Most people, when asked to picture a hacker, would describe the assailant as an individual sitting in front of a computer in a dark room, feverishly entering commands to gain access to a specific target of interest and obtain confidential data. Oftentimes, these attackers are depicted actively “injecting” viruses or using backdoors to gain access. Hollywood has helped create these false images, but the reality is much less glamorous.

According to the 2017 Verizon Data Breach Investigations Report (DBIR) – cybercriminals are opportunistic and typically utilize automated and mass “scattergun” techniques, such as phishing, to search for weaknesses with a minimal amount of effort. These weaknesses are then organized and prioritized. Those that show promise are used to mount a more focused attack. More than half of the breaches analyzed involved sophisticated and well-organized criminal groups – not lone attackers. These threat actors don’t just target big corporations, either, as 61% of the data breach victims in the 2017 Verizon DBIR report were businesses with less than 1,000 employees. More concerning is that one in 14 users were tricked into following a link or malicious email attachment – 25% of those users were tricked more than once!

Some organizations believe they have the basics covered with a firewall and a password policy requiring employees change their passwords frequently. In today’s threat landscape – a strong password is no longer sufficient to prevent account takeover. Eighty percent of hacking-related breaches investigated in the DBIR were accomplished by leveraging stolen and/or weak passwords. All it takes is a single phishing email, fraudulent website or malware infection, and a password can be exposed – no matter how complex or often it is changed. As more and more services move to the cloud, access to critical systems housing sensitive data is available from anywhere. So if a password alone is no longer enough to protect our sensitive data – what are our options?

Two-factor authentication (2FA) adds a second method of verification and, often, notification to better secure your accounts. By combining something unique to which only you have access, such as a phone, token, or fingerprint, with your password, you can better prevent attackers from gaining access to sensitive accounts – even if your password is compromised. Two-factor authentication is one of the most effective methods of account takeover prevention when deployed and used effectively. There are many 2FA solutions available today, and an increasingly large number of individual applications can be integrated with one of these solutions for additional account security. These solutions can be deployed to add desperately needed security without hindering the user experience. Modern two-factor authentication methods utilize a mobile application to send an approval notification to your smartphone – adding only a second or two to the normal login process.

Of course, when it comes to protecting company assets and information, implementing two-factor authentication on appropriate systems should be just a small piece of an overall security architecture and policy.

If you would like to learn how RSM can help your technology team implement two-factor authentication and address other technology needs, please visit our website. You can also contact RSM’s Technology and Management Consulting professionals at 800-274-3978 or email us.