Multi-factor authentication—it’s time to take cybersecurity seriously
Ransomware—malicious software that encrypts your data and demands payment to unlock it—has been around for over thirty years. At best, you’re aware of it. At worst, you or your employer has been a victim of it.
These days, it’s not the lone hacker sitting in a darkened basement distributing malicious code we have to worry about. Ransomware has become a multi-billion-dollar industry, with entire teams of software engineers working together to make astonishing sums of money. Some groups even offer Ransomware as a Service: they lease their malware, payment portals and negotiation infrastructure to affiliates, who carry out the actual intrusions and hand back a share of the proceeds. And the proceeds are considerable.
A recent survey of 200 Australian IT executives found that two-thirds of them had suffered a ransomware attack during 2020. Of those, one third paid the ransom. The average ransom amount was $1.25 million. That gives an estimated $55 million in ransom payments (roughly 133 victims, 44 of whom paid an average of $1.25 million), and that’s just among the 200 organisations surveyed. With the sharp rise in ransom demands seen this year, the 2021 figure can be expected to be considerably larger.
The current ransomware attack against Kaseya, whose remote monitoring and management software is used by managed service providers to administer their customers’ systems, came with a whopping US$70 million ransom demand. REvil, the cybercriminal organisation behind the attack, subsequently offered to lower the price to US$50 million in a show of willingness to negotiate. The attack has impacted between 800 and 1,500 businesses and organisations. Recovery efforts are still ongoing, with Kaseya engineers patching and testing the platform around the clock.
For not-for-profits, the risk goes beyond finances
Organisations that work directly with at-risk people and communities are likely to hold sensitive client data. If attackers gain access to that data, the consequences for clients can be devastating and life-altering, from fraud and identity theft to the exposure of addresses, health information or family circumstances that were confidential for good reason. It does not matter to the client whether the data was stolen through a sophisticated intrusion or simply through neglect. As organisations that have committed to help and not harm these people, we owe them more than sub-standard cybersecurity.
Further, this data is protected by the Australian Privacy Act and carries strict requirements on handling and storage. The Act places responsibility for protecting this data on the shoulders of those storing it and carries strict penalties for non-compliance. The possibility of being served a large penalty under the Privacy Act only compounds the financial risk involved with Ransomware attacks.
The threat is big; the solution is simple
If all that stands between your organisation’s data and a malicious actor like REvil is a password, it’s just a matter of time. A long, unique password resists brute-force cracking, but it offers no protection when it is phished, reused on a site that later suffers a breach, or captured by malware on a staff member’s computer, and those are the ways most passwords actually fall into criminal hands. Cybercriminals are indiscriminate in who they target: large or small, for-profit or for-purpose, all are fair game in their eyes. And ransom demands are only getting bigger. With many companies opting to pay the ransom to avoid costly recovery efforts or public humiliation, it may only take one attack to put your organisation in a dire position.
And, as hard as it may be to believe, the simple act of implementing multi-factor authentication (MFA) is all it takes to reduce the risk of a stolen password turning into a full account compromise significantly.
MFA adds a second step to the authentication process. As well as a password, anyone trying to log in must prove they hold something else: a one-time code from an authenticator app, a push notification approved on a registered smartphone, or a hardware security key. A fingerprint or face scan on the phone is usually what unlocks that second factor rather than a separate factor in its own right. In this scenario, even if your password is leaked, guessed or surreptitiously obtained, the attacker also needs access to the registered device to get in. Two caveats a practitioner should keep in mind: codes sent by SMS are the weakest option, because phone numbers can be hijacked, and a push prompt is only as good as the person answering it, so staff should be told never to approve a login they did not start. Where the budget allows, phishing-resistant methods such as FIDO2 security keys close even these gaps.
Implementing MFA is one of the most effective single controls against ransomware, because the great majority of ransomware intrusions start with a stolen or guessed credential. Microsoft has reported that well over 99% of the accounts it sees compromised did not have MFA enabled. Adding a second layer to the authentication process would very likely have stopped those breaches at the login screen.
