
Why Passwords are Not Enough: The Power of Multi-Factor Authentication for Business Security


Expert insights from John Heerey, Virtual Chief Information Officer (vCIO), IT Force, an Ekco company

The threats to businesses today are very different to what they were 10, or even 5, years ago.

One of the most vicious threats is a cyber security breach, which can lead to loss of revenue, impaired business operations, and damage to reputation. As someone who has been in the IT industry for over 25 years, I have seen first-hand how cyber threats are continually evolving, even over a matter of months, as hackers find new ways to infiltrate company networks and systems. Whether your organisation has 10 employees or 1,000, is generating €1 million in turnover or €100 million, hackers are always trying to get to the data you have – if they haven’t already. The IoD Ireland Director Sentiment Monitor Q4 2022 showed, for example, that 41% of its surveyed members had experienced a data breach, with 46% of these breaches occurring over the past year.

What is Multi-Factor Authentication? 

Fortunately, there are a number of measures that companies can take to improve their security posture, and you've most likely implemented some of these, such as firewalls, intrusion detection systems, and anti-virus software. One of the most vital, yet often overlooked, security measures is multi-factor authentication. Although you may not be familiar with the term, you’ll definitely be familiar with using it, most likely with online banking. Multi-factor authentication, or MFA, is a security process in which a user is required to provide two or more different types of authentication factors in order to verify their identity and gain access to a system or account. If any of the required forms of identification are missing or incorrect, access is denied.

Things You Know, Things You Have, and Things You Are

The three main types of authentication factors used in MFA are:

  • Things you know (knowledge), such as a password or PIN.
  • Things you have (possession), such as a device like a smartphone.
  • Things you are (inherence), such as voice recognition or biometric fingerprints.

By requiring multiple factors of authentication, MFA can greatly enhance the security of a system, as it becomes more difficult for an attacker to gain unauthorised access, even if they obtain one of the factors.

In practice, what this means for businesses is that when employees or contractors try to sign into your company network, it’s not enough for them just to provide their password; they need to also prove their identity in another way. The most common of these is via a mobile app, where employees respond to a push notification from the app or go into the app to get a code they can enter on their computer. 

An Additional Layer of Security

The truth is, one of the weakest links in a security system is the human factor, which refers to the role that people play in the security of digital systems and data. Weak passwords are one example of how people can leave companies more vulnerable to an attack. Using the same or similar passwords that they have on other online platforms is another example. 

The recent Microsoft Digital Defence Report 2022 revealed that the frequency of cyber attacks that rely solely on passwords has surged to approximately 921 attacks per second globally. This marks a 74% increase in just one year. The idea of all hackers being ‘cyber geeks’ holed up in basements is very far removed from the reality of cybercrime, where there are numerous organisations that have high-tech tools and talent to crack passwords and infiltrate networks within a matter of minutes. For example, this article from Wired gives some intriguing insights into the daily operations of the notorious ransomware gang Conti, which was responsible for the attack on the HSE, causing widespread disruption to Irish healthcare services for several months in 2021.

With MFA, companies are given an additional layer of security. MFA has proven crucial with the rise of remote work, as employees have been logging into company networks from different locations. In addition, more and more businesses are being required to have MFA in place in order to meet the compliance requirements in certain industries, such as healthcare and finance, and as a prerequisite for cyber insurance.

How Can My Business Implement MFA?

Companies have multiple options to implement MFA, based on their unique requirements. Here are some common methods that businesses can use for MFA installation:

  • Cloud-based MFA services: Several cloud-based services, such as Microsoft Azure and Google Cloud, offer MFA as a service. These services can be set up to provide MFA for cloud-based and on-premises applications and services.
  • Hardware tokens: Some businesses use hardware tokens that generate one-time passwords (OTPs) for MFA. These tokens are devices that employees carry with them, such as mobile phones, and use in conjunction with their regular login credentials.
  • Software tokens: Software tokens are often paired with a mobile device. Employees install an app on their smartphone, which generates a unique code for MFA. This option is offered by some cloud services, as well as standalone software providers.
  • Biometric authentication: Biometric authentication, such as fingerprint or facial recognition, is a viable MFA option for some businesses. This approach can be effective in providing MFA without requiring employees to carry a separate device or memorise a code.
  • Hybrid solutions: Some businesses may use a combination of the above methods to provide MFA. For instance, a company might use hardware tokens for certain employees and software tokens for others, depending on their job role and access requirements.
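
The software-token option above, combined with the earlier rule that access is denied if any factor is missing or incorrect, shown as an added example that is not from the article or from IT Force. It assumes the authenticator app generates standard time-based codes (TOTP, RFC 6238), which the article does not name; `USERS`, `enroll` and `login` are hypothetical names.

```python
import hashlib, hmac, os, struct, time

USERS = {}  # constructed in-memory account store, for illustration only

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for the time window containing `at` (assumed algorithm)."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def enroll(name: str, password: str, secret: bytes) -> None:
    """Store the knowledge factor (salted hash) and the app's shared secret."""
    salt = os.urandom(16)
    USERS[name] = {"salt": salt, "pw": hash_password(password, salt),
                   "secret": secret, "last_window": -1}

def login(name: str, password: str, code: str, now=None, step: int = 30) -> bool:
    """Grant access only if the password AND the app code are both correct."""
    now = time.time() if now is None else now
    user = USERS.get(name)
    if user is None or not password or not code:
        return False  # a missing factor is a denial, never a fallback
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw"])
    matched = None
    for drift in (-1, 0, 1):  # tolerate one window of phone clock drift
        t = now + drift * step
        if t >= 0 and hmac.compare_digest(totp(user["secret"], t, step).encode(),
                                          code.encode()):
            matched = int(t) // step
    code_ok = matched is not None and matched > user["last_window"]
    if pw_ok and code_ok:
        user["last_window"] = matched  # each code is accepted once (no replay)
        return True
    return False

if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed secret (RFC 6238 test key)
    enroll("alice", "correct horse", secret)
    print(login("alice", "correct horse", "", now=59))        # False
    print(login("alice", "guessed", "287082", now=59))        # False
    print(login("alice", "correct horse", "287082", now=59))  # True
    print(login("alice", "correct horse", "287082", now=59))  # False
```

A stolen password alone fails the second check, and a code captured in transit cannot be reused once it has been accepted.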

In a world where cyber threats are constantly evolving, businesses cannot afford to have a lax approach to cyber security. MFA is not just a ‘nice to have’; it’s an essential practice that we at IT Force advise all of our clients to have as a minimum layer of security. Investing in a robust cyber security strategy is not just about protecting your business from external threats; it's also about empowering your business by providing a secure digital environment for your employees and partners, to enable them to be more productive, collaborative, and innovative.

Ekco, in collaboration with Microsoft and Ireland’s National Cybersecurity Centre (NCSC), recently authored a new Secure Configuration Framework for Office 365, which provides guidelines for organisations of all sizes on how to optimally configure Office 365 – with a specific emphasis on security. You can also contact Ekco for a free Microsoft Secure Score assessment, which measures your organisation’s security posture.