MFA Could Have Saved This Business Hundreds Of Thousands Of Dollars…
This business opted not to invest in a few dollars per user on a multi-factor authentication solution, and a few months later, it cost them hundreds of thousands of dollars. Are you making the same mistake?
Do you know the value of a simple security solution like multi-factor authentication (MFA)?
It can be easy to underestimate its importance if you’ve never had your organization’s security breached. After all, hindsight is 20/20.
Case in point: a client of ours ignored our recommendation to implement an MFA solution, and it ended up costing them six figures. Are you sure you don’t need an MFA solution?
Without MFA, This Business Was Vulnerable To Phishing Scams
We recommend a range of important cybersecurity solutions and best practices to all our clients. Based on our experience in the field, and the expertise we built in managing cybersecurity, we’ve developed a strategic approach to mitigating common cybercrime threats, including phishing.
However, at the end of the day, it’s up to our clients to actually adopt these solutions and follow these best practices. In this case, the client didn’t want to spend $5 per user per month for the MFA solution. Saving money in their cybersecurity budget ended up costing them a lot more down the line.
How Does MFA Work?
When you log in to an account that has MFA enabled, in addition to entering your password, you must either enter an additional generated code or approve the login with a “push” request sent to a secondary device.
In the event your password is compromised, your account can remain secure because the cybercriminal cannot satisfy the second factor.
There is a range of options for generating the MFA codes:
- Receiving a text message
- Using a dedicated authenticator application
- Possessing a physical device on which you must push a button to verify that you are the authorized user of that account
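To make the "generated code" option concrete, here is an added example (not part of the original article or of any vendor's product) of how a server verifies a time-based one-time code from a dedicated authenticator app (RFC 6238 TOTP) alongside the password. It assumes a constructed shared secret and password (the secret is the RFC test key, not a real enrolment), and it shows the two behaviours that matter in practice: a valid password with no valid code is rejected, and a code that was already used is rejected even within the clock-drift window.

```python
import base64
import hashlib
import hmac
import struct

# Constructed enrolment data for the demo. The secret is the RFC 4226/6238 test key
# ("12345678901234567890") in base32, the form an authenticator app would scan.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# SHA-256 stands in for a real password hash (bcrypt/argon2) to keep the demo short.
DEMO_PASSWORD_HASH = hashlib.sha256(b"correct horse battery staple").hexdigest()
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps since the epoch."""
    return hotp(base64.b32decode(secret_b32), at_unix_time // step)


def verify_login(password: str, code: str, now: int, used_counters: set, window: int = 1) -> bool:
    """Both factors must pass. A stolen password alone never gets through.

    Accepts codes from +/- `window` time steps to tolerate clock drift, and records
    each accepted counter so the same code cannot be replayed inside that window.
    """
    given_hash = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(given_hash, DEMO_PASSWORD_HASH):
        return False
    current = now // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if counter in used_counters:
            continue  # replay of a code that already logged someone in
        expected = totp(DEMO_SECRET_B32, counter * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            used_counters.add(counter)
            return True
    return False
```

At Unix time 59 the RFC test key yields the code 287082, so a phished password submitted without it (or with yesterday's code) fails the check.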
In total, our MFA solution would have cost this business around $100/month for their entire staff. Looking back, this client now knows it would have been a small price to pay compared to the money they would eventually lose.
How Did This Business Lose So Much Money?
Without our MFA solution in place, this business had no secondary protection on their account logins. All a cybercriminal would need is the username and password for a staff member’s account, and they would have access.
In this case, a new employee was targeted in a phishing attack and gave up their login credentials. Phishing is a method in which cybercriminals send fraudulent emails that appear to be from reputable sources in order to get recipients to reveal sensitive information.
After all, it’s very easy for cybercriminals to gather information about specific users, either on the company website or on social media, and use it to send a convincing email to phishing targets. In this Anatomy of an Attack video by Cisco, you can see how simple it is for cybercriminals to trick unsuspecting targets.
While an observant and well-trained user can sometimes spot a phishing email, it’s not always easy to do so. That’s why MFA is so important — it’s a final line of defense to keep the wrong person from accessing private business accounts.
The cybercriminals in this incident used the compromised credentials to access the business’ finances, and then executed a wire transfer, sending themselves hundreds of thousands of dollars. If the business had implemented an MFA solution like we had urged them to, the cybercriminals never would have been able to access the account or steal the money.
Where Is This Business Now?
In light of how much they lost in this attack, this business has now implemented our MFA solution for their entire staff. We are also managing ongoing cybersecurity training for their staff, showing them how to spot phishing emails and better protect their credentials in the future.
Cybersecurity awareness training is a highly effective way to defend your organization from phishing, ransomware, and other scams. This method recognizes how important the user is in your cybersecurity efforts. A comprehensive cybersecurity training curriculum will train users to ask important questions about each and every email they receive:
- Do I know the sender of this email?
- Does it make sense that it was sent to me?
- Can I verify that the attached link or PDF is safe?
- Does the email threaten to close my accounts or cancel my cards if I don’t provide information?
- Is this email really from someone I trust or does it just look like someone I trust? What can I do to verify?
- Does anything seem “off” about this email, its contents, or the sender?
The right training services will offer exercises, interactive programs, and even simulated phishing attacks to test your staff on a number of key areas:
- How to identify and address suspicious emails, phishing attempts, social engineering tactics, and more.
- How to use business technology without exposing data and other assets to external threats by accident.
- How to respond when you suspect that an attack is occurring or has occurred.
Is Your Organization Protected By MFA?
If you’ve hesitated to enable MFA for your accounts because it seems too complicated or too expensive, keep this example in mind. This business chose to save $100/month on an MFA solution, and in the end, they paid dearly for it.
As they say, “An ounce of prevention is worth a pound of cure”. The lesson is that it’s better to invest in your cybersecurity now, rather than pay 1000x as much down the line.
If you’re unsure about how to implement an MFA solution, don’t try to handle it all on your own. Palindrome Consulting will help you evaluate your password practices and security measures as a whole to make sure you’re not taking on any unnecessary risks.