There have been some evolutions in IT security vulnerabilities over the last decade as the cloud has largely replaced on-site file storage and software. This shift in how companies handle technology and where they store their files has led to a significant increase in credential theft. Look at it from a hacker’s point of view. They’re now up against the server security of companies like Google, Microsoft, and others. In other words, companies that spend millions to secure their server environments and even have physical security staff on-site 24/7. Thus, hacking into a cloud server from the outside is much more difficult than getting into one in a small business office that doesn’t have nearly the same level of protection.
So, with breaking in from the outside becoming more difficult, the next opportunity is to get in from the inside. To clarify, by gaining access to a username and password that the system sees as legitimate, a hacker can get in without having to get past firewalls and other high-end security. Additionally, according to Verizon’s 2020 Data Breach Investigations Report (DBIR), stealing passwords is now at the top of the priority list for those perpetrating cyberattacks. The report found that:
- Stealing login credentials has become the #1 goal for phishing attacks.
- Password dumpers are now the top malware used in data breaches.
- 77% of cloud account data breaches are due to stolen or hacked login credentials.
Users & Companies Make It Easy for Hackers
Because of the bad password habits that many users and companies adopt, breaching company accounts has become too easy. That is to say, a company’s entire cloud storage holding all their data could be protected by only a weak password like “123456.” Here are some alarming findings from Yubico’s report on password security:
- 59% of companies are relying on human memory to manage passwords.
- 39% of employees reuse their passwords across different work accounts.
- 51% of employees share their passwords with colleagues.
- 54% of companies don’t require the use of multi-factor authentication.
Additionally, passwords can become compromised in a few different ways, not all of them under a company’s control. These include:
- Use of a weak password that’s easily guessed by a hacker (they have a list!)
- Database breach of a vendor that you use a username/password with
- Breach of your server or database of user logins
- Hacked password using a cracking tool
Why You Should Enable MFA for All Your Accounts
When you only have a username and password protecting your business accounts and stored data, it’s only a matter of time before the weakest password is compromised. One tool that can prevent nearly all fraudulent sign-in attempts is multi-factor authentication (MFA). To clarify, this is the use of a second method of authentication to access an account. Methods of authentication include:
- What you know: Your username/password (#1 method used)
- What you have: A device that can receive a login code
- Who you are: Retina or fingerprint scanning
Because biometrics like fingerprint scanning aren’t very accessible to use for all your account logins, most MFA will use the “what you have” method as the second form of authentication. An MFA code can be delivered to the user in three ways:
- As a text message to a registered mobile device
- Through an on-device prompt of an authentication app
- Through a physical security key that you plug into your PC, tablet, or smartphone
It’s highly unlikely that a hacker would have the physical device that receives the MFA code. Therefore, enabling multi-factor authentication is a very successful method of preventing account takeover and breached data.
How Effective is MFA?
There are two study references from major cloud vendors that illustrate how important MFA is for keeping your accounts secure even when a password is compromised.
- Microsoft: A study noted by Microsoft found that implementing MFA was successful at blocking 99.9% of fraudulent sign-in attempts.
- Google: A study noted by Google found MFA to be between 76% to 100% effective at blocking account hacks. There’s a range because it depends upon the method used.
Why the slight difference? Because an interesting component of the Google study was that it looked at different attack methods and different ways that users can receive the MFA code. That is to say, the study researched automated bot attacks, bulk phishing attacks, and targeted attacks. It also cross-referenced whether users received the MFA code by SMS, on-device prompt, or a security key. The security key was found to be the most secure, the on-device prompt second, and SMS third (most likely due to the ability of hackers to clone a SIM card and receive the user’s texts).
Implement Multi-Factor Authentication Without Impacting Productivity
Copperband Technologies can help your southern Kentucky or Middle Tennessee business implement MFA in a way that doesn’t impact your users or negatively impact productivity. Contact us today to schedule a consultation! Call 931.263.8000 or email us.