October is Cybersecurity Awareness Month: Here’s 4 Things You can do

For the past 19 years, October has been recognized as Cybersecurity Awareness Month in the United States.  This year the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) have collaborated to create a campaign designed to provide information and resources to help educate the public.  Their campaign theme, “See Yourself in Cyber,” reinforces the human element of Cybersecurity.  With this campaign they have established four things you can do to increase your Cybersecurity posture.  To support this campaign Dopkins & Company has released a weekly blog discussing each of these topics:

1. Enable Multi-Factor Authentication
2. Use Strong Passwords
3. Recognize and Report Phishing
4. Update Your Software

While reading these blogs keep the theme (See Yourself in Cyber) in mind.  Each of these key action steps is something YOU can do to increase Cybersecurity at home, work, and school.  While each blog will discuss the actions individuals should take, they will also touch on how businesses can help their employees succeed with each action.

You can view the campaign directly on CISA’s website at https://www.cisa.gov/cybersecurity-awareness-month.

What is Multi-Factor Authentication (MFA)?

You have most likely heard of Multi-Factor Authentication and may know what it is already.  MFA has become a requirement to being approved for Cyber Insurance and on most third-party questionnaires.  Some companies, especially financial institutions, require MFA setup when accounts are created and have enforced requirements on existing accounts.  Many other companies offer it as an optional feature in account security settings.

Understanding MFA relies on understanding both authentication and factors.  Authentication is the process of verifying an identity, or who you say you are (i.e., username/email).  Because anybody can go to a website and type in your email address you need to prove it is actually you.  This is most commonly done using a password, a single factor.  There are several types of factors with the three most common being something you know, something you have, and something you are:

• Something you know is the most frequently used and includes passwords and PINs.
• Something you have is a unique item that is in your possession like a smartcard, USB drive, hardware authenticator or software authenticator.
• Something you are includes biometrics like fingerprint, facial recognition, voice recognition, etc.

MFA uses at least two different factors to provide authentication.  Let’s take a look at examples of what is and is not MFA.

Is MFA:

• A low-tech example is an ATM card (something you have) with your PIN (something you know). Walking up to the ATM with just the card is not enough to withdraw money.  The same is true if you walk up to the ATM without your card and just enter your PIN.
• Substitute the ATM for your banking website. Here you enter a password (something you know) and the code that was sent to your phone (something you have) by text.
• A slightly better version of the previous example is entering your password (something you know) and a code generated on your phone (something you have) by an authenticator app. This prevents the code from being sent over the internet to you and only exists on your phone.

Is NOT MFA:

• Logging into a website with a password (something you know) and a PIN (something you know) is not MFA because it uses the same factor twice.
• Unlocking a phone with just facial recognition (or fingerprint) is only using something you are and no second factor. If this is paired with a password/PIN then it can become MFA.
• Entering a building using your key fob (something you have) uses only one factor.

Importance

Why is this something insurance, banking, and other industries are starting to require? Why is this the first of four items being highlighted by CISA?  Simply put: Humans create weak passwords which act as a single line of defense.  And even strong passwords can be guessed, stolen, and cracked.  For more on strong passwords read our next blog on key action step #2: using strong passwords.  While enabling MFA does not eliminate the need for a strong password, it is an extra layer of protection should it become compromised.

Barriers to Implementing

With all of the attention on MFA there still may be reasons your organization has not enabled MFA everywhere it should be.

• Unaware of software/websites that should have MFA enabled – It is important to maintain an inventory of the software in use throughout your organization. This is especially true for web and cloud-based software.  If you don’t have a record of the software you use it is easy to overlook security settings.  Start by creating a list of all software that is in use and indicate which of them are accessible from the internet.
• MFA is not offered – There is still software that does not support the use of MFA. You should reach out to tech support to see if it can be setup or if it is in development.  It may be time to evaluate the risk involved with continuing to use the software without MFA.  If it is older software that is no longer being updated or supported it may be time to research new options.
• Long list of places to enable – After creating your software inventory you may be left with a long list that will take time to get through. Choose the software that represents the greatest risk if compromised and start there, continuing through the list until complete.
• Unsure which second factor to use – Using any second factor is better than none. While an authenticator is more secure than a texted code, if you can enable MFA via text today and implement an authenticator over time don’t wait on enabling MFA via text.  Software authenticators are apps that can be downloaded right to smartphones.  If employees don’t have capable smartphones, or company policy doesn’t allow for personal phones to be used, hardware authenticators can be purchased or other alternatives researched.