Due to the rapid digitalization catalyzed by the COVID-19 pandemic, cyber-attacks have become ubiquitous, which presents an opportunity to improve cybersecurity practices for small and medium-sized enterprises (SMEs). SMEs contribute up to 40 percent of the gross domestic product in emerging economies, make up 90 percent of all businesses, and provide more than 50 percent of employment worldwide, making them significant economic drivers and digital supply chain actors. They also endure unprecedented malicious cyber activity, such as ransomware, phishing, password targeting, and advanced persistent threat attacks. In Nigeria, cyber attacks against SMEs increased by 89 percent in 2022 alone, and in India more than 60 percent of all SMEs experienced attacks last year.
Many stakeholders claim that a single measure can significantly reduce hackers’ ability to infiltrate individual or organizational systems. So much so that the United States Cybersecurity and Infrastructure Security Agency (CISA) has been running a public awareness campaign since June to encourage its adoption, claiming it can reduce cyber incidents by 99 percent. This measure is multi-factor authentication (MFA), sometimes referred to as two-factor authentication or 2FA. MFA, a cornerstone of the Zero Trust cybersecurity stance, is an electronic authentication method that protects applications by requiring validation from a second, independent source before granting users access.
Despite widespread promotion of this security measure, recent hacks exploiting MFA-enabled accounts, together with inherent technical issues with adoption, imply that MFA is not infallible in guaranteeing organizational security. While MFA is foundational to boosting SME defenses, a holistic and consistent approach to implementing, maintaining, and evolving cybersecurity measures will strengthen the protective impact of MFA by prioritizing other controls and processes—and building a strong cybersecurity culture along the way.
Benefits and Limitations of MFA
MFA comes in various forms. Most likely, the app you use to log into email, bank accounts, or social media platforms has an option to turn on MFA to increase your protection. The most common type of authentication involves sending the user a code via text message or email to verify their identity. Advanced forms of MFA also incorporate biometric authentication mechanisms such as fingerprints, face scans, or voice recognition. These additional steps make it much harder for hackers who have stolen or cracked a traditional password to use it on its own, and so prevent unauthorized access to accounts containing sensitive data.
National and international organizations rightly provide guidance to incentivize MFA among individuals and organizations. CISA kicked off a “More Than a Password” social media campaign in June, with a landing page to learn about MFA and explore resources for enabling the security measure. Likewise, the National Institute of Standards and Technology (NIST) advises all organizations to use MFA whenever possible. NIST’s Digital Identity Guidelines establish different categories of MFA controls to delineate between various levels of identity assurance. In Europe, directives such as the European Union’s landmark General Data Protection Regulation (GDPR) and the revised Payment Services Directive (PSD2) have been essential factors in increasing the popularity of MFA methods. Both have had a significant impact on the security awareness of companies and individual users, who seek to protect themselves against the consequences of breaching the GDPR. Electronic-banking customers in the European Union also use strong two-factor authentication as one of the requirements of the PSD2 directive.
With these advances in MFA-enabled accounts, bad actors have naturally evolved their attempts to evade and exploit MFA through phishing and social engineering attacks. Most recently, in a text-message phishing campaign named “Scatter Swine,” attackers hacked the texting software that sends one-time passwords in order to access corporate networks and steal almost 10,000 user credentials. In May, attackers bypassed MFA through a compromised Google account tied to a Cisco employee’s virtual private network, using various techniques. MFA fatigue—sending multiple push requests to the target’s mobile device to deceive the user into accepting one, either accidentally or while trying to silence the notifications—and voice phishing (known as “vishing”) were among the tactics used in the attack.
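The MFA-fatigue pattern described above leaves a recognizable trace in identity-provider logs: a burst of push prompts the user keeps denying, sometimes followed by an approval. The following is an added example (not from the article or any vendor) of how a defender could surface that pattern; the log format, user names and field names are constructed for illustration and would need to be mapped onto your own provider’s export.

```python
"""Flag MFA-fatigue (push-bombing) bursts in authentication logs.

Added example, not from the original article. The log format and the
result labels (push_denied / push_approved) are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <push result>" per line.
SAMPLE_LOG = """\
2022-09-01T09:00:01Z alice push_denied
2022-09-01T09:00:20Z alice push_denied
2022-09-01T09:00:41Z alice push_denied
2022-09-01T09:01:05Z alice push_denied
2022-09-01T09:01:30Z alice push_approved
2022-09-01T09:02:00Z bob push_approved
2022-09-01T11:30:00Z carol push_denied
2022-09-01T14:10:00Z carol push_approved
"""


def parse_line(line):
    """Split one log line into (timestamp, user, result)."""
    ts, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result


def find_fatigue(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {user: {...}} for users with >= threshold denied pushes inside
    `window`, noting whether an approval followed the burst (the outcome a
    push-bombing attempt is after, and the one worth an urgent review)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, result = parse_line(line)
            events[user].append((ts, result))
    alerts = {}
    for user, evs in events.items():
        evs.sort()
        denials = [t for t, r in evs if r == "push_denied"]
        for i in range(len(denials)):        # sliding window over denials
            j = i
            while j + 1 < len(denials) and denials[j + 1] - denials[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                approved = any(r == "push_approved"
                               and denials[i] <= t <= denials[j] + window
                               for t, r in evs)
                alerts[user] = {"denials": j - i + 1, "approved_after_burst": approved}
                break
    return alerts
```

A single denied prompt (carol) or a clean approval (bob) is not flagged; alice’s four denials in just over a minute, followed by an approval, are the case that warrants a call to the user and a credential reset.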
There are also noteworthy technical speedbumps to implementing MFA within an organization of any size. Employees who don’t understand the relevance of incorporating MFA into their daily work routine, don’t trust the technology, or have trouble accessing a secondary device all present challenges for organizations looking to deploy MFA.
Building Cybersecurity Resilience Beyond Single Measures
While MFA is a tool that can help reduce cyber incidents immensely, organizations must think holistically about cybersecurity to increase resilience and be better prepared for the evolving threat landscape. Here are three tips for SMEs with more limited resources and capacity looking to strengthen cybersecurity:
- Take advantage of free online resources. Investing in cybersecurity does not mean adopting expensive proprietary technology as the first line of defense. The Global Cyber Alliance and Mastercard have produced a Cybersecurity Toolkit for SMEs that provides actionable guidance and tools with clear directions to combat increasing cyberattacks.
- Devise a cybersecurity strategy. A strategy or company policy that improves defensive posture around people, processes, and technology can address various factors, including identification, mitigation, and response to cyber threats or compliance with cybersecurity standards or frameworks. Start by understanding data security management risks and include important provisions such as deploying, monitoring, and gathering feedback on MFA from users.
- Build a cybersecurity culture through awareness and skills training. A strong and healthy culture of cybersecurity should be paramount for business leaders. Consider initiatives that ensure employees are well informed of cybersecurity threats with regular or mandated online training to spot risks or vulnerabilities, or an effective internal communications campaign to understand the benefits of MFA. If national or donor-funded skills or awareness training is planned or ongoing in your sector, maximize the participation of employees.
Cybersecurity can sometimes seem like an endless assault, or an endless effort to shore up defenses against ever-evolving enemies. MFA represents a major step in improving cybersecurity and is appropriately campaigned for as the focal point of efforts to boost individual and organizational resilience to cyber threats. While acknowledging its inherent benefits, it’s also important to note its limitations in order to prioritize a well-rounded and consistent approach to improving cybersecurity. Start with measures like implementing MFA within your organization to reduce the targets available to hackers, but also build a layered approach to cybersecurity that improves internal processes and cyber awareness, transforming your cybersecurity posture from reactive to proactive in the face of ever-evolving threats.