
When MFA Isn’t Enough: Enterprise-wide Protection for Your Org


Security leaders need more than MFA when it comes to securing their organization, and any CISO, IT Director, or Executive in 2023 knows it. 

Cybersecurity Awareness Month is an excellent time to focus on best practices, raise employee awareness, and understand what it really takes to keep your base secure. No technical jargon or getting lost in the weeds: just a quick, concise overview that presents the big picture and gives decision-makers the roadmap they need to steer the ship into the holiday season this fall (and all the threats that come with it).

Simple as it may sound, passwords play a critical role in securing business data and assets, no matter how complex the rest of the digital world gets. Passwords are still the key used to grant access by online services, email providers, digital databases, and cloud storage centers the world over, not to mention everything else that a business runs on. Their importance in the grand security equation cannot be overstated, and their protection should not be overlooked.

The Verizon 2023 Data Breach Investigations Report notes that over 50% of all breaches are caused by stolen or compromised credentials. Simple math states that if you cut down on password problems, you've closed the door to most of your breaches. And what company wouldn't want to do that? 

Password Policies and Best Practices

If weak passwords form the root of most breaches, then strong passwords – and strong password policies – are the primary solution.

Policies are carried out by employees, and not all employees are well-versed in good password behavior. Effective policy needs to come from the top down, and Cybersecurity Awareness Month offers an excellent opportunity to leverage industry momentum.

Educate your team on the use of password managers and invest in a Security Awareness Training solution. Don't hesitate to set company-wide guidelines on what constitutes a secure password. After all, these are corporate assets they're safeguarding. While you can't monitor their personal password habits, the skills they acquire at work will likely carry over into their personal lives. Everyone wants to stay safe.

Passwords should be sufficiently complex (try a random password generator), which typically means at least 14 characters, lower case, upper case, number...you know the drill. But your employees might not. Also within a security decision-maker's purview is determining how frequently passwords should be rotated on company assets and when they should expire.
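An added example, not code from the original post or from ZeroFox: a Python checker that enforces the baseline above (14 characters, lower case, upper case, a digit) and adds the breach-list check the article recommends later under auditing, using the k-anonymity split of the Pwned Passwords range API (only the first five hex characters of the SHA-1 hash are sent; the rest is compared locally). The "leaked" sample password and the offline range response are constructed stand-ins, not real breach data.

```python
import hashlib
import re

def policy_failures(password, min_length=14):
    """Return the names of the baseline rules a password misses (empty list = passes)."""
    rules = {
        "length": len(password) >= min_length,
        "lower": re.search(r"[a-z]", password) is not None,
        "upper": re.search(r"[A-Z]", password) is not None,
        "digit": re.search(r"\d", password) is not None,
    }
    return [name for name, ok in rules.items() if not ok]

def sha1_prefix_suffix(password):
    """Split the SHA-1 hex digest as the Pwned Passwords range API expects:
    only the 5-char prefix is sent; the 35-char suffix is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password, range_lookup):
    """range_lookup(prefix) returns 'SUFFIX:COUNT' lines (the format of
    https://api.pwnedpasswords.com/range/<prefix>); 0 means not found."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in range_lookup(prefix).splitlines():
        found, _, count = line.strip().partition(":")
        if found == suffix:
            return int(count)
    return 0

def vet_password(password, range_lookup):
    """Combine both checks: a password must pass the policy AND be unseen in breaches."""
    problems = policy_failures(password)
    if breach_count(password, range_lookup) > 0:
        problems.append("breached")
    return problems

# Constructed offline stand-in for the range endpoint (not real breach data):
# it "knows" one leaked password and pads the response with an unrelated suffix.
_LEAKED_PREFIX, _LEAKED_SUFFIX = sha1_prefix_suffix("Password2023Summer")

def fake_range_lookup(prefix):
    if prefix == _LEAKED_PREFIX:
        return f"{'F' * 35}:7\r\n{_LEAKED_SUFFIX}:12345\r\n"
    return f"{'F' * 35}:7\r\n"
```

In production, `range_lookup` would be a function that performs the HTTPS GET against the real range endpoint; the rest of the logic is unchanged.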

Password Management Solutions

Enterprise password management solutions offer a top-down approach that not only encourages safe credential practices but enforces them. These tools help those within your organization store, manage, and even create passwords that can take trillions of years to crack. That's far more secure than anything users could come up with on their own.

These solutions save both time and money. The average firm spends a startling $5.2 million per year on password resets alone. If employees could manage their own passwords via a corporate password management solution, far more than help-desk cycles would be saved.

Passwordless Authentication

Are traditional credentials still not secure enough? While most of the business world continues to rely on them, passwordless authentication is rapidly shaping up to be the login method of the future. 

Passwordless approaches include:

  • Biometrics (retinal scans, facial recognition, EKG)
  • One-Time-Passwords (OTP)
  • Smart Cards
  • Token-based authenticators (e.g., YubiKey)
  • Magic links

And more.

The benefits of passwordless authentication are numerous. It is impervious to credential-based attacks like brute forcing, keylogging, credential stuffing, and man-in-the-middle attacks for obvious reasons. And it lightens the load for users by not requiring them to remember or keep track of lengthy combinations. No more resets, no more hassle. Users can access their services using things they conveniently have on hand, like their phone, face, or a small token on their keychain.

Employee Training and Awareness

All the best practices in the world amount to nothing if the users they're intended for are unaware of them. This understanding is crucial for establishing and sustaining robust authentication in the workplace. Employees require ongoing training in password security, as adversary tactics are continually evolving. What was considered secure five years ago may now be easily exploitable. Cybersecurity awareness training for employees should be a continuous effort, not a one-and-done event.

Awareness campaigns are a great way to get the word out about strong password policies. From Auburn University’s “Treat your password like your toothbrush” campaign to The Cybersmile Foundation’s teen-targeted ads to prevent password sharing, security awareness campaigns are effective ways to bring cybersecurity practices to non-cyber-oriented users.

Creative approaches are both welcome and useful for spreading awareness. Whether it's displaying posters in the break room (yes, those are still effective), maintaining leaderboards for those who consistently pass surprise password tests, or leveraging social media with Cyber Champions (influential individuals who can help disseminate the message), don't hesitate to think outside the box. Keep in mind that as security practitioners reading articles like this, we're often preaching to the choir. Don't be afraid to state the obvious and highlight the basics. Not everyone has a background in technology, and a security awareness campaign focused on fundamental principles might be exactly what your company needs.

Password Auditing and Monitoring

While password creation is ultimately the responsibility of the employee, password monitoring and enforcement fall under the purview of security. Credentials should be regularly audited to ensure they align with strong password policies and corrected if they do not.

Organizations can detect suspicious instances of password use by keeping tabs on a few things. 

  • Monitor for brute force attacks by counting how many times a user has attempted to log in within a given time window. Set thresholds so your team is alerted when that number is exceeded.
  • Investing in an identity and access management (IAM) solution is also advisable. In addition to facilitating secure logins, many authentication tools can check whether a newly created password has been compromised in a previous breach.
  • Employees can self-monitor by checking their passwords against databases like haveibeenpwned.com, as no one likes to be deceived. 
  • To protect against Man-in-the-Middle attacks, enable encryption on your router and wireless network. This blocks "sniffers" at the entry point.
  • Specific Splunk searches can help detect (and so help stop) password spraying attacks in Active Directory environments.
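As an added illustration of the first and last bullets above (not code from the original post or from ZeroFox), here is a small Python stand-in for the threshold logic a Splunk search would express: it replays constructed failed-login records and flags one account hammered from a single source (brute force) and one source spreading a few attempts across many accounts (spraying). The log format, thresholds and time windows are assumptions; tune them to your own sign-in telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log lines (not real telemetry): "timestamp result user source_ip".
SAMPLE_LOG = """\
2023-10-02T09:00:01 FAIL alice 203.0.113.7
2023-10-02T09:00:03 FAIL alice 203.0.113.7
2023-10-02T09:00:05 FAIL alice 203.0.113.7
2023-10-02T09:00:08 FAIL alice 203.0.113.7
2023-10-02T09:00:10 FAIL alice 203.0.113.7
2023-10-02T09:01:00 FAIL bob 198.51.100.9
2023-10-02T09:01:05 FAIL carol 198.51.100.9
2023-10-02T09:01:10 FAIL dave 198.51.100.9
2023-10-02T09:01:15 FAIL erin 198.51.100.9
2023-10-02T09:02:00 FAIL grace 192.0.2.40
2023-10-02T09:02:30 OK grace 192.0.2.40
"""

def parse(log_text):
    """One (timestamp, result, user, source_ip) tuple per log line."""
    return [(datetime.fromisoformat(t), r, u, s)
            for t, r, u, s in (line.split() for line in log_text.splitlines())]

def _windowed_distinct(items, window, threshold):
    """True if some span of length `window` holds >= threshold distinct keys among (ts, key) items."""
    items.sort()
    start, live = 0, defaultdict(int)
    for ts, key in items:
        live[key] += 1
        while ts - items[start][0] > window:   # drop events that fell out of the window
            live[items[start][1]] -= 1
            start += 1
        if sum(v > 0 for v in live.values()) >= threshold:
            return True
    return False

def brute_force(events, window=timedelta(minutes=5), max_failures=5):
    """Accounts with >= max_failures failed logins inside one sliding window."""
    per_user = defaultdict(list)
    for i, (ts, result, user, _) in enumerate(events):
        if result == "FAIL":
            per_user[user].append((ts, i))      # each attempt is its own key
    return sorted(u for u, v in per_user.items() if _windowed_distinct(v, window, max_failures))

def password_spray(events, window=timedelta(minutes=10), min_users=4):
    """Source IPs whose failures touch >= min_users distinct accounts in one window."""
    per_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            per_src[src].append((ts, user))     # distinct accounts, not attempts
    return sorted(s for s, v in per_src.items() if _windowed_distinct(v, window, min_users))
```

Note the two detectors key on different things: brute force counts attempts against one account, while spraying counts distinct accounts touched from one source, which is why a per-account lockout threshold alone never catches it.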

After detecting potential attacks, the most crucial step is to have a well-prepared response mechanism in place. Real-time alerts should go directly to the security team, triggering either playbook-driven or automated incident response.

Vigilance is Key

Security leaders must be vigilant in barring the door against attackers looking for easy entry points. Unfortunately, password-based attacks are among the most ubiquitous and effective, primarily because they are simple to execute and the margin for error is wide. 

Everyone and their employer use a password, and as the Verizon 2023 DBIR states, human error plays a part in 74% of breaches. We are prone to mistakes, which is why carefully crafted, well-rounded password security approaches are needed to cut those down to a minimum.

Employees trust security leaders to "watch their six." By capitalizing on initiatives like Cybersecurity Awareness Month and implementing secure practices, we can fulfill that trust.

Find out how ZeroFox can protect your organization against Account Takeover (ATO).
