Device management is essential to every organization’s cybersecurity strategy to minimize risk while maximizing efficiency and productivity.
More than 6 million Canadians were impacted by the Capital One data breach that happened this year – and that was not even the biggest breach by any stretch. The biggest data breach is still Yahoo, whose breach impacted more than 3 billion people. Big or small, however, each data breach is costly and damaging – to consumers, to businesses, and to the economy. We can – and should – learn everything we can from these incidents to avoid repeating them. In analyzing security breaches that have occurred over the last 10 years, experts found that the main reasons data breaches occur are:
- Failure to patch
- Human error
- Insider attacks
- Poor mobile device management
Failure to Patch
Too often, a breach occurs because an organization has delayed patching, leaving them vulnerable to hackers. This often happens because the organization does not have a dedicated IT staff, leaving one or more employees responsible for IT on top of their other duties. Those other duties – their “real” jobs – take priority and patching jobs get postponed.
Partnering with a managed services provider (MSP) can help solve this problem and extend the strength of your IT team, whether your team is a whole department, or one person assigned with additional responsibilities. An MSP ensures patches are installed in a timely manner, but they’re also there to monitor your network 24/7.
Clicking links and opening attachments in emails that appear to come from within your organization or from a trusted vendor cause more data breaches than we can measure. It’s possible your organization has malware sitting on your network right now that has been introduced by an errant employee and has yet to have been detected.
While we can never completely remove human error from the equation, we can drastically reduce the number of email-related data breaches by:
- Developing, implementing, and enforcing strict zero-trust policies
- Providing ongoing training to employees to help them recognize potential phishing scams
- Limiting the data to which employees have access
- Requiring multi-layer authentication that includes complex passwords and other access barriers
Insider attacks don’t account for many data breaches, but they can be the most devastating simply because of the betrayal involved. According to the 2019 Verizon Data Breach Investigations Report, insider threats are on the rise, accounting for 34% of data breaches. In one case highlighted in the DBIR, a hacker admitted that when all other efforts failed, he bribed an employee to get him inside the network.
Preventing insider attacks can be difficult; they are often only discovered after the fact during forensic analysis– and often after the employee is long gone. But you can minimize the risk of insider threats by having multiple layers of security, strictly limiting employee and third-party access to data, and by conducting regular audits. Often, insider attacks come from former employees whose access to the network was not terminated; make it protocol to immediately revoke all access to employees who leave – whether they leave on good terms or not.
Poor Mobile Device Management
Mobile phones are being used to conduct business whether you authorize it or not, so your best bet for protecting your organization is to have a highly sophisticated MDM security plan in place that includes the following:
- Strict usage requirements that include installing your security on the device being used and requiring the use of a secure network when conducting business
- Remote wipe capabilities to disconnect the device from your network in the event that it is stolen, or the employee leaves the organization
- A no-tolerance policy for any employee who refuses to comply with the security requirements
Data breaches are not going away, but you can minimize the risk to your organization with strong IT security and a comprehensive disaster recovery plan. You can’t just address one of these issues; you must have a comprehensive, proactive data security program that addresses all of these risks and more.
The ITeam understands the IT security issues facing businesses in Canada. We are committed to helping Calgary- and Alberta-based businesses develop proactive, cost-effective IT strategies that minimize risk and maximize efficiency. Contact us to learn more.
Mobile two-factor authentication (2FA) is not a new concept.
This process has been standard for several years in the banking industry.
Now that technology has advanced, mobile two-factor authentication has moved forward as well, but is anything truly secure with mobile devices?
Although nothing is foolproof, mobile two-factor authentication can be critical to maintaining cybersecurity.
What is two-factor authentication?
Two-factor authentication references other systems that double-check the authenticity of your identity.
It’s an attempt to verify that you are who you say you are, particularly when accessing financial accounts and using credit cards.
Typically, the user enters a password and then verifies their identity a second time by entering a code received via text message.
Mobile two-factor authentication has proven to be valuable for uses beyond banking, and other industries have adopted the security measure as well, including social media platforms and email platforms.
Because hacking into social media or email accounts can disrupt business, access to one password often grants access to other, more important systems.
There are three common authentication methods used in conjunction with passwords:
- Personal knowledge – This is usually a PIN or answer to a secret question: information that typically only the account holder knows. This is the least reliable method of 2FA, as hackers can quite easily obtain personal information.
- Physical device – This verifies the user’s identity based on something that the user possesses, such as a phone or USB dongle. The problem that arises with this method is that such possessions can be stolen, allowing hackers access to secure accounts. They may even be able to intercept text messages.
- Biological factor – Face or voice recognition are becoming more popular, along with fingerprints, signatures, and retina scans. Although these are some of the most secure authentication methods, they tend to be the most expensive to implement and are therefore often unavailable.
The benefits of two-factor authentication
Two-factor authentication demands that you need more than just a password to access your accounts, adding an extra layer of protection to your secured networks.
There are concerns that mobile 2FA in itself poses a security risk, as text messages or calls are not secure.
While still widely used, SMS is no longer a recommended format for 2-factor authentication, as the National Institute of Standards and Technology (NIST) is recommending an alternative to SMS for security purposes.
Luckily, authentication apps are becoming more popular, with the use of one-time passcodes that expire in seconds and vary constantly.
Such apps make mobile 2FA much harder to track, and hackers must employ sophisticated methods for a breach to be successful.
In most cases, hackers will move on to accounts that are easier to access.
So, does two-factor authentication improve security?
The short answer is yes, two-factor authentication does work when implemented properly.
But like everything else, the security is in the implementation.
Biometrics and physical authenticators (such as a USB dongle) are more secure than a text message or social media login to authenticate identity.
Because nearly everyone carries a mobile device in today’s business world, employing two-factor authentication through mobile 2FA, apps, and other innovative security solutions easily accessible to most employees offer another security layer an organization can implement to reduce risk.
Suite 200, 1210 8 Street SW
Calgary, AB T2R 1L3
Suite 200, 1210 8 Street SW
Calgary, AB T2R 1L3
(Mountain Standard Time)
The ITeam $$ (403) 750-2540 Calgary, AB5
stars"The ITeam provides peace of mind with high level security and superb customer service." - Jeff B.