An example of what putting off MFA implementation can cost
As a Managed Services Provider (MSP), the Infoxchange Group had a front-row seat to the consequences of delaying MFA implementation. One of our clients, who had put off implementing MFA, suffered a breach one Friday evening at the end of May 2021. We discovered the breach as part of our standard monitoring service, but the breach coincided with a period of lockdown in Victoria, which significantly hampered our attempts to get in contact with the organisation and affected persons.
We had to act immediately to prevent catastrophic loss for our client:
- We blocked the affected accounts, shutting them out of the system.
- We implemented MFA on the rest of the organisation’s (unaffected) accounts.
- We worked over the weekend with Microsoft to confirm MFA was active and functional on the organisation’s account and to get in touch with the organisation to ensure they notified their staff of what took place and why.
- We developed a comprehensive report for the organisation, outlining the steps taken to mitigate the disaster and how to prevent it from happening again.
While we successfully prevented malicious access to our client’s systems and accounts, the exercise was costly to them. To protect our client, we needed to act immediately. Because the attack took place on a Friday evening and the response ran through the weekend, the work attracted after-hours rates. Our client also had to work over the weekend and spent a lot of time and effort creating comms targeting the affected users and the wider organisation, not to mention conducting unexpected training on how to use MFA.
The entire exercise—the effort and the expense—was avoidable.
MFA and not-for-profits—it’s a matter of risk vs benefit
Many not-for-profits, like our client above, have put off implementing MFA because of the additional costs involved. Some have argued that they can’t afford the additional fees required to adopt MFA. It’s not an argument without merit. The COVID-19 pandemic and decreased giving have hit the not-for-profit sector hard financially, and most organisations have to watch every dollar they spend on IT.
But let’s conduct a back-of-the-envelope risk assessment. The average ransom amount in 2020 was $1.25 million. Many ransomware attacks also involve the theft of your data and the threat of public release, so paying does not make the problem go away. And because the onus for protecting personal data sits with the data holder, not-for-profits that put off adopting MFA risk regulatory penalties under the Privacy Act on top of the ransom demand. When we compare the modest cost of implementing MFA against the financial and legal exposure you carry without it, the cost of MFA looks a lot more palatable.
MFA is an insurance policy against cyberattack. If a company didn’t hold building and contents insurance or public liability insurance, you would consider them irresponsible and think twice before doing business with them. Similarly, if an organisation opted to forego reasonable protection of your personal or sensitive data, you would reconsider handing it over. While it might cost extra, MFA is a simple yet profoundly effective way of protecting your clients’ data against theft and your organisation’s finances against catastrophic exposure.
How to implement MFA
Many software platforms let you plug a third-party authenticator app, such as Google Authenticator or any other app that supports time-based one-time codes, into the login process. It gets more involved with more complex systems, particularly where a single identity provider controls access to many applications.
Microsoft has licensing options to accommodate and incorporate MFA with the Microsoft Authenticator app. Note that a baseline MFA requirement for all users is available on every Microsoft 365 plan through the tenant’s Security Defaults setting; the paid tiers (Azure AD Premium) add Conditional Access, which lets you tailor when and where MFA is required. Your MSP is the best place to start if you are running a Microsoft environment.
If the Infoxchange Group is your MSP, all you need to do is wait for the phone call! We are proactively contacting our clients who haven’t implemented MFA yet and walking them through all the steps. Infoxchange Group’s IT clients can soon expect a smooth and hassle-free transition to the world of MFA protection.
It’s time for not-for-profits to get real with cybersecurity, and MFA is a comparatively inexpensive way to prevent the most egregious cyberattacks, including ransomware attacks.
Do a sweep of your user accounts and delete any that are no longer used or required; every dormant account is one more password waiting to be stolen. Make sure the rollout covers administrator and shared accounts, not just everyday staff logins, and ask your MSP to block legacy authentication protocols (older mail clients using basic username-and-password sign-in), because those bypass the MFA prompt entirely. Work with your MSP to implement MFA and create a rollout plan so all staff are ready.
If you don’t have a MSP, or if you’re not happy with the one you’ve got, give the Infoxchange Group a call. We have a long history of providing industry-leading and cost-effective managed IT services to not-for-profits.