Choosing multi-factor authentication strategies and technologies is like any other technology, but with a twist. Selecting a marketing app requires a business case and looking at return on investment. In the case of security tools like multi-factor authentication (MFA), there is one additional dimension to consider. You need to look at cybersecurity risk and determine whether a given tool or technique addresses your risks.
Review Your IT Security Risks First
Every IT security technique, technology and process carries a cost. That’s why you need to question the risk mitigation benefits of changes before implementing them. For example, if your organization has significantly expanded the use of cloud applications, you will need a security program capable of keeping up with those challenges. If it has been a while since you identified your IT security risks, we have some suggestions. Use this checklist to help you identify possible issues:
1) Has the organization suffered a cybersecurity incident in the past year? If so, what are the lessons learned from that event?
2) What has changed in the organization’s technology landscape – hardware, software and configurations – in the past year? Have significant changes been reviewed from an IT security perspective?
3) Has the organization leveraged a third party to assess their cybersecurity? This practice can take different forms depending on the complexity and scale of your business.
4) What new products and services have been launched recently? Do these initiatives change your IT security exposure? Also, have you changed the nature of your services, such as adding an API in the background to enhance the product?
5) Do you have useful IT security metrics to measure issues like inactive user risk? Without ongoing monitoring, it is impossible to measure your security situation accurately.
6) To what degree is IT security supported by senior management? When executives ignore security concerns, security issues become more likely. You can also look at funding for the IT security department – if their budget requests are routinely cut, you may not adequately control your risk exposure.
7) How much does the IT security department rely on manual processes vs. software tools? High reliance on manual work means keeping up with business changes will become more difficult.
Once you complete answering these questions, you may be surprised by the results. Most people we know in the industry find they face more IT security risks every year. If you find that you have unmanaged IT security risks, it’s time to find solutions.
Measure The Effectiveness of Your Multi-Factor Authentication Program
Now that you have a refreshed view of your IT security risks, let’s take a look at how multi-factor authentication factors in. Some solutions, like requiring advanced security training for software developers, are only relevant to a small part of your staff. On the other hand, multi-factor authentication has the potential to impact security across the enterprise positively.
To measure your MFA program effectiveness, ask two questions:
What percentage of end-users have used MFA in the past 30 days?
What percentage of the organization’s IT assets are covered by MFA?
You might find you have proper coverage, such as 50% of users and 80% of systems. If so, congratulations! Now, you can look at enhancements such as using specialized hardware.
What Is The Benefit Of Multi-Factor Authentication Hardware?
Using specialized devices like authentication “keys” improves security control. These devices also make hacking more difficult to achieve, because one would need to break the device’s security as well as a password. On the other side of the coin, special hardware multi-factor authentication (MFA) increase the burden on your employees. They face the risk of employees losing these devices while traveling or forgetting them at the office. Given these issues, you may wonder when it makes sense to use specialized multi-factor authentication. We have identified three situations where the benefit of using MFA hardware devices outweighs the costs.
Some users have significant access privileges. If those user accounts were misused or compromised, there would be a meaningful impact on the company. For instance, an IT manager might have administrative privileges such as adding, changing or removing access manually for all users to a financial database. In that situation, asking such managers to use a hardware authentication device makes sense.
Other users are likely to have higher risk like senior executives as well. To identify high-risk users who may need added protection from a special hardware device, ask yourself the “nightmare scenario” question. If a hacker obtained access to the CFO’s user account, they could carry out significant damage! In contrast, there would likely be relatively less risk associated with a financial analyst with read-only access to accounting systems.
Supplement your analysis by examining high-risk data that merit additional controls. For example, you may have a system for activating or deactivating a customer’s account. Adding an MFA hardware authentication device, in that case, may be warranted.
Finally, look at cases of high-risk contexts that increase IT security risk. For example, you may have a large sales department that frequently travels internationally. Traveling professionals face risks such as losing a laptop or having a device stolen in airports, hotels or other locations. In these cases, requiring users to use special hardware authentication devices is a smart option. After all, stealing multiple devices (i.e. a laptop and a hardware device) and knowing how to use these together to gain access is unlikely.
What About Everyone Else?Few companies will require all users to adopt special hardware for multi-factor authentication in all cases. That would be impractical. Instead, use these devices to mitigate high-risk situations. For the rest of your users, you will need to use other techniques and systems to address IT security risk. Your options include training employees to avoid password reuse disease. You can also use access management metrics to detect problems. Ultimately, using a variety of access management methods (e.g. training, special hardware devices, central IT monitoring, etc.) is the best way to mitigate risk while minimizing disrupting employee productivity.