of security that the criminal was looking for.  However, if you have MFA enabled, they are not going to be able to provide that second factor and they will have to move on.

So, how do you enable MFA?  The good news is that many services you already use in your business and your personal life, like Office365, your Google account, your Gmail, Apple account, Facebook, Twitter, etc., have MFA options built right in for free.  You just have to turn them on.  For example, I cannot connect a new device (or email client) to my Microsoft Account (which I use with my Windows 10 computer), my work Office365 account or my personal Google account without using a free app on my phone that generates a one-time code that needs to be entered (exactly the same way as those RSA tokens mentioned earlier).

There are also additional services that can be implemented to secure just about anything running on a Windows server (your remote access, your cloud desktops, etc.).  If you have the ability to remote into your network environment, MFA should be a requirement.

That said, there are a few negatives that come with this security.  First, it can be slightly less convenient to log into your services.  However, MOST MFA implementations are very quick and easy to use and can even be set to only be required when you are out of the office.  For example, say you have cloud desktops with 1 Point and you normally log into them from your main office.  We can “whitelist” the office network so you don’t get challenged by the MFA service.  However, whenever you (or anyone else) try to log in as you from anywhere other than your “whitelisted” office network, you will be challenged for that second factor.  (And, yes, we can whitelist your home or vacation house as well.)
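As an added illustration (not code from the original post or from 1 Point), here is how a phone-app or token code is derived from a shared secret and the clock, and how a trusted-network rule like the office whitelist described above decides when to ask for it.  The secret is the published RFC 6238 test secret and the office range 203.0.113.0/24 is a constructed value.

```python
import hmac
import hashlib
import struct
import ipaddress
from typing import Optional

# Shared secret provisioned into the phone app (or token) at enrollment.
# This is the RFC 6238 test-vector secret, used here so the codes are checkable;
# a real enrollment uses a fresh random secret per user.
SHARED_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # authenticator apps usually rotate every 30s (the RSA tokens in the post use 60s)

def totp(secret: bytes, now: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """Derive the current code from the secret and the time counter (HOTP over a time step)."""
    counter = struct.pack(">Q", now // step)                    # 8-byte big-endian step number
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                     # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, now + d * STEP_SECONDS), code)
               for d in range(-window, window + 1))

# Constructed office network (a documentation range), the "whitelisted" location.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

def needs_second_factor(source_ip: str) -> bool:
    """Challenge for the second factor unless the login comes from a trusted network."""
    addr = ipaddress.ip_address(source_ip)
    return not any(addr in net for net in TRUSTED_NETWORKS)

def login_decision(password_ok: bool, source_ip: str, code: Optional[str], now: int) -> str:
    """Combine the factors: a password alone is enough only from a trusted network."""
    if not password_ok:
        return "denied: bad password"
    if not needs_second_factor(source_ip):
        return "allowed: trusted network"
    if code is not None and verify_totp(SHARED_SECRET, code, now):
        return "allowed: password + one-time code"
    return "denied: second factor required"

if __name__ == "__main__":
    t = 1234567890
    print(totp(SHARED_SECRET, t))                                  # 005924 (RFC 6238 vector, 6 digits)
    print(login_decision(True, "198.51.100.7", None, t))           # stolen password only: denied
    print(login_decision(True, "198.51.100.7", totp(SHARED_SECRET, t), t))
```

The same policy object is what a conditional-access rule evaluates: a correct password from outside the office range is not enough on its own.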

The other negative that concerns some people is this: what if you CAN’T respond to the MFA challenge for some reason?  Say you lost your phone on Tuesday and you can’t get a new one until Thursday.  How will you log in on Wednesday?  In most cases, depending on the MFA service, we can temporarily disable the MFA requirement until you get your new phone.  In our experience, these situations are incredibly rare and there’s almost always a way to get you back up and working again.

Also, from a technical perspective, there is a negative when using text messages (the ones that send you a one-time code to use to gain access to your account).  These are probably the most common type of MFA since they are very easy to implement and very inexpensive to operate.  However, it is well known in the security field that these text messages are NOT secure.  It is not terribly difficult for a determined thief to “clone” your cell phone number and receive texts that were meant for you.  HOWEVER, this assumes two things: 1) the thief actually knows your cell phone number and 2) they are willing to put in the extra effort to steal from you in particular, which means you are a high-value target for some reason.  Remember, earlier I stated that most small businesses are not specifically targeted; you are just opportunistic victims to the thief.  So, unless you are a target for a reason (and you’d probably know if you were), using texts to your phones is an acceptable MFA implementation.

With all of the security benefits and the ease of implementation, there is no good reason not to have multi-factor authentication enabled on your accounts.  Your remote access and online accounts will be much more secure with MFA enabled.  We would be happy to discuss the options with you to make sure you and your data are as secure as possible.