Why Multi-Factor Authentication (MFA) Is Just the Beginning
It is true that implementing MFA in any form is much better than not having it, just like having better locks at your place of business, but there is a widely-touted statistic that is extremely mis-leading.
A few years ago Microsoft released a paper indicating that 99% of the businesses whose breaches they had assessed did not have MFA deployed, but this is a functionally meaningless number for several very important reasons:
- the breaches in question were online account takeovers, which gives no allowance for the countless other public-facing services every company has nowadays
- at the time, fewer than 25% of companies had MFA deployed in any form at all, so automated attacks on accounts and the use of stolen credentials by cyber-criminals were both "easy"
- it was impossible then, and is still impossible, to apply MFA everywhere, application security simply isn't that advanced yet
But in spite of these glaring flaws in the argument, the vast majority of insurance companies, and many vendors, are touting MFA as a panacea, when it is really just one tool of many, and failing to implement an appropriate over-arching cyber-security plan above and beyond MFA will result in as many breaches as ever. The better locks are good to have, but open windows are also potential points of entry.
But this analogy is far too simplistic, your attack surface is manifold, multi-dimensional, and constantly changing:
- every public-facing corporate service (websites, VPN, remote access, email, etc)
- every corporate device that can reach the Internet (including printers, wifi, embedded systems etc)
- every employee's personal devices that access corporate resources in any way
- every application which handles data for customers or vendors
...and every customer or vendor with which you exchange data is themselves an extension of your attack surface, as a breach of their systems affects you as well, either directly (attacks daisy-chaining into your systems) or indirectly (lost production and supply-chain interruptions).
In short, there are numerous vendors out there selling a vast array of cyber-security services, but without a comprehensive understanding and assessment of your entire environment, and a plan to for assessing future changes to it and incorporating that information into your cyber-security regimen, all their wares will be far less effective while simultaneously providing a false sense of security that will almost certainly lead to a negative outcome down the road.
Executive summary: do implement MFA, but don't stop there, it's just the first step of the journey.
