Cybercrime is rife in 2022. Kaspersky released a new report revealing a growing number of cyberattacks on small businesses so far in 2022. Researchers compared the period between January and April 2022 to the same period in 2021, finding increases in the numbers of Trojan-PSW detections, internet attacks and attacks on Remote Desktop Protocol.
According to Kaspersky, in 2022, the number of Trojan-PSW (Password Stealing Ware) detections increased globally by almost a quarter compared to the same period in 2021 一 4,003,323 to 3,029,903. Trojan-PSW is a malware that steals passwords, along with other account information, which then allows attackers to gain access to the company network and steal sensitive information.
One stolen password is the most common cause of cybersecurity incidents, being attributed to allowing 61% of all security breaches and occurs in hundreds of companies each year.
These Incidents Are Preventable
Although these incidents are unfortunate, organizations are far from helpless when it comes to preventing unauthorized access from a stolen password and the data breaches that follow. All these incidents would have been prevented with the implementation of a basic security measure – multi-factor authentication (MFA).
This basic security measure adds a verification factor to the login requirements and prevents anyone but the authorized user from logging in. With MFA implemented, one stolen password is no longer enough to gain access to sensitive accounts.
MFA should be and is required in most large companies, the federal government, banks, law firms, and any other organizations handling sensitive information. If you don’t already, you should have MFA implemented at your firm as soon as possible to prevent the most common security breach.
Password Theft Is Common
Passwords can be stolen or guessed by a variety of means to gain unauthorized access to user accounts. A common tactic used is called credential stuffing, an automated attack where lists of stolen passwords from one breach are matched to potential usernames to attempt another breach.
As an example, T-Mobile was hacked in 2021 affecting approximately 50 million people in which their personal information, social security numbers, passwords, and other information was stolen. In just May, 2022, around 30 million people were affected when their personal information was released as a result of a MGM Resorts data hack. Many people reuse passwords despite recommendations not to, so those stolen email addresses and passwords are often reused to try to gain access to other accounts associated with that email address or individual, including firm networks and work email accounts. You can check if any of your accounts are one of the 11.4 billion known accounts with exposed information at haveibeenpwned.com. With these major breaches sometimes taking years to be known, this represents only a fraction of all accounts with exposed information.
Credential stuffing isn’t the only known tactic used by bad actors to steal passwords. Other methods include exploiting browser vulnerabilities to extract passwords, and phishing emails that trick individuals into revealing personal information or account credentials.
Passwords get stolen. It’s a reality of the world we live in. While we should still follow best practices for passwords, such as making strong passwords either through passphrases or ideally password managers, and not using them across accounts, we cannot rely on them as the only factor to authenticate users logging into our systems. We should operate under the assumption that our passwords or someone else’s passwords at the firm are or can be compromised.
MFA Prevents Unauthorized Access
If we can’t trust passwords to keep our accounts secure, what can we trust? The answer is to not allow your critical applications to simply trust that a user is who they say they are because they input the correct username and password. As we know, passwords can be compromised, and that login attempt could be coming from either an authorized or an unauthorized user. You want a way to verify whether a login attempt is coming from the authorized user. Multi-factor authentication does just that.
In addition to the single factor of a username and password that the user knows, MFA requires the user to verify themselves and confirm the login attempt by including another factor that is unique to something the user has or is. It takes seconds to complete and adds a necessary layer of security without unnecessarily inconveniencing users.
With MFA, the login process works looks like this:
- Enter username and password as normal.
- Verify identity using mobile device, telephone, or physical token.
- The system securely logs the user in.
You and your firm members have mobile devices. A verifying factor in the login process could be entering a numeric code generated on an app on your mobile device or accepting a push notification allowing the login. For individuals and firms that prefer not using mobile devices, a verifying factor could be accepting a telephone call or using a token that inserts into the computer. Most MFA solutions provide multiple options for the users to verify themselves.
Conclusion: Implement MFA As Soon As Possible
It’s abundantly clear that multi-factor authentication should be a priority to prevent common and preventable cybersecurity incidents. Colonial Pipeline knew this when they implemented MFA on some accounts, but they failed to implement it on all accounts and that resulted in the pipeline shutdown and a Congressional hearing. Most incidents are not as newsworthy, but still result in damaged reputations, ransoms paid, and documents leaked.
Attempts at cybercrime like breaches and ransomware won’t stop, and bad actors will continue to exploit the low hanging fruit of stolen passwords. MFA is a simple, highly effective, standard security measure across all industries to ensure those attempts fail.
Reach out to your IT department, cloud hosting platform, or MSP today to implement MFA. One stolen password should not be enough to gain access to your firm’s email accounts and sensitive client information.