While security breaches at large enterprises and government agencies tend to grab headlines, small to midsize businesses (SMBs) are being targeted more frequently by cybercriminals. Smaller organizations typically don’t have the expertise or sophisticated security tools of larger companies and are often slow to upgrade their IT infrastructure. While enterprises are more lucrative targets, smaller companies are usually easier targets. However, the cost to SMBs is still high. The average cost of an attack is about $21,000, according to the Small Business Association (SBA).
During a recent panel discussion hosted by the SBA, security experts recommended that SMBs use multifactor authentication to better control access to the network, business data and applications, devices and other company assets. Multifactor authentication is a security measure that requires two or more independent credentials to verify the identity of the user. The idea is to create additional layers that make it more difficult for an attacker to gain access, even if one factor is compromised.
Authentication factors typically fall into three categories – something you know (user names, passwords, PIN numbers, answers to secret questions), something you have (key fobs, ID cards, SIM cards, one-time password tokens sent to an email address or smartphone) and something you are (biometric verification such as fingerprints, eye scans and voice recognition). GPS-based location tracking can also be a fourth authentication factor.
An example of multifactor authentication for logging into email involves adjusting security settings to require users to enter their mobile phone number. The user name and password is the first factor and the code sent via text to the mobile phone is the second factor. If a hacker steals your password, they wouldn’t be able to log in unless they have your mobile phone and PIN number.
The effectiveness of multifactor authentication in reducing security risks has led some industries and government agencies to make it a requirement. In fact, multifactor authentication is the biggest change in Payment Card Industry Data Security Standard (PCI DSS) 3.2, the newest standard for organizations that handle payment card information. Administrators will be required to use “at least two credentials” when PCI DSS 3.2 goes into effect later this year.
Multifactor authentication is also featured in the federal government’s Cybersecurity National Action Plan, which is intended to educate businesses and individuals about cyber threats and how to stop them. As part of the initiative, personal data used in online transactions between government and citizens will be protected with multifactor authentication to reduce the use of Social Security numbers as identifiers.
IT security experts at Technavio expect multifactor authentication to become standard procedure by 2020. Government, healthcare, retail and other heavily regulated industries are expected to lead this growth. However, a drop in prices for hardware that generates one-time password tokens has already led to increased SMB adoption, a trend that is expected to continue.
Obviously, there is no one-size-fits-all solution for multifactor authentication. Let Atlantic-IT.net, your outsourced IT department, explain the options and help you decide which approach makes the most sense for your organization.