Cybersecurity Awareness Month was established more than 20 years ago to provide resources to enable organizations and their employees to stay safer and more secure online. It is an opportunity to focus on four key behaviors that will help everyone stay secure throughout the year:
- Creating strong passwords and using a password manager
- Enabling multi-factor authentication
- Updating software
- Recognizing and reporting phishing attempts
Each of these key behaviors are necessary to help keep organizations, their clients, and their employees secure.
Securing Digital Assets with a Second Layer of Protection
As the number of online accounts and their vital information is increasingly held in the cloud, it’s important for organizations to educate employees that digital security is integral to corporate security. Financial data and confidential client information are just two elements that can be compromised if any corporate account is accessed by a cyber criminal. Two layers of account security—a long, unique password combined with multi-factor authentication (MFA)—help make a potential compromise more difficult by increasing barriers to unauthorized network access. How can organizations facilitate this boost to online security?
- Implement MFA authentication for network access. MFA requires a user to provide two or more methods of identification in order to validate their identity at login. Enabling this additional layer of verification helps protect employee accounts and thwart takeover attempts.
- Use an authenticator app as a best practice. Although MFA in itself reduces the risk of a network compromise, relying on a phone call or text as additional authentication is risky. If criminals gain control of an employee’s mobile phone account, such as through a SIM swap, phone call- and text-based prompts will route to the criminal as the new “owner” of the account and phone number. In contrast, apps are linked to the mobile device and not the account’s phone number, so app-based prompts will continue to be routed to the original device—even if criminals control the account. Encourage employees to also use authenticator apps for personal accounts.
- Train employees how to respond to unexpected MFA requests. Criminals use passwords stolen through phishing attacks, the dark web, or even an internet search to try to breach accounts. If they enter the network password into the organization’s sign-in page, the MFA prompt will appear on the employee’s mobile device. By denying the request, the employee prevents the crime from progressing. Employees should be instructed to deny unexpected MFA requests, report them immediately, and promptly change their network password to block further attempts.
- Educate employees about the dangers of multi-factor fatigue. MFA fatigue occurs when criminals use a stolen password to sign into the network repeatedly, sending numerous MFA prompts to the employee’s authentication app. The criminals hope that the employee will tap “Approve” accidentally or through frustration from repetitive prompts. Employees should be required to report such attempts.
Implementing MFA for corporate accounts—in conjunction with strong passwords—adds a second layer of security and can help prevent data breaches. Organizations can reap security rewards with this addition to their information security practices.
