Tech UK spoke to our Marketing & Innovation Director, Adrian Odds, about multi-factor authentication, in an article first published on Tech UK on 11/10/22.
Two high-profile breaches over the past two months remind us of an unfortunate truth: true cyber resilience means preparing for attackers to eventually find a way in.
In both breaches, attackers acquired not only ordinary employee login credentials, but also the multi-factor authentication credentials meant to protect against that kind of theft. Their method for doing so? Old-fashioned persistence — specifically, repeated requests to one or more employees until someone finally gave in.
This isn’t to criticise any of the breached organisations, who clearly take security seriously. Widespread MFA implementation is no small feat. Completing that step puts the organisations far ahead of most industries’ cybersecurity curve.
Rather, these breaches send a clear message to organisations who treat Multi-Factor Authentication (MFA) — or any other single security step — as a shortcut or stand-in for broader cyber resilience. Modern attackers are numerous and persistent enough that broader technological and cultural changes are needed in order to stop the attackers that inevitably make it past the network perimeter.
Reducing confusion — and making resilience more concrete
In my experience, organisations don’t tend to settle on cyber resilience shortcuts out of laziness. Rather, the impulse often comes from confusion about what it actually takes to be able to minimise and mitigate attacks that have already partially succeeded. The ongoing conversation around Zero Trust security is an excellent example — the average organisation hears so many different interpretations and pitches about Zero Trust that it’s difficult to tell which strategies actually fall under the umbrella.
The precise answer to that confusion will vary by organisation and industry. But in talking with clients and partners about cyber resiliency, I’ve seen some patterns emerge. Here are examples for the attack types related to the aforementioned breaches:
Again, these steps apply primarily to the phishing-based MFA compromise breaches mentioned previously — but other resources can present a broader picture.
The right culture supports resilience
Implementing such capabilities takes time. In the meantime, a strong organisational security culture can help fill the gaps.
Education and encouraging teams to over-report potential threats are important steps. It’s equally important to remove stigma and negative consequences for successful attacks. In a blog post covering their successful response to a phishing attack, our partner Cloudflare uses the term “paranoid but blame-free” to describe this approach. When three Cloudflare employees correctly suspected they’d fallen for phishing, they alerted the security team immediately, knowing they would not be punished. As a result, the team was able to block the phishing site three minutes after the attack began and reset the leaked credentials shortly afterward.
This combination of alertness and consequence-free reporting can go a long way towards the ultimate goal of cyber resilience — making employees at every level of an organisation feel invested in better security.