Recently, Datto hosted a webinar discussing cybersecurity trends small businesses can expect to see in 2023. Datto reported a 300% increase in cybercrimes since the pandemic, with ransomware affecting over 80% of small businesses in Q4 of 2021. What is a key solution to keeping small business systems safe?
“MFA, MFA, MFA.”
While you may have heard this common acronym, it’s crucial to understand what MFA is, how it works, and why your small business needs it. So, let’s get started!
What is the meaning of MFA?
Multi-Factor Authentication (MFA) is a security technology requiring authentication from two or more methods when logging in to an online account via computer, laptop, mobile phone, or another device. Submitting the correct credentials verifies your identity, allowing you to complete your sign-in securely.
Previously, businesses relied on two-factor authentication (2FA) to secure online accounts, which involved only two authentication steps to gain access. As the cybersecurity landscape continued to develop, businesses saw the benefit of implementing additional layers of security to strengthen their protection against any cyberattack attempt.
Ultimately, MFA’s purpose is to provide a layered defense that blocks unauthorized people from accessing an account, device, or application. If someone can hack through one factor, there are two or more barriers to break through for the breach to be successful.
How Does Multi-Factor Authentication Work?
When you reach any login portal, you enter your username and password. This is the first authentication layer you go through. If that’s the only security you have enabled for your accounts, hackers can use a brute force attack, a trial-and-error hacking method to crack passwords, and gain access to the account, device, or application.
You can implement several combinations of authentication to secure your accounts. Your options are:
- Something you know
- Something you have
- Something you inherit
Something you know
A knowledge-based form of authentication will usually be a PIN or a security question, such as your first pet or mother’s maiden name. This layer verifies who you are by asking for information only you would know - be sure to keep that information private. Don’t use any personal information that could easily be found on social media.
Something you have
A possession factor is something you carry, such as a badge or a fob that you scan and that lets you through once security authenticates it. If you don’t wish to carry another device, some apps provide one-time passwords (OTP) or push-based notifications you can receive on your phone to confirm user identity.
Something you inherit
Biometrics are the strongest, but most expensive, MFA factor. To pass the biometric level, voice authentication, a fingerprint scan, a retina scan, or facial recognition is required. A reader, database, and software collect and transfer the biometric data to compare match points.
It is difficult for hackers to bypass biometric MFA factors because they usually are in a separate location and replicating inherited features is challenging, especially when the scanning technology is so precise.
Location and time-based authentication are two additional factors in verifying your identity. However, these are not popular methods because hackers can easily deceive the system into thinking they are in the required location. Nonetheless, location and time-based authentication factors do provide efficiency and record-keeping in case you need to verify who logged into the system.
Watch out for MFA Fatigue from hackers!
While MFA is a strong security solution in the fight against hackers, many users have experienced MFA Fatigue on their devices. MFA Fatigue is when a hacker floods a user’s authentication app and device with notifications until the user finally concedes, unknowingly giving the hacker access to their device.
Here’s how it works:
- Before overwhelming the target’s MFA app, the hacker will obtain their credentials from the Dark Web, through a phishing email, or by using a brute force attack.
- Once they have the credentials, they’ll trigger multiple notifications for MFA to your device, hoping to eventually wear you down.
- If gaining your approval takes longer than usual, a hacker will sometimes pose as a member of your IT department to convince you to give them access.
- If successful, you will either let them in by mistake or out of annoyance to stop the app from going haywire.
MFA Fatigue mainly targets push-based notifications (something you have), which are typical for employees using MFA because they require minimal effort and time spent logging in. Push-based notifications come from an app downloaded onto your mobile device. You receive a notification that sends you straight to the app, and a pop-up appears showing information about someone attempting to log in, including the location and time of the attempt. If it’s you, you’ll press the “Approved” button (some may also show a green checkmark); if it’s not you, you’ll push the “Denied” button (which may also appear as a red X).
With the hacker’s relentless pursuit to get into your account, you need more security than strong passwords and push-based notifications. As a result, multiple, meaning more than two, factors must be utilized to keep your data safe.
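A defender-side check for the pattern described above, as an added example that is not part of the original article: it scans push-MFA results per user and flags a burst of denied or timed-out prompts, as well as any approval that follows such a burst. The log format, the 10-minute window, and the threshold of 5 prompts are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from any real system): time, user, push result.
SAMPLE_LOG = """\
2023-01-10T02:14:05 alice denied
2023-01-10T02:14:40 alice timeout
2023-01-10T02:15:10 alice denied
2023-01-10T02:15:55 alice timeout
2023-01-10T02:16:30 alice denied
2023-01-10T02:17:02 alice approved
2023-01-10T08:59:12 bob approved
2023-01-10T09:03:00 carol denied
2023-01-10T13:30:45 carol approved
"""

WINDOW = timedelta(minutes=10)   # assumed look-back window
THRESHOLD = 5                    # assumed count of denied/unanswered prompts

def parse(log):
    """Yield (timestamp, user, result) from the assumed three-field format."""
    for line in log.splitlines():
        ts, user, result = line.split()
        yield datetime.fromisoformat(ts), user, result

def detect_push_fatigue(log, window=WINDOW, threshold=THRESHOLD):
    """Return (user, time, verdict) for prompt floods and approvals that follow one."""
    recent = defaultdict(deque)   # user -> times of recent denied/timed-out prompts
    findings = []
    for ts, user, result in parse(log):
        q = recent[user]
        while q and ts - q[0] > window:
            q.popleft()           # drop prompts older than the window
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) == threshold:
                findings.append((user, ts, "prompt_flood"))
        elif result == "approved":
            if len(q) >= threshold:
                findings.append((user, ts, "approved_after_flood"))
            q.clear()             # an approval resets the counter
    return findings

if __name__ == "__main__":
    for user, ts, verdict in detect_push_fatigue(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: {verdict}")
```

An `approved_after_flood` finding is the case worth acting on first: the session it opened can be revoked and the user's password reset, since the flood implies the password was already known to someone else.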
Do I need MFA for my small business?
According to SentinelOne, 54% of SMBs admitted to not utilizing MFA to secure their employees' sensitive information. Considering 61% of small businesses were a target of a cyberattack in 2021, the lack of implementation of MFA could be the cause.
Small businesses tend to think that because of their size, they aren’t as big of a target as larger corporations when the opposite is true. Since SMBs often don’t implement proper security and awareness, they become easy prey and fall victim to hackers’ tactics.
Small businesses need to utilize MFA to protect their employees, clients, and sensitive data from prying eyes. For MFA to be effective, it must be implemented across the entire company, not just for the “important” logins. Added security for certain logins becomes a red herring, leading the hacker straight to their next payday.
Every login should be layered with several authentication methods to ensure total security for any account, especially if your employees tend to recycle the same usernames and passwords.
MFA is the best bouncer for your logins
When appropriately used, MFA can become a vital tool in preventing a cyberattack on your company. Experts predict cyberattacks will continue to rise in 2023, meaning MFA measures must be enabled on all platforms, even those your employees don’t use daily.