The last couple of weeks have brought a few discussions on the topic of multifactor authentication or MFA (sometimes also referred to as 2FA or two-factor authentication). These discussions have been driven by the SEC’s X (formerly known as Twitter) account being hacked in order to goose the price of Bitcoin. This raised a lot of questions, ranging from whether there is a political bias around the SEC not using MFA (no), to whether the SEC can now be trusted (yes it can), to simply how the heck that could have happened. Let’s dig into some of the lessons organizations can learn from this.
First of all, from a corporate policy perspective MFA is widespread. 87% of organizations with over 10,000 employees use it, while in organizations with between 26 and 100 employees that drops to 34%. Within technology companies it is 87%, with only 39% of transportation and warehouse companies using it. From these and other statistics one might conclude that while MFA usage is still increasing, it is already established as a standard and best practice. Credit and thanks to Resmo for their recent blog post and updated MFA statistics, from which these numbers come: 40+ Multi-Factor Authentication (MFA) Statistics to Know in 2024 | Resmo
That brings us to a confession (of sorts). Viakoo is used by security professionals across a large number of verticals, people who would in their normal working life be exposed to security issues almost constantly. Viakoo supports and recommends having MFA turned on. Yet only 2% of Viakoo users have MFA on their accounts. True, some are entering using a single sign-on (SSO) and are within their corporate security environment, but still a small number.
Perception of what is at stake varies greatly; a corporate employee might think it’s just an X account and no big deal that it does not have MFA, while a threat actor views it as a way to illegally gain millions in profit. An employee might view it as just an uninterruptible power supply and no big deal that it has never had its firmware patched, but a threat actor views it as a way to gain entry and move laterally within the organization. That’s really the heart of the SEC issue, and part of a bigger issue: the difference between corporate security policy and what individuals or teams actually do. An organization may require MFA on all critical corporate systems, but does that always translate to a service like X being considered a critical system, and to the entry-level marketing person who manages the X account taking the extra time to set up MFA on it, especially when no one asks them about it?
Much of an organization’s attack surface exists outside of IT, specifically in IoT systems that are managed by the line of business. The motivations within the line of business are many (profits, deliveries, compliance, etc.) and often outweigh security considerations. That’s why many IoT devices live within corporate networks still using default passwords, running unpatched firmware, and not using certificates to encrypt traffic. Taking an already over-burdened team and adding responsibilities that they are not judged on meeting is a recipe for corporate security policy not being followed.
How should organizations do better in closing the gap between what they say and what they do on security? Here are three key points to consider:
Final word of advice: don’t let what happened to the SEC happen to you. Especially if your organization’s security audits are IT-focused, start now to bring in other parts of the team to ensure that the whole organization is following best practices. Viakoo is here to help, and has worked with many organizations to ensure that all devices (not just IT) are visible, operational, and secure.
The post Confessions on MFA and Security Best Practices appeared first on Viakoo, Inc.
*** This is a Security Bloggers Network syndicated blog from Viakoo, Inc. authored by John Gallagher. Read the original post at: https://www.viakoo.com/blog/confessions-on-mfa-and-security-best-practices/