Multi-Factor Authentication Is Critical To Law Firm Data Security
June 24, 2021 in Afinety Cloud Platform, Security
By: Anthony Lansing
Court proceedings are currently disrupted in the nation’s largest law department, with some city attorneys still unable to access case files or documents, due to a hacker infiltrating the network. While the scope of the cyberattack and damage caused are yet to be determined, we do know the cause of the attack – one stolen password.
New York City’s Law Department is not alone dealing with the fallout of cyberattacks launched through network access with compromised login credentials. One stolen password was all it took last month for cybercriminals to shut down the Colonial Pipeline and disrupt fuel supplies.
One stolen password is the most common cause of cybersecurity incidents, being attributed to allowing 61% of all security breaches and occurs in hundreds of companies each year.
These Incidents Are Preventable
Although these incidents are unfortunate, organizations are far from helpless when it comes to preventing unauthorized access from a stolen password and the data breaches that follow. All of these incidents would have been prevented with the implementation of a basic security measure – multi-factor authentication (MFA).
This basic security measure adds a verification factor to the login requirements and prevents anyone but the authorized user from logging in. With MFA implemented, one stolen password is no longer enough to gain access to sensitive accounts.
MFA should be and is required in most large companies, the federal government, banks, law firms, and any other organizations handling sensitive information. If you don’t already, you should have MFA implemented at your firm as soon as possible to prevent the most common security breach.
Password Theft Is Common
Passwords can be stolen or guessed by a variety of means to gain unauthorized access to user accounts. A common tactic used is called credential stuffing, an automated attack where lists of stolen passwords from one breach are matched to potential usernames to attempt another breach.
As an example, LinkedIn was breached and 164 million users had their email addresses and passwords exposed. Adobe had a similar breach affecting 38 million users. Many people reuse passwords despite recommendations not to, so those stolen email addresses and passwords are often reused to try to gain access to other accounts associated with that email address or individual, including firm networks and work email accounts. You can check if any of your accounts are one of the 11.4 billion known accounts with exposed information at haveibeenpwned.com. With these major breaches sometimes taking years to be known, this represents only a fraction of all accounts with exposed information.
Credential stuffing isn’t the only known tactic used by bad actors to steal passwords. Other methods include exploiting browser vulnerabilities to extract passwords, and phishing emails that trick individuals into revealing personal information or account credentials.
Passwords get stolen. It’s a reality of the world we live in. While we should still follow best practices for passwords, such as making strong passwords either through passphrases or ideally password managers, and not using them across accounts, we cannot rely on them as the only factor to authenticate users logging into our systems. We should operate under the assumption that our passwords or someone else’s passwords at the firm are or can be compromised.
MFA Prevents Unauthorized Access
If we can’t trust passwords to keep our accounts secure, what can we trust? The answer is to not allow your critical applications to simply trust that a user is who they say they are because they input the correct username and password. As we know, passwords can be compromised, and that login attempt could be coming from either an authorized or an unauthorized user. You want a way to verify whether a login attempt is coming from the authorized user. Multi-factor authentication does just that.
In addition to the single factor of a username and password that the user knows, MFA requires the user to verify themselves and confirm the login attempt by including another factor that is unique to something the user has or is. It takes seconds to complete and adds a necessary layer of security without unnecessarily inconveniencing users.
With MFA, the login process works looks like this:
- Enter username and password as normal.
- Verify identity using mobile device, telephone, or physical token.
- The system securely logs the user in.
You and your firm members have mobile devices. A verifying factor in the login process could be entering a numeric code generated on an app on your mobile device, or accepting a push notification allowing the login. For individuals and firms that prefer not using mobile devices, a verifying factor could be accepting a telephone call or using a token that inserts into the computer. Most MFA solutions provide multiple options for the users to verify themselves.
Without having access to the physical things an authorized user does, such as their mobile device or phone, unauthorized users cannot complete the login process even if they know the username and password.
Implement MFA As Soon As Possible
In 2021, it’s abundantly clear that multi-factor authentication should be a priority to prevent common and preventable cybersecurity incidents. New York knew this back in 2019 when they mandated its use throughout city departments, but they failed to implement it and ended up in the news with a disrupted court system. Most incidents are not as newsworthy, but still result in damaged reputations, ransoms paid, and documents leaked.
Attempts at cybercrime like breaches and ransomware won’t stop, and bad actors will continue to exploit the low hanging fruit of stolen passwords. MFA is a simple, highly effective, standard security measure across all industries to ensure those attempts do not succeed.
Reach out to your IT department, cloud hosting platform, or MSP today to implement MFA. One stolen password should not be enough to gain access to your firm’s email accounts and sensitive client information.