EU Cyber Security Month: learn how multi-factor authentication can protect your company’s most valuable assets

The EU Cyber Security Month (“ECSM”) is the EU’s annual awareness campaign that takes place every October across Europe. Through this initiative, European institutions aim to raise awareness about cybersecurity threats, promote mitigation action and share good practice.

CMS Belgium fully supports this campaign. We are a proud partner of the Centre for Cyber Security and Cyber Security Coalition for Belgium’s national campaign on multi-factor authentication this year.

The ECSM represents a good opportunity to practise cyber hygiene with your employees. This article explains why using multi-factor authentication as part of your security strategy is one of the easiest ways to secure your employees’ accounts and your IT systems.

Easy to hack and steal, passwords have become passé in the security world. It’s time to upgrade. Two-factor authentication (“2FA”) is an extra step to verify the identity of your employees (users) for login, even if they have a password that was compromised in a breach or otherwise. 2FA keeps your IT environment safe and prevents (costly) cyberattacks.

Working from home (“WFH”) has made it necessary for IT teams to protect their company’s data. It is indeed easier to hack a remote user than someone sitting inside your corporate environment. A cybercrime pandemic is happening behind the scenes during the Covid-19 pandemic, with ransomware attacks soaring since April. We have some cybersecurity tips for WFH that will help secure your business.

What is 2FA?

There are three classic authentication factors, often referred to as “something you know” (e.g. passwords, password phrases or personal identification number (PIN)), “something you have” (e.g. smartcard, token device, smartphone) and “something you are” (e.g. fingerprints or voice recognition).

As the name suggests, 2FA requires two methods (authentication factors) to verify that the users trying to access your IT systems are who they say they are. It may be a PIN code (something you know) and an iris scan (something you are), or a face scan (something you are) followed by the entry of a code from a security token (something you have). Since passwords are traditionally used for online services, they tend to be one of the factors still required in 2FA systems for these services. Therefore, a 2FA system combining a password with another factor makes it difficult for hackers to access your IT environment because they will be missing at least one piece of the puzzle.

Why does 2FA matter?

The authentication technique that is currently most often used is passwords. It is however a weak security mechanism considering that hackers detect passwords through many means (e.g. brute-force attacks can quickly uncover weak passwords). Employees often share their passwords, or forget them; don’t understand the need for strong passwords; choose passwords that are easy to remember (e.g. dictionary words, family member’s name, a pet’s name) and therefore easy to guess or crack; or sometimes write them down.

The main goal of 2FA is to protect the user account even when the password is compromised: even if hackers can guess the password, they will not be able to access the account, or your IT systems. Indeed, one of the biggest security threats today is the risk of compromised or stolen credentials. Once a cybercriminal gets his/her hands on a set of corporate credentials, he/she can then use stolen but legitimate login details. A credential stuffing attack then becomes the entry point for a much larger venture, such as data theft, ransomware attacks or system hijacking.

According to Microsoft, multi-factor authentication (“MFA”) can block over 99.9% of account compromise attacks. It is important to note that 81% of breaches are caused by credential theft, 73% of passwords are duplicates and 50% of employees use unapproved apps.

How does 2FA work?

It doesn’t take long to put 2FA in place and there are a variety of 2FA systems in use. The feature common to most of them is that a one-time use code is generated or sent to an authentication device (e.g. your smartphone) so that you can enter it with your password, allowing you to access your account.

Other methods used by popular online services include sending an SMS with an authentication code or generating authentication codes that are only valid for a limited period of time. An authentication app (such as Duo Mobile) is also a good option for 2FA. Unless hackers get access to your smartphone as well your email address and password, they won’t be able to log in.

The important thing about MFA is that your company chooses an option that suits its security goals and is easy to include in your employees’ routine. Good security measures that your employees don’t use won’t protect your company.

WFH: are you securing your VPN set-up with 2FA?

WFH, though convenient, can leave your company vulnerable to security risks. This not only puts your personal data in danger but could also result in sensitive company data being compromised.

Virtual private networks (“VPNs”) allow your remote users to securely access your organisation's IT environment, such as your ERP system. Although VPNs are generally regarded as a layer of security, they are not bulletproof. VPN set-up is only convenient if it’s secure (e.g. fully patched). 2FA can reinforce your VPN by requiring users to supply an additional form of authentication, making it more difficult for hackers to infiltrate your network. 2FA will decrease the risk posed by a compromise of sensitive login information, and VPNs will provide secure access for your employees wherever they are working, greater access control and stronger network access overall.

Cybersecurity tips and tricks

WFH will be the norm for the foreseeable future. To make WFH more secure for your company, we have compiled some cybersecurity tips that will help secure your business:

• Don’t depend on single-factor authentication. To protect your IT systems, accounts and applications, use a VPN with 2FA.
• Make sure your staff regularly update their devices and programs (updates often include patches for security vulnerabilities that have been uncovered since the last iteration of the software was released).
• Back up your data regularly (e.g. in case staff are victims of a ransomware attack).
• Ensure that your antivirus software and firewalls are in place and fully updated.
• Review (or create) policies to ensure they meet remote work needs (e.g. a policy that addresses employee adherence to data privacy, security and confidentiality; procedures to follow in the event of a security incident) or consider producing a series of “How do I?” guides.
• Build a remote workforce serving as a necessary business tool and contingency buffer in the event of business disruption.
• Simulate an attack, and monitor how your staff respond.
• Make your staff risk-aware by providing them with cybersecurity training.
• Make sure staff know how and where to report problems. This is especially important for security issues. Provide initial and then regular feedback to staff on how to react in case of problems. That means information on who to call, hours of service and emergency procedures.
• Stay safe and healthy.

For more information on cybersecurity, please contact your usual CMS advisor. Did you know our tech & data practice is recognised as tier 1 (best-in-class) by Chambers and Legal 500?