Back to all Blogs »

To be Effective, Cyber Security Must be Simple

Darran ClareAccelerate Technologies have seen many reasons why businesses avoid implementing multi-factor authentication security to their users. Whilst they are all compelling, they are all challenges that are addressable through a mix of setting expectations, providing clear, regular and guided communication and technology that is seamless to deploy and simple to use.

Multi-factor authentication technology provides unquestionable advances to password-only account security, preventing a threat actor from accessing an account even if they have obtained a user’s password. So why, when many Cloud SaaS applications (e.g. Office365, G-Suite) offer MFA protection for free, businesses have still not implemented it as a high priority to mitigate the risk of account compromise?

Continue reading as we discuss more around some of the challenges we have seen when deploying MFA in organisations and how each of them can be assessed individually and resolved.

1. Deploy in stages

To successfully roll out multi-factor authentication, we need to be clear about which systems need protecting and that means understanding which applications or perimeter access (VPN’s) are accessible publicly and which systems may hold critical data. There will be many instances where Legacy applications may interfere with our ability to deliver a single technology solution, but it is important to review all technology available and select the best fit for the majority of the requirements.

Deploying MFA at scale is also not straightforward and while the eventual goal is to deploy MFA to everyone, focusing priorities towards the applications and users that face the biggest risk of compromise is the best approach.

2. Resistance to change

An area IT security teams will face many times is employees and in some instances executive resistance to change. Such resistance may stem from many reasons, each of them extremely important to be aware of and to get right when implementing new technology that will directly affect the user on a day to day basis.

  • Fear of the unknown
  • Not being consulted
  • Lack of communication
  • No clear benefits or value
  • Unclear on the need for change
  • The effort required to learn
  • Lack the skills to use it
  • Hardwired habits

We should always anticipate the reasons why employees might be reluctant to use new technology before it is introduced.

3. Corporate vs Personal

We see a lot of users in organisations that have multiple devices, a mix of corporate and personal but many users don’t require a corporate mobile device to carry out their role and are reluctant to install any Application the organisation requires for productivity, let alone security. Offering a choice of factors will help to get users on board with the change, allowing them to pick the one that best suits them.

One solution to the use of personal devices could be SMS codes, something that is used by many organisations today but is also reducing in use over time. It has been noted that SMS tokens may present security concerns with research showing that SMS tokens may be compromised when delivered through SMS.  The threat is not particularly in the delivery method but more in the threat of a user’s mobile device being compromised through the installation of malicious applications or malware-infected emails, all of which is outside of the control of an organisation’s IT department.

The alternative and preferred option by many organisations are to utilise a smartphone app, which does not require the user to hand over control or monitoring of a personal device. But this option should still be approached with caution as all published mobile applications will have a minimum supported OS version and it would be wrong to assume that every user in the organisation has the latest smartphone with the most up to date OS.  Therefore, it is very important to consult users in the process and technology selection from the outset, along with a collaborative relationship with HR teams to instil cultural change and understanding of why the business needs user’s assistance to protect themselves as well as the organisation.

4. Authenticate only when needed

It is important to make sure that multi-factor authentication solutions deployed are not onerous to use and only request additional authentication when needed. Protecting sensitive data and critical systems through strong authentication is critical, but if security demands MFA authentication to occur numerous times in a day or even a week, complaints will increase and users will resist or look for ways to get around the additional security steps, something seen previously with overly complex password policies.

Technology through single-sign-on (SSO) makes it feasible to reduce the number of these authentications presented to the user, recording and recognising known devices, OS levels, web browsers and in many instances’ corporate networks or geographical locations of users. Single-sign-on (SSO) improves the users’ experience of MFA and should not be a consideration but a necessity when choosing the right MFA solution.

5. Distributed workforce

As organisations transform the way they work through technology and connectivity, a larger proportion of the organisational workforce is working from remote locations.

Deploying new software to a distributed workforce through managed corporate devices has become a regular and repeatable process that several organisations are comfortable with and have understood how best to manage the process and achieve success. But as we have seen with previous initiatives like bring-your-own-device (BYOD), deploying software and introducing new procedures and processes, bring a whole new set of challenges, especially when performed at distance to the user.

With Social Media driving new behaviours and user interaction, Accelerate Technologies have delivered successful MFA deployments by complementing the rollout with short, simple and on-demand video content that captures attention and delivers the message and guidance effectively. Whether deploying to office users or distributed workforce, making use of custom video content that guides your users through the process, whilst having relevancy to your organisation and applications provides an effective and efficient way to roll out MFA to your user base.

Watch how to deploy O365 MFA

6. Help at hand

During any major rollout of software or processes to users, there will undoubtedly be failed enrolments, sign-ins and account lockouts. Even with the best training or guides, failures from legitimate users getting the process wrong will occur and they will need assistance to get working again.

It is important to spend time planning how these users will be supported during the rollout as well as the ongoing support the users will need for lost or new mobile devices or general problems logging in with another step in the authentication process. Similarly, it is important to change any existing processes that deprovision user entitlements or tokens when employees leave an organisation.

7. Measure and Monitor

Implementing multi-factor authentication isn’t a quick win like the flick of a switch and in many ways is one of the reasons organisations are reluctant to proceed, but the level of protection and risk mitigation it offers is extremely compelling and effective.

Being conscious that any project involving the interaction of users and technology is going to be challenging as there will always be several variations in how users respond, follow instruction and perform with technology, all of which will present their issues. But as you deploy MFA through a pilot group, be prepared to monitor the deployment closely and reach out to users to obtain feedback.  All this will help you assess and change anything in the procedures or process to help both the organisation and project to be a success.

Read this page for more background on Identity and Access Solutions.

Reach out to Accelerate Technologies to discuss which technology is right for your business and how an effective MFA rollout and be achieved.


Subscribe to Cyber Security & Resilience Insights