Why It's Vital to Protect Your Accounts With Multi-Factor Authentication

The ransomware attack on Colonial Pipeline in May 2021 showed just how widespread the impact of this type of attack can be.

Ransomware will typically bring a company to a standstill because it can spread rapidly through servers, cloud environments and devices. In the case of Colonial Pipeline, the attack on their systems led to a six-day shutdown that resulted in a loss of millions on top of the $4.4 million it paid in ransom.

Beyond the organization itself, that particular ransomware attack caused vast shortages of gasoline across the East Coast and pushed the price of a gallon of gas up past the $3.00 per gallon mark nationwide. That kind of spike had not been seen since 2014.

One of the most astonishing aspects of the attack was that so much damage could be done from a seemingly simple lack of best practices.

In testimony to Congress, the head of Colonial Pipeline stated that the attack originated through an unused VPN account that was not protected by multi-factor authentication (MFA).

If that one simple best practice had been in place, the ransomware incident and the aftermath could have been avoided.

According to the Sophos 2021 Threat Report, “a lack of attention to one or more aspects of basic security hygiene” was found to be the root cause of several of the most damaging cyberattacks it has investigated.

Why MFA is So Important to Cybersecurity

Multi-factor authentication is a simple concept in access control. You require an additional factor of authentication from a user to grant access to a website, company network, software or cloud application. 

There are three standard forms of authentication recognized for technology access:

  • What you know: Your username/password
  • What you have: A device that receives a login authentication code
  • What you are: Biometrics like face or fingerprint scanning

If MFA is not enabled, accounts are being protected by just one factor of authentication (the “what you know”). All a hacker needs to do is get that information (e.g. steal a password) and they can log into the account as that user.

62% of small and mid-sized businesses do not use MFA. 

Unfortunately, it is all too easy for this to happen. Attackers get user passwords through:

  • Phishing emails
  • Fake login forms
  • Using software to hack weak passwords
  • Purchase of user credentials on the Dark Web from large-scale data breaches

When MFA is enabled, it adds a second factor of security, generally the “what you have”: a time-sensitive code is sent to (or generated on) a physical device in the user's possession, and that code must be entered to complete the login.

In most cases, the attacker won’t have that physical device so they can’t log in. This is what makes MFA so effective.

How Effective Is MFA?

According to Microsoft (which sees approximately 300 million fraudulent cloud sign-in attempts daily) MFA is 99.9% effective at blocking those attacks.

This makes it a must-have for companies to use on all cloud applications and website accounts, because using strong passwords alone often isn’t enough.

Data breaches of large customer databases happen all too often. So, your credentials can be for sale on the Dark Web even though you use strong passwords. The following large organizations have had user information stolen in breaches this year:

  • LinkedIn
  • Morgan Stanley
  • Mercedes-Benz
  • CVS
  • Peloton
  • JPMorgan Chase Bank
  • Geico

Forms of MFA to Choose From

When setting up multi-factor authentication for your business, there are typically three main options to choose from. Each option involves a slightly different way of receiving the code and can have a different level of security.

SMS/Text

The most common way to set up MFA is by having the code sent to a mobile number via text message. This is the way that is easiest for most people to use because they don’t need to learn another app.

This method is slightly less secure than the other two methods because hackers can clone a SIM card through malware. That would give them the ability to receive the text messages that are going to that number.

MFA App

The second most common method is to use an MFA application on your device such as Google Authenticator. You are still receiving the code on your mobile device but it is coming through a specific application rather than via SMS.

Security Key

The most secure method is a physical security key, purchased from a company like Thetis or Yubico. These keys are typically the size of a small USB device and employees need to keep track of them.

The key is plugged into a computer or mobile device to authenticate the MFA. This is a slightly less convenient method and companies do need to purchase the keys. 

Find Great Access Security Solutions from Sound Computers

Sound Computers can help your Connecticut business implement Multi-Factor Authentication in a way that secures your accounts without inconveniencing your employees.

Contact us today to schedule a free consultation. Call 860-577-8060 or reach us online.

August 10, 2021
Sound Computers Admin