IT Service and Cybersecurity Experts – Leverage IT Group, LLC.

Why It's Vital You Use Two-Factor Authentication (2FA)

Most companies in Dallas-Fort Worth and the rest of the country have transitioned their data and workflows online. Any that may have been dragging their feet about the cloud prior to 2020 were given a wake-up call by the pandemic and the need to make work systems available to employees working from home.

The move to cloud services over the last 5-10 years has meant that hackers have also had to change their tactics. While it may be fairly easy for a talented hacker or novice with a “hacking kit” to break into a small company’s on-premises server if it’s not protected, breaking into a cloud server owned by Microsoft or Amazon is completely different.

When it comes to actual forced breaches, the cloud proves more secure than on-premises servers, because tools like Microsoft 365 are hosted on servers in large data centers with round-the-clock security and high-level digital protection.

This has led to a significant rise in credential theft, because stealing a login credential gives a hacker a way to get past all that high-level security.

Some statistics from Verizon’s 2020 Data Breach Investigations Report (DBIR) that show how prevalent compromised passwords have become include:

  • 77% of all cloud account breaches are due to compromised login credentials.
  • Stealing passwords has become the #1 goal of phishing emails.
  • Password dumpers (malware that steals passwords) have become the #1 malware used in data breaches.

Why Password Education Isn’t Enough

One of the best ways to protect your accounts from being compromised, even if a hacker has the password, is through two-factor authentication (2FA).

2FA requires a second form of authentication before allowing a user access to an account. In most cases this comes through a code that is sent to a specific device (mobile phone, app, or key). This time-sensitive code must be entered along with the username and password to be granted access.

The three standard ways to receive the 2FA code are:

  • SMS to a mobile device
  • Mobile app/on device prompt
  • Security key device
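
For the mobile-app method, the time-sensitive code is commonly produced with the TOTP algorithm (RFC 6238). The following is an added example, not part of the original article: it shows a login check in which the password alone is refused and a code works only once, inside a short time window. The account, password, salt and login time are constructed sample values, and the function names are illustrative.

```python
import base64, hashlib, hmac, struct

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 code: HMAC-SHA1 over the number of `step`-second intervals since the epoch."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret_b32, code, at, last_step=-1, step=30, window=1):
    """Return the matching time step or None. Tolerates +/- `window` steps of
    clock drift; refuses steps at or before `last_step` so a code works once."""
    now = int(at) // step
    for s in range(now - window, now + window + 1):
        expected = totp(secret_b32, s * step, step)
        if s > last_step and hmac.compare_digest(expected.encode(), str(code).encode()):
            return s
    return None

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed account: the secret is the RFC 6238 test key, base32-encoded.
SALT = b"constructed-salt"
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
USERS = {"alice": {"pw": pw_hash("correct horse", SALT), "secret": SECRET, "last_step": -1}}

def login(user, password, code, at):
    """Both factors must pass; a stolen password alone is not enough."""
    acct = USERS.get(user)
    if acct is None or not hmac.compare_digest(acct["pw"], pw_hash(password, SALT)):
        return "denied: bad credentials"
    matched = verify_totp(acct["secret"], code, at, acct["last_step"])
    if matched is None:
        return "denied: bad, expired or reused code"
    acct["last_step"] = matched
    return "ok"

if __name__ == "__main__":
    t = 1_700_000_000                    # constructed login time
    code = totp(SECRET, t)               # what the user's app would display
    print(login("alice", "correct horse", "", t))        # password only
    print(login("alice", "correct horse", code, t))      # both factors
    print(login("alice", "correct horse", code, t + 5))  # same code replayed
```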

Some employees aren’t keen on 2FA because they’re afraid it’s going to make their login process more difficult when they’re logging into several different company apps per day.

But statistics show that the few extra seconds are definitely worth it because employees tend to adopt bad password habits, even if they are trained on best practices for secure passwords.

  • 39% of people reuse passwords across work and personal accounts
  • 51% of employees share their passwords with work colleagues
  • 59% of organizations rely on human memory to manage passwords
  • 42% of organizations use sticky notes to remember passwords

The Benefits of Using 2FA

One of the best ways to secure any of your online or SaaS accounts is by enabling two-factor authentication. It doesn’t have to be an onerous process for employees either if you use something like a single sign-on (SSO) solution. This tool allows one sign-on and one 2FA request to log into multiple work apps.

How effective is 2FA? There are two studies that show it’s nearly 100% effective at stopping account takeovers through compromised passwords. One was released by Microsoft and the other by Google.

Microsoft: 2FA is 99.9% Effective

Microsoft sees over 300 million fraudulent sign-in attempts every day on its cloud platforms, so it definitely has a stake in wanting to keep hackers out of user accounts.

It notes that 99.9% of these credential theft attacks can be blocked by enabling 2FA on your accounts.

2FA stops hackers in their tracks because, in most cases, they will not have the physical device needed to receive the 2FA code. Thus, even if they have a user’s password, it’s not enough to get them into the account.

Additionally, if a hacker triggers the 2FA code, the legitimate user is alerted to a fraudulent sign-in attempt.

Google: 2FA is up to 100% Effective

In the Google study on 2FA, several factors were looked at, including the type of attack that was happening (automated bot, targeted, etc.) and the method of 2FA used to receive the code.

The effectiveness of 2FA ranged from 76% to 100% for device-based challenges. Here is a breakdown of the data:

  • Receiving the code via SMS:
    • Automated bot attack: 100% effective
    • Bulk phishing attack: 96% effective
    • Targeted attack: 76% effective
  • Receiving the code via on-device prompt:
    • Automated bot attack: 100% effective
    • Bulk phishing attack: 99% effective
    • Targeted attack: 90% effective
  • Receiving the code via a security key:
    • Automated bot attack: 100% effective
    • Bulk phishing attack: 100% effective
    • Targeted attack: 100% effective

How Secure Are Your Company’s Cloud Accounts?

Leverage IT Group can help your DFW business put cloud account protections in place like 2FA and others to keep you from suffering an insider attack from a hacker.

Contact us today to schedule a free consultation. Call (469) 458-0559 or reach us online.
