Yesterday, my wife’s Gmail account was hacked. Eventually I recovered it for her, but it took over an hour and veered dangerously close to being irretrievable. If the same thing were to happen to a corporate account within your company, the consequences could be far more painful than an hour of someone’s time.
Which is why your business should do exactly what I did after I’d reclaimed my wife’s account: I set up two-factor authentication (2FA).
Two-factor authentication is the use of something besides just a username and password to identify you. Typically, it’s a code sent by text message or generated through an app on your phone, but it could also be biometrics—think of the way Apple’s Touch ID sensor on an iPhone authenticates payments for Apple Pay.
It took me just a few minutes to set up 2FA on my wife’s Gmail account. Is it much harder for businesses? To answer that question I turned to Steve Manzuik, director of Security Research at Duo Security.
ReadWrite: As in the case of my wife, often security is something companies address after a breach. Recent examples of mega breaches remedied after the attack with two-factor include Apple (celebrity photos stolen from iCloud), Bitly, Evernote, and even the investment bank JP Morgan. While these companies should be applauded for applying two-factor after the fact, how can we convince companies to proactively prepare?
Manzuik: There are a few reasons for companies to take this seriously, some obvious, and some not so obvious.
First, your company’s board is not going to blame the CIO or CISO [chief information security officer] for the breach. They’re going to blame the CEO.
Breaches are no longer a technology issue. They’re a core business issue. According to a recent survey of 200 corporate directors conducted by the New York Stock Exchange and the security company Veracode, more than two in five respondents said that CEOs should face the brunt of any breach-related backlash.
Second, the security industry is notoriously complicated and expensive. Very savvy companies like JPMorgan are investing a quarter of a billion dollars a year—doubling over the next five years to half a billion dollars—to block future breaches when there’s little data to support the actual value of these expensive services and products. What are the rest of us to do?
Third, most breaches happen not because of sophisticated cybercriminals burrowing into companies in complex ways, but rather because of lost or stolen employee credentials, according to the annual Verizon Data Breach Investigations Report. Yes, it’s almost certain that someone in your company is using 123456 as his password.
Bet on it.
RW: OK. So walk our readers through how two-factor works.
SM: Two-factor authentication stops easy access with stolen credentials by requiring a second level of authentication after the user enters their username and password. Since a password is something that a user knows, ensuring that the user also needs to have something else to log in thwarts attackers.
In the past, this second factor of authentication could have been a token with a numerical code, a smart card, or a text message sent to your phone.
Modern two-factor authentication takes advantage of push technology found on smartphones to allow users to authenticate with the tap of a finger like swiping your phone to hail an Uber ride (the same Verizon breach report I noted before points out that your smartphone poses a “negligible” threat for cybercriminals to exploit).
By requiring a second factor of authentication after the password, two-factor can prevent attackers from accessing your systems with passwords captured with a spear phishing email (phony email that looks like it came from your bank, for example).
It can also mitigate the damage from many other attacks by making it difficult for cybercriminals to use login credentials that are harvested through other means, such as malware.
In effect, two-factor means you will be notified any time hackers try to log in no matter how they stole your credentials so you can take immediate steps to protect yourself from any further damage.
RW: I get it, because I’ve seen it work. But what are the primary selling points for two-factor for a business?
SM: Let me name three.
First, two-factor requires little user education.
Too often, implementing security solutions requires employees to perform unnatural acts in the workplace. The “solution” imposes unrealistic expectations on people trying to get their work done. Security should be designed to function in a frictionless way so employees don’t notice it.
Complex solutions drive employees to not participate or, worse, find ways around the systems supposedly implemented to protect them. This, of course, decreases the overall security of an environment.
Complexity is the enemy of security.
A properly designed two-factor solution requires minimal interaction with employees and seamlessly integrates into day-to-day activities without annoying everyone every day.
Second, with two-factor, no IT admin training is required. There are no complex IT processes to implement.
Most security solutions come with the overhead of installing and configuring systems just to monitor and manage the solution, not to mention budgeting for expensive outside experts to provide ongoing maintenance, monitoring, and customization of that solution.
In sum, organizations are forced to hire additional internal security team members and invest tons of money in employee training just to run a solution that’s overly complicated, probably ineffective and most likely outdated within a year.
Modern two-factor systems do not require specialized training for employees or expensive consultants to implement. In addition, two-factor is more than just a passing security technology fad. It’s been a security best practice for decades. It’s future proof.
Lastly, two-factor simplifies password policies.
In a failed attempt to prevent passwords from being easily guessed, the security industry rushed to implement a standard protocol for strong passwords.
Over the years, the protocol has called for even more complicated passwords. Today the average user not only struggles to create what we call a “strong password” but also has no hope of actually remembering that password.
How do employees typically react? Just like you, most people write their “strong password” down and leave it in plain sight or they re-use passwords across multiple websites for convenience. That way they only need to remember a single password, making it much easier for cybercriminals to wreak havoc.
The cycle continues. But it doesn’t have to.
Why are companies turning to two-factor after they’re breached? It’s simple, it’s affordable, and it blocks the majority of attackers from accessing your company’s valuable data.
But it’s better to be smart before the breach and see if two-factor makes sense for your company. After 20 years in the business of battling hackers, I don’t think there is any better bang for your security buck.
Photo by Tim RT