This article is the second in a series of articles about Cybersecurity Awareness Month. Throughout October, K2 Integrity will be providing tips and solutions to organizations to commemorate the 20-year anniversary of the initiative. This year's focus is on creating strong passwords and using a password manager, enabling multi-factor authentication, updating software, and recognizing and reporting phishing attempts.

This second article highlights multi-factor authentication (MFA) and its role in keeping organizations, their clients, and their employees secure.

Securing Digital Assets with a Second Layer of Protection

As technology advances and an increasing amount of vital information is held in the cloud, it's important for organizations to educate employees that digital security is integral to corporate security. Financial data and confidential client information are just some of what can be compromised if your system falls into the wrong hands. Two layers of account security—a long, unique password combined with multi-factor authentication (MFA)—help make a potential compromise more difficult by increasing barriers to unauthorized network access. How can an organization facilitate this boost to online security?

  • Implement MFA for network access. MFA requires a user to provide two or more methods of identification in order to validate their identity for a login or transaction. Enabling this additional layer of verification can protect employee accounts and help thwart account takeover attempts.
  • Use an authenticator app as a best practice. Although MFA reduces the risk of a network compromise, relying on a phone call or text as additional authentication is risky. If criminals gain control of an employee's mobile phone account, such as through a SIM swap, phone call- and text-based prompts will route to the criminal. In contrast, apps are linked to the mobile device and not the account's phone number, so app-based prompts will continue to be routed to the original device. Encourage employees to also use authenticator apps for personal accounts.
  • Train employees how to respond to unexpected MFA requests. Criminals use passwords stolen through phishing attacks, the dark web, or even an internet search to try to breach accounts. If they enter the network password into the organization's sign-in page, the MFA prompt will appear on the employee's mobile device. By denying the request, the employee prevents the criminal from progressing. Employees should be instructed to report unexpected MFA requests and to promptly change their network password to thwart further attempts.
  • Educate employees about the dangers of MFA fatigue. MFA fatigue occurs when criminals use a stolen password to sign into the network repeatedly, sending a stream of MFA prompts to the employee's authenticator app. The criminals hope that the employee will tap "Approve" accidentally or out of frustration with the repeated prompts. Employees should also be required to report such attempts.
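As an added illustration of the MFA fatigue pattern described above (example code written for this article, not K2 Integrity's own tooling), the following Python flags accounts that receive a burst of push prompts in a short window and notes whether one of those prompts was eventually approved, which is the outcome the attacker is hoping for. The log format, user names and event names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not from the article), one per line:
#   timestamp  user  event
# where event is push_sent, push_denied, push_timeout or push_approved.
SAMPLE_LOG = """\
2023-10-10T08:01:02Z alice push_sent
2023-10-10T08:01:40Z alice push_denied
2023-10-10T08:02:05Z alice push_sent
2023-10-10T08:02:50Z alice push_timeout
2023-10-10T08:03:10Z alice push_sent
2023-10-10T08:03:30Z alice push_denied
2023-10-10T08:04:01Z alice push_sent
2023-10-10T08:04:20Z alice push_approved
2023-10-10T09:15:00Z bob push_sent
2023-10-10T09:15:20Z bob push_approved
2023-10-10T17:30:00Z bob push_sent
2023-10-10T17:30:15Z bob push_approved
"""

def parse_line(line):
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event

def detect_mfa_fatigue(log_text, max_prompts=3, window=timedelta(minutes=5)):
    """Flag users who received more than max_prompts push prompts inside any
    sliding window, and record whether a prompt in that burst was approved."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, user, event = parse_line(line)
        events[user].append((ts, event))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        sent = [ts for ts, ev in evs if ev == "push_sent"]
        start, peak, burst_start = 0, 0, None
        for end, ts in enumerate(sent):
            while ts - sent[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 > peak:
                peak, burst_start = end - start + 1, sent[start]
        if peak > max_prompts:
            # An approval inside the burst window is the likely "worn down" tap.
            approved = any(ev == "push_approved" and burst_start <= ts <= burst_start + window
                           for ts, ev in evs)
            flagged[user] = {"prompts": peak, "approved_in_burst": approved}
    return flagged

if __name__ == "__main__":
    print(detect_mfa_fatigue(SAMPLE_LOG))
```

A flagged user with approved_in_burst set is the case to treat as a probable compromise and to pair with the password reset and reporting steps above.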

Implementing MFA for corporate accounts—in conjunction with strong passwords—adds a second layer of security and can help prevent data breaches. Organizations can reap security rewards with this addition to their business practices.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.