February 04, 2022
The COVID-19 pandemic and the rise in employees working from home has prompted companies to think of more secure ways to keep their private information safe. Despite this shift in thinking, the majority of companies are only protecting certain departments with MFA rather than every user.
“Not putting MFA on all of your applications is kind of like putting a lock on your front door but not your side door or the back door and saying that’s good enough,” said Thomas Sydorowski, CTO at Cyphercor when we asked him about what mistakes companies make when deploying MFA. It’s a good point — if you would take extra measures to protect your house, then why not do the same to protect your company? So why do companies still not protect everything and everyone fully?
The “it won’t happen to me” mentality is a big issue that we see on a regular basis. While hacks are happening more frequently, some companies still believe that they won’t get hacked because their business isn’t a prime target. That belief leads to the idea of protecting only the departments that hold the most valuable information: if those departments are protected, why protect everyone else? Budget is another reason, since a company may feel it has to prioritize its most important departments. Or they simply don’t know the dangers of leaving security gaps.
Believe it or not, even if just one user has no extra protection on their account, a hacker could still gain access to your company information through that employee’s unsecured account. All users, whether or not they have MFA protection, have access to your company server, network connection, and so on. Leaving just one user without MFA increases your risk of a data breach.
What does this vulnerability look like in real life?
Let’s say you run “ABC company” and you have four departments: Executives, Admins, Sales and Marketing. You only give MFA protection to Executives and Admins, while Sales and Marketing use traditional username and password logins. One day you notice some odd behavior within your database and come to the realization that you have been the victim of a breach. You find out that the source of the breach was one of the Marketing department’s accounts. Fortunately, it was a small breach that didn’t have severe consequences. However, when you go to your insurance agency and explain the problem, you find out that they won’t cover it, because you did not have MFA in place for every single user in your company, only half. You now have to pay for the damages out of the company pocket.
This is how last year’s Colonial Pipeline attack occurred. The attack happened because there was no MFA on a user’s deactivated account. The account was no longer in active use, but the VPN login tied to it still worked, and that gave the hackers a gateway into the company’s private information. While the account was no longer in use, it could still be hacked. The VPN associated with the account also didn’t have any MFA on it, meaning there was no extra layer of security on the VPN and the login was very simple for the hackers to breach.
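As an added illustration (not code from this post or from LoginTC), here is a small Python audit over a constructed account inventory shaped like the ABC company scenario above: it reports MFA coverage per department and lists every VPN-capable login that lacks MFA, calling out deactivated or dormant accounts of the kind described in the Colonial Pipeline case. The inventory, its field names and the 90-day dormancy threshold are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Account:
    user: str
    department: str
    mfa_enrolled: bool
    vpn_enabled: bool
    active: bool          # False = account deactivated / employee gone
    last_login: date

# Constructed inventory mirroring the "ABC company" scenario: only Executives
# and Admins are MFA-protected; one Marketing account is deactivated but keeps VPN.
TODAY = date(2022, 2, 4)
INVENTORY = [
    Account("ceo", "Executives", True, True, True, TODAY - timedelta(days=1)),
    Account("sysadmin", "Admins", True, True, True, TODAY - timedelta(days=2)),
    Account("sales1", "Sales", False, True, True, TODAY - timedelta(days=120)),
    Account("mkt1", "Marketing", False, True, True, TODAY - timedelta(days=1)),
    Account("mkt-old", "Marketing", False, True, False, TODAY - timedelta(days=200)),
]

def coverage_by_department(accounts):
    """Fraction of accounts with MFA per department; any value below 1.0 is a gap."""
    totals, covered = {}, {}
    for a in accounts:
        totals[a.department] = totals.get(a.department, 0) + 1
        covered[a.department] = covered.get(a.department, 0) + int(a.mfa_enrolled)
    return {d: covered[d] / totals[d] for d in totals}

def unprotected_entry_points(accounts, stale_days=90, today=TODAY):
    """Accounts that can reach the network over VPN without MFA, each with the
    reasons it matters; deactivated and dormant accounts are flagged explicitly."""
    findings = []
    for a in accounts:
        if not a.vpn_enabled or a.mfa_enrolled:
            continue
        reasons = ["no MFA on VPN login"]
        if not a.active:
            reasons.append("account deactivated but VPN still enabled")
        elif (today - a.last_login).days > stale_days:
            reasons.append(f"no login in over {stale_days} days")
        findings.append((a.user, a.department, reasons))
    return findings

if __name__ == "__main__":
    print(coverage_by_department(INVENTORY))
    print(unprotected_entry_points(INVENTORY))
```

Any department below 100% coverage, and any flagged VPN login, is the "side door" the quote above warns about; the deactivated-but-enabled case is the one to close first.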
When full deployment is not implemented, not only are you risking vulnerabilities for your company, but you’re also risking not being eligible for cyber security insurance. Most insurance companies will not provide you coverage if only part of your company is using an MFA solution. In most cases they’ll deny you completely. If you intend to get cybersecurity insurance for your company, then there are certain requirements you need to follow.
While it may seem like only protecting your top key assets with MFA is a good idea that’ll save you money, it is actually harmful for your business in the long run and could cost a lot more than you think.
As we’ve said before, MFA is the best way to ensure your company is fully protected against cybersecurity threats and attacks. Nowadays, there are plenty of affordable MFA solutions, which makes protecting every single user more feasible and can fit within your company’s budget, so you won’t have to pick and choose who is protected and who isn’t. The more you can educate yourself and your employees about the dangers of not having MFA, the better equipped you will be to handle security within your company.