Why MFA alone isn’t enough: The crucial role of security awareness training
MFA is not infallible and should be complemented by additional defenses
The evolving and sophisticated nature of phishing campaigns has allowed cybersecurity threats via email to penetrate organizations more effectively than ever before. Credential phishing was the threat of choice in 2023, accounting for 91% of active threat reports published. This represented a 67% increase in volume compared to 2022, which can be attributed to the increased effectiveness of cyberattacks that exploit stolen credentials, particularly in environments lacking robust Multi-Factor Authentication (MFA).
An example of this is the Change Healthcare cyberattack, where stolen credentials were used to access a server that lacked MFA. This absence was attributed to the company’s recent acquisition by UnitedHealth, which was in the process of upgrading the systems. This breach exposed the sensitive health data of millions of Americans, underscoring the critical need for basic cyber hygiene, including robust password management and MFA.
Cyber Intelligence Team Manager at Cofense.
Going Beyond MFA and Unique Passwords
While implementing these fundamental security measures is essential, they are only one part of a comprehensive security strategy. Relying solely on complex passwords is insufficient. Passwords must not be reused, as the compromise of a single password on one platform can leave an individual vulnerable to threat actors who frequently attempt to reuse the same credentials on other accounts.
The recent RockYou2024 incident leaked nearly ten billion unique passwords on a popular hacking forum, reiterating this critical need for unique passwords. Security experts have long emphasized the need to avoid password reuse and to leverage password managers to enhance account protection. Some password management even offers advanced features that can scan leaked password databases and alert users to potential vulnerabilities.
While the implementation of MFA is important to stand as a layer of defense against threat actors, it is not infallible, and should be seen as a security practice complemented by additional defenses. The emergence of MFA bypass kits has demonstrated that these security measures can be circumvented. One recent example of this is the Tycoon 2FA bypass phishing kits. When individuals fall victim to these sophisticated attacks, they inadvertently grant threat actors access to their accounts, effectively bypassing MFA protections.
This underscores the critical role of human vigilance in safeguarding against these evolving threats. Essentially, these phishing kits have reset the phishing arms race to where we were before the advent of MFA, where the primary defense against account compromise lies in the ability of individuals to recognize and avoid phishing attempts.
The Need for Human Vigilance
Threat actors are continuously looking for new ways to breach systems. Attackers take advantage of weak links in organizations, targeting employees with password expiration scams, and phishing emails that are becoming increasingly realistic. To effectively combat this growing threat, organizations must adopt a comprehensive proactive approach that extends beyond technical measures. Investing in security awareness training and education is crucial to empowering the workforce to become the first line of defense against cyberattacks.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Training employees across a company is one of the most substantial actions an organization can take to defend itself against threat actors, particularly in educating staff about the dangers of phishing emails from seemingly credible sources. This includes urgent requests for personal information or suspicious links and attachments.
Basic cyber literacy is becoming more common, but truly instilling a sense of suspicion when it comes to online interactions and activities takes time and serious investment on a company’s part. By equipping employees with the knowledge and skills to recognize and report phishing attempts, organizations can significantly reduce the risk of successful attacks. The reality is that a single employee falling victim to a phishing attack can have catastrophic consequences for the entire organization, with the potential for significant data breaches, financial losses, and reputational damage.
Organizations should establish a straightforward reporting mechanism and equip employees with the necessary tools to swiftly eliminate phishing threats. Training employees to spot malicious messages can significantly reduce the risk of falling victim to these scams and compromising sensitive data. Providing ongoing training and resources, along with encouraging open communication about potential threats, fosters a positive culture of cybersecurity awareness. Employees should feel comfortable reporting suspicious activities without fear of retribution, understanding that their vigilance contributes to the organization's security.
By investing in both technical and human-driven solutions, organizations can create a more resilient defense system capable of withstanding sophisticated cyberattacks. This comprehensive approach not only enhances immediate security but also builds a foundation for long-term protection against evolving threats.
We list the best business password managers.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
Max Gannon, Cyber Intelligence Team Manager at Cofense.