As IT technologies and trends evolve, the threat landscape that SMBs face evolves right along with them.
Businesses no longer have to be specifically targeted by attackers in order to fall victim to an attack. Whilst individual targeted attacks are still a very real threat to certain businesses and sectors, no business should assume it is safe or ‘hidden’ from attack because it’s too small, holds no sensitive information, or has a low turnover. Attacks are automated, systematically scanning the internet for attached devices with vulnerabilities and exploiting them without prejudice.
With the best will in the world, it is virtually impossible for a business to keep hidden all the information that could lead to an attack, or that could provide an entry point into internal systems. A great way to avoid cold callers and telephone scammers is to not publish your telephone number, right? Just give the number to the specific people you want to call you. Perfect, except now any new customers can’t get in touch with you, which doesn’t make for great business.
The same goes for email, except that unlike telephone numbers it’s relatively easy to guess the email address of an individual within a company, especially if your business has a website. Attackers know that an email address can also be a username, especially for the email account itself. Now all that’s needed is the password, which can be ‘brute-forced’, and just like that, your business has been compromised.
What’s worse, this is often invisible to the employee or business, who may never know that an attempt was made to break in, successfully or not.
It’s not just an attack on your own business you need to protect against either. Credentials stolen in other attacks against other entities could be used to gain or attempt to gain access to your business or data assets.
So what are the options? An online presence and available, contactable staff are essential for a business these days; going ‘ex-directory’ is not an option.
Adding an extra layer of security where your business is most vulnerable will help protect your business from such threats, and will also raise the alarm if an unauthorised or unexpected attempt is made to access your sensitive resources.
Multi-Factor Authentication (or MFA for short) is that extra layer of security. Instead of relying on just a username, password, or PIN to protect your business, implementing MFA wherever your business is exposed to the internet will require an extra method of authentication before access is granted.
The extra layer of security you get with Multi-Factor Authentication is based around the simple concept of requiring multiple ‘factors’ to confirm that anyone attempting to access your business is actually who they say they are. The theory goes that if you can provide at least two of the following factors when accessing your email, for example, there’s a good chance it is actually you who is trying to gain access:
- Something you are – biometrics, so a fingerprint or retina scan for example
- Something you have – a security token, a mobile phone or other such device, or a keycard
- Something you know – a password or a PIN
Requiring two of the above factors is most common, and is usually referred to as Two-Factor Authentication (2FA). The key concept here is that even though a password can be stolen or guessed, or a keycard or mobile phone can be stolen or found, both of these occurring at the same time is highly unlikely. This isn’t a new concept: think of withdrawing money from a cash machine, where you need a cash card (something you have) and a PIN (something you know).
With this thinking, it’s clear to see how just relying on a username and password is not enough (both of these are things you know) to protect your business.
So where should you look to deploy MFA? The quick answer is EVERYWHERE. Or more specifically, everywhere that your business assets are accessible remotely. So do you allow remote working? Remote Desktop or VPN connections should be protected with MFA. Do you use Office 365 or Outlook 365 for email? This can be protected with MFA too. If any part of your business can be accessed from outside of your premises, then you should look to deploy MFA to make this more secure.
The good news is that the application or service your business uses probably can already accommodate MFA, and you can turn it on with a click or two.
How you choose to implement MFA, however, and which factors and devices you choose to authenticate access into your business, will depend on what you are aiming to protect. This will require careful consideration to make sure your choices don’t unintentionally undermine the extra layer of security MFA is intended to bring.
Take a mobile phone for instance, which can in fact be both an endpoint (a device used to access sensitive business data, most typically email) and an authentication device via authenticator apps, text passcodes or similar. This is a convenient and potentially cheaper way of allowing users to authenticate, as opposed to a separate physical token or smart card, but how can you ensure multiple layers of protection on a single device? Although Face ID or fingerprint ID is a great and relatively secure way to protect a device and an app on that device, if you are relying on one ‘factor’ to gain access to both then that is a risk (albeit arguably small, and negated to some extent in the case of biometrics) that you must identify and accept as a business.
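The check below is an added example, not part of the original article: it classifies the credentials used on a login path into the three factor categories listed earlier, and flags the single-device case just described, where one unlock method guards both the phone and the authenticator on it. The credential names, their category mapping and the finding labels are assumptions made for illustration.

```python
# Factor categories from the article's list; the credential names and this
# mapping are illustrative assumptions, not taken from any product.
KNOW, HAVE, ARE = "know", "have", "are"
CATEGORY = {
    "username": KNOW, "password": KNOW, "pin": KNOW,
    "security_token": HAVE, "keycard": HAVE,
    "authenticator_app": HAVE, "sms_passcode": HAVE,
    "fingerprint": ARE, "face_id": ARE, "retina_scan": ARE,
}

def factor_categories(credentials):
    """Distinct factor categories covered by a list of credential types."""
    unknown = sorted(set(credentials) - set(CATEGORY))
    if unknown:
        raise ValueError(f"unclassified credential type(s): {unknown}")
    return {CATEGORY[c] for c in credentials}

def is_multi_factor(credentials):
    """True only when at least two different categories are presented."""
    return len(factor_categories(credentials)) >= 2

def review_login(credentials, authenticator_on_endpoint=False,
                 device_unlock=None, app_unlock=None):
    """Return findings for one login path (an empty list means none)."""
    findings = []
    if not is_multi_factor(credentials):
        findings.append("single-category")
    if authenticator_on_endpoint:
        if device_unlock is None:
            # The phone that holds the authenticator has no screen lock.
            findings.append("no-screen-lock")
        elif app_unlock in (None, device_unlock):
            # One unlock method opens both the device and the authenticator.
            findings.append("one-unlock-for-device-and-authenticator")
    return findings

if __name__ == "__main__":
    # Constructed sample login paths.
    phone = dict(authenticator_on_endpoint=True, device_unlock="face_id")
    samples = {
        "email, password only": (["username", "password"], {}),
        "cash machine": (["keycard", "pin"], {}),
        "phone, Face ID for both": (["password", "authenticator_app"],
                                    dict(phone, app_unlock="face_id")),
        "phone, Face ID + app PIN": (["password", "authenticator_app"],
                                     dict(phone, app_unlock="pin")),
    }
    for name, (creds, opts) in samples.items():
        print(f"{name}: {review_login(creds, **opts) or 'no findings'}")
```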
This is where a degree of control over the devices used to access your data is useful: being able to mandate screen locks and authentication to access the device itself is key. Mobile Device Management (MDM) solutions are designed for use in this scenario, but can be expensive to operate in terms of licensing and also the time and effort needed to manage them. As with everything security-related, finding that sweet spot between cost, security and usability is the hardest challenge facing a business. You could eliminate the issue altogether by not allowing remote access to business data, but what impact would that loss of productivity have on your business or your workers if they can’t read and send emails from the train, or work from home or a client’s office, for example?
Essentially what security always boils down to is a balancing act between risk and cost. A security consultant can help you evaluate the risk, but you will need to decide what risks are worth accepting and what must be acted upon to protect your business. Understanding where it is exposed is the first step for a business to begin shoring up the security to help deter and deflect attacks, whether targeted, opportunistic or accidental.