MFA is not enough to mitigate identity theft and misuse


By Blair Crawford, CEO and Co-Founder, Daltrey
Monday, 30 January, 2023



The misuse of employee credentials is a major risk for all Australian businesses in the fight against cybercrime.

While high-profile businesses such as Optus and Medibank have been targeted recently, attacks are being recorded every seven minutes according to the Australian Cyber Security Centre (ACSC). The Office of the Australian Information Commissioner received 185 calls relating to data breaches where PII was compromised. The cost of breaches is significant, with the Australian Institute of Criminology putting the cost in the billions of dollars according to a recent report.

Hackers don’t hack — they log in

The Verizon Data Breach Investigations Report and Ponemon Institute Cost of a Data Breach Report tell us almost every successful cyber attack starts by compromising access to an endpoint on a network. And the easiest way to access an endpoint on a network is by compromising a login credential. Despite the perception, in many cases, hackers don’t hack their way into business systems; they simply log in.

It can be very difficult to completely stop a highly skilled, motivated and resourced attacker. But robust identity management can make it much harder to initiate an incursion and to move between various business systems — from a low-value target to the store of your customer or personnel data, or some other repository of sensitive information.

Australian businesses can start by shifting their reliance away from traditional username and password authentication. The Essential Eight advocates the use of multi-factor authentication (MFA). With MFA, users must provide a second piece of information to log in or access sensitive information, such as a code generated by an app like Microsoft Authenticator or Google Authenticator. Biometrics linked to properly verified identities give businesses a powerful defence against attackers seeking to break into systems.

Biometrics not only offer stronger security than MFA, they also overcome MFA fatigue, which stems from a user experience that is often friction-filled for staff. MFA fatigue was the root cause of the breach of Uber’s systems in 2022. Biometrics are also easier to use, which improves organisation-wide adoption and strengthens protection. While it is possible to steal user credentials — HaveIBeenPwned has records for almost eight billion stolen user accounts — biometrics deter threat actors by making it much harder and more complex to penetrate defences.

A robust identity management platform, backed by strong authentication, should also be employed to ensure that access to systems, and the ability to reach one system through another, is tightly controlled. Many attackers move laterally between systems to find the data they deem valuable. By using biometrics to challenge these movements, it’s possible to thwart attackers as they seek to access valuable data and systems.

Making the move to biometrics

Biometrics enable organisations to have greater assurance that the identity of a person is tightly coupled to how they authenticate access to systems. While it’s easy for a threat actor to use stolen login credentials, it is much harder to overcome a biometric security platform that uses fingerprint scanners, facial recognition or some other unique personal attribute.

In 2023, more Australian businesses will accelerate the rollout of biometric identity technology that integrates with existing technology environments while adhering to industry standards.

Businesses can bolster their cybersecurity posture with biometrics that are built to standards and deployed by experts. These can be easier to use than MFA or other security tools and minimise the risk of credential theft leading to the loss of important data such as PII.

Biometrics offer businesses a highly secure way to control access to systems and data that boosts security and minimises friction for users. Biometrics simplify the user experience and are far harder to break past than usernames and passwords or MFA.
