Trustwave Blog

The Power of Multifactor Authentication and a Strong Security Culture

Written by | Aug 22, 2024

The business mantra "employees are our number one asset" is true for many reasons. Including helping protect an organization from cyber threats.

An organization can have the finest security technology stack available, employ offensive security measures such as penetration tests, and have a cybersecurity vendor on speed dial in case an incident occurs. However, if its workers are not cybersecurity conscious, all that effort and financial outlay will be wasted.

Trustwave believes and imparts to our clients that an organization's number one cyber hygiene and defense control is, in fact, each of its employees. We practice what we preach by developing a culture of security across our entire business. While some may say a cybersecurity company has to have this mentality, the truth is a security-first approach can be implemented by any organization, large or small. It just requires management to make security a priority.

Cybercriminals demonstrate time after time that they will target employees. They will not only go through corporate systems. Still, they will use any publicly available information to target personal accounts to glean just enough information to build a successful social engineering campaign or perhaps figure out login credentials. According to the FBI's 2023 Internet Crime Report, email-based attacks (phishing, business email compromise, and spearphishing) continue to be adversaries' top method to gain a foothold in any organization.

The good news is the power to help defeat these attacks lies within everybody's reach. It just requires bit of technology that everyone likely already uses, and the second is education.

Let's start with technology, which is multifactor authentication or MFA. As many people have likely experienced when accessing a bank or health record a website might send a several digit code via text or email that has to be inputted in order to continue the login process. Not all login processes come with MFA turned on. If not activate MFA.

Not all MFA is the same. If possible, turn on MFA using an authenticator app; do not rely on SMS text messages and phone calls unless an authenticator app is not supported.

Review your secondary security questions for authentication. Do not use responses that answer questions threat actors can and will look up. Remember how we noted earlier that an attacker will search your social media footprint for clues? This means you must go the extra mile and think a bit out of the box when generating an answer.

Here's how you can strengthen your security with MFA:

  • Prioritize important accounts: Focus on protecting accounts that hold sensitive information, such as banking, health, and personal data.
  • Use authenticator apps: Whenever possible, opt for authenticator apps instead of SMS or phone calls, as they offer a higher level of security.
  • Strengthen security questions: Avoid using easily guessable answers to security questions. Create unique and memorable responses that are difficult for hackers to determine.
  • Implement strong passphrases: For accounts without MFA, use long, complex passphrases instead of short passwords. A combination of five random words is often more secure.

 

Educate Workers on the Top Email Security Best Practices

To safeguard against cybercriminals, organizations must prioritize email security and establish a comprehensive defense strategy to protect this vulnerable attack vector. Here are some essential measures to implement.

Conduct regular security training. It is essential to provide annual security training refreshers for all employees. This training should cover topics such as phishing awareness and overall security practices.

By educating employees about the types of attacks they may encounter, organizations empower them with the knowledge to recognize and respond to threats.

Security teams should remind staff members to request a second form of verification and validation before making any changes to bank details or initiating payments over email. When in doubt, trust but verify. Each of us has the opportunity to be a cyber ambassador throughout our communities. Chat with your family, friends, and peers.

By insisting upon continued vigilance and leading by example, an organization's leadership team can impart the importance of cybersecurity and build a team mentality that everyone is needed to protect not just the organization but also their own information. Your team is your greatest defense against those who seek wrongful financial gain and harm.