Quickbytes: When to use 2FA

How-To

Two-Factor Authentication (2FA) is now important for SMBs to use.

SMBs are Becoming Targets

As larger corporations improve their cybersecurity and become harder to attack, smaller companies become the new targets for cyber criminals. These adversaries also use the trusted connections and networks of smaller companies as stepping stones to attack their larger partners and clients. The result is that SMBs face a higher volume of attacks, and more sophisticated ones.

Using 2FA (Two-Factor Authentication) is a big help in thwarting the bad guys: a stolen or guessed password is no longer enough on its own to log in. But, like all security measures, it adds a degree of inconvenience and can take real effort to roll out.

What's the right mix of using 2FA where it counts?

Two areas give the biggest payoff from 2FA: email accounts and system administration accounts.

Email Accounts are Top Priority

The bad guys want to eavesdrop on and control email accounts; it is their number one initial target[1]. With control of a valid email account at a small, reputable company or vendor, they can send very convincing phishing emails to clients and other companies, mine the mailbox history for details about every company and person mentioned in it, reset passwords on other accounts (the reset links land in the mailbox they now control), create accounts on other systems while impersonating you or your staff, and pivot further into company network resources and services.

Protecting your company email accounts is the number one priority. If the email service you currently use does not support 2FA at login, change email services. It is that important.

Turn on 2FA for all company email accounts, and require employees to use it when logging in to the systems that provide email. If you use G Suite (now Google Workspace) or Microsoft 365, that means enforcing 2FA for every company account on those platforms, since they contain the email service and the same login unlocks everything else in the suite.

Most email systems will 'remember' a successful 2FA verification on a particular device, so employees using the same computer or phone will not be prompted at every login. This makes 2FA tolerable. Keep the trust window bounded (weeks, not forever) and revoke remembered devices as soon as one is lost, stolen or reassigned, because a remembered device is, in effect, a second factor that has already been supplied.

Of course, there is a training side to everything. For 2FA, the training is simple: NEVER give your 2FA code to anyone over the phone, by email or in person, ever. IT should never ask for it; no one but you should ever be logging in as you.[2] The same goes for approving a login prompt or push notification you did not initiate yourself. Current social-engineering scams will try, under various pretenses, to get you to read out or forward the 2FA and confirmation codes sent to your phone or email. Don't fall for it.
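To make the two points above concrete (a 2FA code is single-use and time-limited, and a 'remembered' device is a signed, expiring grant that the server can revoke), here is an added illustration written for this article. It is not code from any email provider. The article does not say which kind of second factor is in use; this example assumes authenticator-app codes (TOTP, RFC 6238) and shows the server side: the code check refuses a code that has already been consumed, and the device-trust token is bound to one user on one device, expires after an assumed 30-day window, and can be revoked when a device is lost. The seed, signing key, user and device names are example values.

```python
"""TOTP code check with replay protection, plus a signed "remember this device" token.

Added illustration for this article, not code from any email provider. The TOTP
seed, signing key, device ids and the 30-day trust window are example values.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import struct
import time

TOTP_STEP = 30              # seconds per code (RFC 6238 default)
TOTP_WINDOW = 1             # accept one step of clock skew on either side
TRUST_SECONDS = 30 * 86400  # assumed policy: a remembered device skips the prompt for 30 days


def totp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226) over a time-step counter, i.e. TOTP (RFC 6238) with HMAC-SHA1."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SecondFactor:
    """Server side of the login: checks codes and remembers devices."""

    def __init__(self, user_seeds: dict, server_key: bytes):
        self.user_seeds = user_seeds    # user -> TOTP seed; keep these in a secrets store
        self.server_key = server_key    # signs device-trust tokens
        self.last_counter = {}          # user -> highest time-step already accepted
        self.revoked_devices = set()    # devices reported lost, stolen or reassigned

    def verify_code(self, user: str, code: str, now=None) -> bool:
        seed = self.user_seeds.get(user)
        if seed is None:
            return False
        now = time.time() if now is None else now
        step = int(now // TOTP_STEP)
        for c in range(step - TOTP_WINDOW, step + TOTP_WINDOW + 1):
            if hmac.compare_digest(totp(seed, c), code):
                # Single use: a code at or below the last accepted step is a replay.
                if c <= self.last_counter.get(user, -1):
                    return False
                self.last_counter[user] = c
                return True
        return False

    def issue_device_token(self, user: str, device_id: str, now=None) -> str:
        """Call only after verify_code succeeded; the client keeps it (e.g. an HttpOnly cookie)."""
        now = time.time() if now is None else now
        claims = {"u": user, "d": device_id, "exp": int(now) + TRUST_SECONDS,
                  "n": secrets.token_hex(8)}
        payload = json.dumps(claims, separators=(",", ":")).encode()
        sig = hmac.new(self.server_key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(sig)

    def device_trusted(self, token: str, user: str, device_id: str, now=None) -> bool:
        """True only if the token is genuine, unexpired, and bound to this user on this device."""
        now = time.time() if now is None else now
        try:
            p64, s64 = token.split(".")
            payload, sig = _unb64(p64), _unb64(s64)
        except (ValueError, binascii.Error):
            return False
        expected = hmac.new(self.server_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False                # forged or tampered
        claims = json.loads(payload)
        if claims.get("u") != user or claims.get("d") != device_id:
            return False                # someone else's token, or another device
        if now >= claims.get("exp", 0) or device_id in self.revoked_devices:
            return False                # trust window over, or device reported lost
        return True

    def revoke_device(self, device_id: str) -> None:
        self.revoked_devices.add(device_id)
```

The replay check is why a code is only useful once: whoever enters it first consumes it, which is also why a scammer asking you to "read back the code we just sent" wants it in real time. The trust token carries no secret of its own; it is only as good as the server key that signs it and the revocation list the server keeps, so the lost-device procedure is a one-line revoke rather than a password reset.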

Administration, Billing, and Control Accounts

Next, add 2FA to all admin-level accounts on company servers and systems, and on third-party vendor and service accounts. Examples include: admin and billing accounts for all cloud services, administrator accounts for project management systems, and master (owner) accounts for communications systems like Slack and GoToWebinar.

In short, add 2FA to any account that (a) can add, modify or delete other accounts, (b) holds billing information or service controls that charge company credit cards or bank accounts, or (c) can chat or message vendors or clients directly in the company's name.

These accounts are especially valuable to attackers: access to them can lead to full compromise of your organization and can serve as an attack path into other organizations. Securing these high-level, high-privilege accounts is very important, and adding 2FA goes a long way toward doing that.

Pro-Tips that go along with this include:

  • Never use admin accounts for daily, non-admin work. Create standard accounts for any work that doesn't require administration-level permissions; an admin session that is open all day is the one a phishing link or malicious attachment will land in.
  • Delete accounts for services, servers, and vendors that you no longer use. A forgotten account still has a password, usually without 2FA, and nobody is watching it.
  • Keep an inventory of administration accounts (system, account name, owner, whether 2FA is on) so maintenance and management becomes faster, easier, and more accurate.
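Once that inventory exists, the three criteria above and the pro-tips can be checked mechanically. The following is an added example written for this article, not a tool from the original page: it reads a constructed sample inventory (the column names, role values and accounts are assumptions, not real data) and flags every privileged or email account without 2FA, every account whose owner has left, and every account on a service that is no longer used.

```python
"""Audit an account inventory against the article's 2FA and admin-account rules.

Added example for this article. The CSV columns, role names and sample rows are
assumed for illustration; a real inventory lives outside source control.
"""
import csv
import io

# Roles matching the article's three criteria: manage other accounts, control
# billing, or message vendors and clients in the company's name (assumed values).
PRIVILEGED_ROLES = {"admin", "billing", "master", "owner"}
EMAIL_KINDS = {"email"}   # every account on an email service needs 2FA, privileged or not

# Constructed sample inventory; none of these are real accounts.
SAMPLE_INVENTORY = """\
service,kind,account,owner,role,mfa,owner_status,service_in_use
Microsoft 365,email,alice@example.com,alice,user,yes,active,yes
Microsoft 365,email,bob@example.com,bob,user,no,active,yes
Microsoft 365,email,admin@example.com,alice,admin,no,active,yes
AWS,cloud,root,carol,billing,yes,departed,yes
Slack,chat,workspace-owner,dave,master,no,active,yes
OldCRM,saas,crm-admin,dave,admin,no,active,no
Jira,saas,erin,erin,user,no,active,yes
"""


def audit(inventory_csv: str) -> list:
    """Return (service, account, issue) for every row that breaks a rule."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        service, account = row["service"], row["account"]
        privileged = row["role"] in PRIVILEGED_ROLES
        needs_2fa = privileged or row["kind"] in EMAIL_KINDS

        if row["service_in_use"] == "no":
            findings.append((service, account, "service no longer used: delete the account"))
            continue  # no point demanding 2FA on an account that should not exist

        if row["owner_status"] == "departed":
            findings.append((service, account, "owner has left: suspend or delete immediately"))

        if needs_2fa and row["mfa"] != "yes":
            why = "privileged account" if privileged else "email account"
            findings.append((service, account, f"2FA not enabled on {why}"))
    return findings


if __name__ == "__main__":
    for service, account, issue in audit(SAMPLE_INVENTORY):
        print(f"{service:<14} {account:<20} {issue}")
```

Run it on the sample and it reports five findings: one unprotected email user, three unprotected privileged accounts (one of which is on a dead service and should simply go), and a billing-level account still owned by someone who has left. Running the same check on a schedule, against the real inventory, is what turns the "keep a list" pro-tip into an ongoing control rather than a one-off clean-up.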

Category: Excellent Improvement/Cost Ratio

Activating 2FA in just these two areas drastically reduces what an attacker can do with a stolen or guessed password. The improved security is very much worth the extra time and effort involved. This is one of the biggest and least expensive improvements in cybersecurity you can make for your organization and for yourself.

It can be hard to feel a win when you won't see the cyber attacks on your company that were foiled by this change. Would you have been hacked via an employee email account takeover next week? Next month? Next year? If you make these changes, you'll never know, because the attacks that would have succeeded now won't.

Bake it into the Organization

Make this permanent by including it in your company policies and practices. You want to make sure your company policies and training include the following key points. Add them now if needed!

  • 2FA is required on all email accounts for all employees. (Password policy, Network Security policy, Employee policy)
  • 2FA is required on all master accounts, billing accounts, and administration-level accounts for in-house servers and services as well as 3rd-party and vendor accounts. (Network Security policy)
  • All accounts (email, vendor, system, server, etc.) for any contractor or employee who no longer works for the organization are immediately deactivated, suspended (no login possible), or deleted. (Employee policy, Network Security policy)

This keeps the practice in place as staff, systems and vendors change, instead of depending on whoever set it up the first time.

BONUS: if your organization ever needs to meet regulations such as PCI DSS, HIPAA, NIST SP 800-171, SOC 2, or CMMC (among others), these practices and policies will be directly applicable and needed. So good job getting ahead of it!

Conclusion

Adding 2FA in the right places adds significantly to your organization's security without causing too much inconvenience for staff. This simple change makes a large positive impact on your security posture, and multi-factor authentication is called for by most of the regulatory frameworks mentioned above. It is highly recommended and very worthwhile.


Footnotes:
[1] Data from 2020 and 2021 trending cyber attack reports on SMBs. See the Verizon 2019 Data Breach Investigations Report and the Accenture 2019 Cost of Cybercrime Study.
[2] If, perchance, you have a legacy system that can't support administration of user accounts by an admin or super user, it is time to update that system or migrate off it. There are probably costs involved in that change that have kept you from doing it until now. Compare those costs to the cost of a single successful cyber attack or breach, which is now averaging over $2 million for SMBs in 2020, and the move becomes much easier to justify. It's all about risk management, and the risk exposure from legacy systems that don't allow good administration, 2FA, etc. has recently risen to a level of real concern.