The Consequences of not having Multi-Factor Authentication


Story Time: How a Kent business owner nearly lost everything

If you leave your environment without MFA, you are leaving a door wide open for any attackers who may be trying to get into your systems. In one case, we’ve seen a company with only 26 endpoints in its environment crippled because of one decision.

A decision-maker at the firm was receiving emails from an attacker. The attacker was using phishing techniques to steal credentials, most likely through a fraudulent website portal that replicated a genuine one. The fraudulent portal captured the credentials so that they could be re-used to log in to the user’s account.

After the phishing campaign, the attacker had the decision-maker’s credentials and was able to re-use them to log in to the company’s environment, giving a complete outsider visibility over company documents, confidential information, and even their customers.

After receiving reports from customers that emails asking for payments had been sent around, the decision-maker took the right steps and informed his team and customers that the company had been breached. After explaining to customers not to pay any invoices requested by the attacker (who was posing as the decision-maker), the company then had to file a report with the ICO. The ICO is informed whenever a breach has occurred, so that it can offer guidance and investigate the breach further to ensure data protection laws haven’t been broken.

Usually, the ICO fines businesses up to £500,000 (the major financial consequence for data loss) based on the attack magnitude, and the impact it may have on the company – but in this case, the company was let off with guidance to implement MFA in their environment.

The company has since enrolled with BCS MFA – and is now working away with the extra layer of protection knowing that if this was to happen again, an attacker would have a huge wall in front of them that is almost impossible to break.

How could MFA prevent this breach?

When an attacker sends a link to a fraudulent login page, that page is designed to capture both the username and the password in plain text. In this case, the decision-maker entered their credentials and saw the password obfuscated on screen as usual. However, once the decision-maker submitted the form, the credentials were completely readable by the attacker. At this stage, all the attacker had to do was use those same credentials to log in themselves.

MFA, being multi-factor, would’ve stopped this attacker in their tracks. Even with the username and password, the attacker would have been asked for another authentication method that they didn’t have at the time, for example a 6-digit code sent by text to a mobile phone.

If this had been in place at the time of the attack, the attacker wouldn’t have been able to use the account to log in, saving the business a lot of time, resources, and money that was otherwise thrown away at this breach.

Should MFA be the only layer of security?

When dealing with cybersecurity, each security product or service you have is an extra layer of protection. For example, think of a simple email and password as a single layer. As the case study shows, that layer can be broken very easily. If you add MFA (such as BCS MFA) or something as in-depth as security monitoring, you are only strengthening security for your business. Unfortunately, some businesses overlook this and often wait until it’s too late to implement it.

What are the benefits of using BCS MFA?

When using BCS MFA, you are not only adding an extra layer of protection to your business, but you’re also giving yourself peace of mind that you are covered if anyone falls victim to a phishing email or a brute-force password attack. Here are some of the benefits of using BCS MFA:

  • Adds a Layer of Security to your Business – adding the second authentication step allows fast but secure access to any systems or resources.
  • Increased Credibility and Reputation – specific regulatory standards, such as PCI DSS, require you to have MFA to enhance protection around personal data. It also lets staff (and attackers!) know that you’re serious about protecting your data.
  • Security whilst Remote Working – remote working is slowly becoming the new normal, and with staff connecting from different locations, MFA can be a great way to shut out malicious logins, preventing data loss or any negative financial consequences.