The sudden transition to remote working has left many businesses with an increased vulnerability to cyber attacks. Cyber criminals have exploited gaps in corporate IT infrastructure, the increased use of personal devices for business use and a lack of robust IT security to steal data, compromise IT networks and divert funds.
Since remote workers may be operating on less secure networks at home, implementing a virtual private network (VPN) and multi-factor authentication reduces the likelihood of cyber criminals gaining unauthorised access to systems.
Two-factor authentication (2FA), or multi-factor authentication (MFA), is nothing new; in fact it has been around since the mid 1980s and has been used in various forms ever since. Put simply, it adds a second layer of security by requiring two separate verification stages before a user can gain entry to the system or access critical applications or databases. The vast majority of businesses have only a username and password as their standard verification stage; 2FA requires an additional stage to authenticate that the user is the person they claim to be.
The two verification stages must draw on two different elements from the following:
• A password or PIN
• A physical device, such as a mobile phone, or a software application that generates a one-time password
• Biometrics, such as fingerprint, voice or retina recognition
Protect against email inbox jacking
There have been a significant number of claims recently where cyber criminals have obtained an employee’s login credentials (usually from a phishing email or via the dark web) and used them to remotely access corporate IT systems and staff mailboxes, sending fraudulent invoices or ransomware to customers and suppliers and causing legal ramifications and reputational damage.
Privileged Access Management
In addition to securing remote access, MFA is also a useful tool for protecting mission-critical applications and data. Staff with IT admin rights can access highly sensitive data and carry out actions that could alter the configuration of, or even delete, software applications. If attackers gain a foothold in the system, for example following a phishing attack, they will seek to elevate their permissions and will try to compromise the credentials of privileged users to reach the “crown jewels”. Requiring privileged users to use MFA to access critical IT assets will significantly improve the security of those assets.
Flexible solutions available for businesses
Despite the challenges of remote working, there are a number of simple, cost-effective 2FA packages available to businesses:
• SMS token – the most common method: a dynamically generated code is sent by text message and then entered to log in to the system
• Email token – the same as an SMS token, but sent to the user’s email address instead
• Hardware token – the user is given a physical device, such as a key fob or USB dongle, that generates a code to enter at the login portal (similar to how HSBC used to manage online banking logins)
• Software token – an application installed on the computer or mobile device generates a token as part of the login process
• Phone call – a token is provided by phone call to complete the login once the username and password have been verified
• Biometrics – fingerprints, retina scans or voice recognition are used to log in
Many commonly used applications, such as Microsoft Office 365, and cloud platforms, such as AWS, already support MFA, and activating and configuring it is a relatively simple process. Alternatively, standalone solutions are readily available at modest cost and are easy to install.
Staff training remains key
Each of these solutions has its own advantages, and businesses should select a service that matches their cyber security requirements and operating model. Our risk control and underwriting experts are available to discuss risk mitigation and loss prevention strategies.
Lastly, staff training is critical. A thorough, ongoing cyber awareness programme, including regular phishing exercises, will embed best practice into a company’s culture.
Nick Bellamy, Risk Control Director, Cyber & Tech
Martyn Janes, Cyber & Tech Underwriter
CNA Hardy’s cyber proposition
Our cyber solution provides a range of cutting-edge risk management and loss prevention services designed to mitigate cyber risk and support policyholders with cyber security.
Pre-breach prevention services include IT security analysis and reviews, malware and web vulnerability detection with GamaSec, penetration testing and cyber education for staff.
If a policyholder suspects a breach, immediate breach assistance is available with just one phone call. Our partners include forensic IT investigators, legal services, and crisis and PR agencies, who offer guidance and support during and after a cyber attack.
Find out more about our cyber solution.
Further reading:
COVID-19 and Remote Working: Protect your employees and your business from cybersecurity risk
SME Cyber Threats 101: Phishing & Cyber Attacks
SME Cyber Threats 101: Impersonation Fraud
SME Cyber Threats 101: Malware