As year the rolls on closer to September, and as we approach the Presidential Elections in a just a matter of couple of months, one thing is for certain:  The Remote Workforce is going to be around with us for quite some time, and as it is predicted, it could even go on well into next year and even beyond. 

With this in mind, companies are fast scrambling up with ways as to how they can mesh their business network with that of the home networks of the WFH employees, and especially how to keep any confidential information and data safe while it is in transit across the network mediums.

This all comes down to one common theme:  Authenticating the employee and making sure that they really are whom they claim to be.  Of course, the password has always been the long favorite here, but time has only shown how weak and vulnerable it can actually be. 

So, companies have been stepping up their game to use Two Factor Authentication (2FA), in which two layers of authentication are required, such as the password and some sort of other identifier (such as a challenge/response question).

But even here, 2FA is showing signs of weakness.  So naturally enough, the next level up from here is to use what is known as Multifactor Authentication (MFA), where at least three or even more layers of authentication are implemented.  So far, this seems to be working well in Corporate America, according to a recent study that was conducted by LastPass. 

In it, they found that 57% of the respondents polled are using some sort of MFA, which represents a 12% Year Over Year (YoY) growth rate.  There were some 47,000 businesses that were polled in this survey, and details of it can be found here:

In fact, Microsoft even discovered in their own research that that almost 100% of those businesses that have been breached did not even use MFA.  More details of that can be seen below at this link:

https://www.zdnet.com/article/microsoft-99-9-of-compromised-accounts-did-not-use-multi-factor-authentication/

But despite its advantages, many businesses still are hesitant to deploy MFA.  Why you may be asking?  Well, it comes down to a number of issues, such as:

*The challenges of not deploying it correctly;

*Getting employee buy in so that they will actually use it;

*The perception that it is a hassle to use because of so many different types of credentials that have to be provided.

But whether employees like it or not, you being the business owner, have to implement some sort of strong safeguards so that your digital assets are firmly protected.  So, what are some of the ways in which you can make the use of MFA effective in order to accomplish this goal?  Here are some quick tips that you can easily implement:

*Make MFA mandatory:

In order to keep employees happy, many business managers try to offer employees an alternative if they don’t like the new option that is being implemented.  While this may work for certain kinds of scenarios, it won’t work for authentication.  Either you go all the way with MFA, or you don’t.  Employees don’t have a choice here.  In other words, make MFA mandatory across all levels in your organizations, and don’t look back at your decision. 

*Take the pain out of using MFA:

People have a hard-enough time trying to remember all of their passwords, and this can be compounded even further if they have to remember other sorts of credentials.  In other words, MFA shouldn’t add to the fatigue of an already stressed out IT Security team, it should not only help ease their workload.  In other words, it should not add to what is known as “Alert Fatigue”.  One way around this is to offer multiple ways to confirm identity based on just one type of credential.  For example, an employee can confirm their identity with using a combination of long and complex passwords that are difficult to break.  Of course, they cannot remember all of these, so make use of a Password Manager to help out in this regard.  Remember with MFA, you necessarily do not have to use different kinds of credentials.  You can use variations of the same type (such as that in the example of the password), as long as they are difficult to manipulate and figure out.

*Be consistent with your enforcement:

The thinking in Cybersecurity is that only the most critical digital assets should be protected to the highest levels possible. While this is true, in the end, all of your assets are important to your business.  For example, if there is one that does not have as much protection, that could still be a way in for the Cyberattacker to get into and get access to the most critical assets.  So, instead of deploying MFA for just one area of your business, apply it to all areas, and to all employees in this regard.  Keep your enforcement policies with MFA all across the board.

*Don’t just rely upon sending out SMS messages:

Today, it is quite often for a business (especially those that have online merchant stores) to send out a text message with some random numerical code in order to further confirm the identity of an employee, it should not be the only mechanism that is used.  There are two reasons for this:  Mobile Phishing and SIM swapping.  With the latter, this is when the Cyberattacker can actually con the wireless carrier into transferring the phone number of a legitimate number to their own SIM card.  More information about this can be seen at this link:

https://www.darkreading.com/theedge/sim-swapping-attacks-what-they-are-and-how-to-stop-them/b/d-id/1336662

Cyber experts instead recommend using what is known as an Authenticator Mobile App to help mitigate any risks that are posed by sending out SMS messages.

*Don’t delay in MFA:

The common reaction in Corporate America seems to be to act only when something has happened.  But don’t take this mindset.  Deploy MFA as soon as you can, so that you can greatly the mitigate the chances of being breached in the first place.

My Thoughts On This:

Here are some other tips to keep in mind as you ramp up your MFA deployment:

*Always first test in a sandboxed environment.  Meaning, what ever new layers of authentication you are planning to implement, test it out first in a controlled environment.  This will make sure that your new MFA solution will be interoperable with the other processes and flows that currently exist within your business.

*Roll out your MFA solution in phases, don’t throw it out there all at once.  People need time to figure out the new normal that is about to happen onto them, and plus, taking a more cautious approach will allow you and your IT Security team to work out any other unforeseen kinks that could come out.

*Always communicate to your employees what is being planned, and when it will be rolled out.  In the end, nobody likes surprises, especially employees, given the times that we are in today.  Above all provide training to your employees into the MFA solution.  If you want them to be properly authenticated, they have to learn how to use the tools from the get-go.  And, being the business owner, this is your job to be fulfilled.  Answer any and all questions, as well as fears and concerns. 

It is important to keep in mind that making use of MFA implies some level of trust that is there with your employees.  Meaning, you are not assuming that they are a Cyberattacker, you have some kind of faith in them, but that you just want to further authenticate their identity so that you have confidence that your digital asset will be safe.

But there is an extreme version of the MFA methodology, and that is known as the Zero Trust Framework, in which absolutely nobody is trusted until their identity is fully confirmed.  But there is a lot that goes to this and will be the focal point of another blog.  In the meantime, start to get the plans going for your MFA solution!!!