We keep making the point that nothing can guarantee you won’t be hacked. But you can, and must, mitigate your cyber-risk.
We think tools like Multi-Factor Authentication is crucial for protecting your IT systems – and MFA should be on EVERYTHING you use – your email and documents (Office 365), your financials (e.g. Xero), your CRM tools, your marketing software – even if it’s only accessed via a browser. We view it as a duty to your colleagues, clients and suppliers to help protect their data.
But, MFA is NOT enough by itself.
Security needs to be layered. It is much like home security: key lock, deadlock, chain/bolt, alarm and now cameras. Each layer adds an obstacle, but that is all they are. None of them alone will stop someone going in. It hopefully turns them away to find an easier target.
None of us would tell our family, “You are safe as we have a key lock. There is no need for a chain or alarm.” MFA is the same. Like a good deadlock, it has strength, but it is not infallible. If you doubt me, the book “Hacking Multifactor Authentication” by Roger A. Grimes, will step you though 50 ways to get around MFA. That does not mean that MFA should not be used anymore than you would not install a deadlock because people can still kick a door open.
It does mean that you must be very careful when you hear anyone say, “I don’t want to do all those things – can I just do one? What is the one thing that will make me secure?” The reality is that you need a combination of defenses, which keeps growing and unfortunately gets more expensive as each weapon needs a license and needs to be maintained.
