Is MFA the first step to boosting remote working cybersecurity?

As much as you might trust them, staking your business on employees' credentials is a poor security decision. MFA should be high on the priority list.
8 April 2020

As CIOs continue to tackle the migration of the workforce towards remote working (or ‘telework’, as the World Economic Forum now calls it), they also face a gaping cybersecurity threat.

Cybercriminals are organized and opportunistic; with businesses still scrambling to adapt, they are ready to capitalize on the crisis, leveraging the psychological distraction of the COVID-19 outbreak, mass migration to new tools, weaker cybersecurity thanks to home Wi-Fi networks and personal devices and, as usual, human error.

One of the simplest measures IT heads can take is to ensure multi-factor authentication (MFA) is now in place. With workers scattered across various locales and networks, putting this measure in action, for anyone needing to access company data, means that a business’s security isn’t in the hands of a single employee and their login credentials.

Put simply, MFA means authenticating access requires verification via something else, beyond just a password, which makes it exponentially more difficult for cybercriminals to access accounts and data.

There are a number of approaches businesses can take to implement MFA to suit their business needs and company size. Investing in a USB key MFA device, for example, might be viable for a small sector of the business, but could cost thousands if equipping everyone in a 1,000-strong enterprise with one. In certain cases, a simple smartphone-based system could suffice.

Physical token

As mentioned, a physical token refers to a piece of hardware like a key fob or USB key, which can be used to generate a highly-secure, randomly generated password that’s essentially impossible to brute-force.

Yubikey is perhaps the most ubiquitous example of this, but there are others, most of which are widely supported when logging into corporate office tech, online applications, and other cloud applications. The normal login will ask for a password, but also for the code generated by the device.

The only real hang-up is their cost, and their potential to be lost down the back of the sofa.

Mobile phone

Everyone has a smartphone in arm’s reach now, and most people will be familiar with using it as an MFA device having logged into an online bank account, for example, or from accessing their Gmail account on a new device.

This is especially handy for organizations which distribute smartphones to their workers, who can download apps such as Authy, Google Authenticator, or ESET Secure Authentication.

Before downloading any of these, it’s worth checking the product for any history of breaches. It’s also worth bearing in mind that smartphones can be hacked as well, and SMS spam messages can be sent in efforts to trick users into verifying a false access request.

Biometrics

It may sound like one of the most advanced options, but biometric security methods are now built into consumer products like Apple’s MacBook and iPhone, and given how difficult it is to fake a fingerprint, for one, biometrics can be one of the most secure MFA methods available.

The biggest hurdle any organization may face in deploying this approach could be data privacy, with many individuals reluctant to provide data like fingerprints or images of their face to cloud databases which are vulnerable in their own right, especially in light of the breach of Clearview earlier this year.

Implementing MFA protection could be one of the most critical steps to securing key services and minimizing exposure, in a time when organizations need all the protection they can get.

Enabling MFA for the company’s cloud infrastructure could be a good place to start, as the most common enterprise cloud service providers already feature heavy integration with multi-factor authentication ability. This is the easiest and quickest solution to ramping up an organization’s cybersecurity strength. Then the business can ensure all integrated software has been updated to a version that can support MFA.

To prioritize, each organization will need to evaluate its own infrastructure and identify which parts are most vulnerable, in order of priority.

For companies that already have VPNs and other remote gateway accesses, these gateways should be immediately secured with MFA, if they are not client-facing or SaaS solutions.

Weak authentication protocols might be leaving your remote workers exposed to phishing attempts and other cyber threats. But setting up MFA at a central authentication point such as your cloud service provider is the fastest, most wide-ranging solution that you could implement today, if necessary.