Whenever a business considers the security measures it can implement, three options always crop up: antivirus on endpoints and servers to detect and eliminate as many threats as possible; backups to ensure that any data lost in an incident such as a ransomware attack can be recovered; and device encryption to prevent confidential data from being obtained by attackers.
However, these are not the only options available.
The problem with passwords
One such option, readily available today, has not yet received the attention it deserves, but is nevertheless becoming increasingly necessary. It is known as two-factor authentication (2FA), and is an ideal solution for helping to protect a large number of online services if the access credentials of a business are compromised.
Let’s face it, no matter how many times we try to drum home the importance of creating robust passwords, the majority of users will only be able to remember a small number of them (and will opt for easy-to-remember passwords).
“DESPITE ITS EASE OF USE, IT REMAINS AN UNDERUTILIZED SECURITY MEASURE IN BUSINESSES.”
This is why it is necessary to integrate a new layer of security, which is where 2FA comes into play. While individuals are using it more frequently, and at an increasing rate, it remains an underutilized security measure in the corporate sector.
In fact, according to the latest ESET Security Report, only 11% of businesses in Latin America have implemented two-factor authentication.
No-one wants their social network accounts, personal email, or gaming libraries on digital distribution platforms to be accessed without permission, which is why we have seen a steady increase in the use of 2FA by end users, with mobile devices being the most popular choice of secondary identification device.
In the business world, however, most users who connect to a corporate network via VPN or access their work email accounts remotely are still doing so by simply authenticating with a username and password. For many years, this security measure has proven to be ineffective on its own, which is mostly down to users’ shortcomings in managing their passwords.
So when unauthorized access to confidential business information is as simple as waiting for a user to access the corporate network remotely or work email via an unsecured connection, it means that something is being done incorrectly and, worse still, that the relevant measures to prevent this have not been implemented.
Enter two-factor authentication (2FA)
Using a single data item to authenticate to a system is practical, but not the most secure. To prevent data theft or leakage, applications have been developed to provide two-factor authentication. These applications are easy to use and add an additional layer of security, so that stolen credentials do not on their own lead to the theft or leakage of sensitive information or to unauthorized access to a company’s internal network.
“MANY OF THE ATTACKS IN RECENT MONTHS COULD HAVE BEEN PREVENTED IF TWO-FACTOR AUTHENTICATION HAD BEEN IN PLACE.”
But despite their ease of use, very few businesses have implemented two-factor authentication. One of the main reasons is most likely a lack of awareness of this security measure, which is something that should be resolved by an awareness campaign to comply with the European Union’s new General Data Protection Regulation (GDPR). Fortunately, it not only affects businesses in that area, but also those who store the data of users from the European Union.
Implementations of 2FA vary, but normally the second factor is an access code that is either delivered by automatic SMS message or generated by an application. Once the password has been entered, the system requests this code; in some systems, an application separate from the web browser is used to enter it.
Two-factor authentication systems in conjunction with the traditional password system are much more secure than simply using credentials. Many of the attacks that were made public in recent months (check Have I been Pwned?) could have been prevented if a two-factor authentication system had been in place. Even if attackers had managed to infect a computer and steal a password, they would not have been able to access the account associated with it, as they would not have had the access code.
Despite this, implementation of this security measure remains low.
What is the cost of implementing 2FA for a business?
Just like the many antivirus security solutions available, there is a lot on offer and something to suit all budgets. However, instead of thinking about the cost of implementing a 2FA solution, what we really need to think about is the cost of not implementing a 2FA solution.
It is well worth implementing these systems if you want to keep corporate information storage accounts safe. Two-factor authentication makes it difficult (but not impossible) for an unauthorized third party to access all kinds of services, such as Outlook Web Access.
It is not necessary to implement 2FA for all accounts with admin rights, just those in which confidential information is stored, to avoid theft and also possible administrative fines. Keep in mind that this system, while not infallible, offers an additional layer of security that many criminals do not even try to get past. Therefore, a business that does not implement 2FA will be more likely to be attacked than one that does.
Regardless of the size of your business, two-factor authentication is a layer of security that should be considered, especially for shared resources and for employees who access their corporate networks remotely.
A well-implemented 2FA solution can also boost telecommuting and secure employee profiles while roaming, increasing productivity and minimizing risks.
by Josep Albors, ESET We Live Security