This month we continue our discussions around Cybersecurity Awareness and implementing layers of defense by taking a deeper look at each of the four topics mentioned last time (MFA, InfoSec Training, InfoSec Policies, and IR/DR). Multi-factor authentication (MFA) at one time was said to be 99.9% effective in stopping cyber-attacks.

As with all things cyber, new ways to compromise MFA have been devised by malicious actors. Regardless, MFA is still highly valuable as part of a defense-in-depth strategy. Passwords are often reused amongst many different user accounts, including personal accounts.

Tips for implementing MFA:

• Like any behavioral change, “Campaign and Train” your end users about MFA and the implementation to come
• Have a plan
• Start with Admin accounts
• Consider “conditional access”
• Measure and monitor

One final item to investigate in this area is passwords that have been compromised. HaveIBeenPwned is a great, free resource to be made aware of these password compromises.