MailGuard Jun 24, 2024 12:34:23 PM 8 MIN READ

Medibank Aftermath – A Reminder Of The Importance of MFA for Businesses

Whack! “The absence of multi-factor authentication led to the Medibank hack, regulator alleges.” No one envies those in charge at Medibank right now, as headlines like this one from the ABC flood media feeds across the nation. Many of us are watching on as the current court proceedings continue, grateful that it’s not us or one of our clients.

The Office of the Australian Information Commissioner's (OAIC) criticism of Medibank has been widely publicised, after Medibank suffered a data breach in which the personal information of 9.7 million customers was leaked online. And more criticism is still to come. But perhaps for the rest of us, it’s a valuable lesson and opportunity to revisit and double down on some of the cybersecurity basics.

OAIC has highlighted the lack of Multi-Factor Authentication as contributing significantly to the breach. It serves as a stark reminder of the vulnerabilities businesses face without MFA, and one wonders if perhaps part of their motivation in the case isn’t to simply send a message to all other businesses about the basic measures that they should be implementing. In case those other businesses haven’t got the memo, cybersecurity is not optional. No one will forgive a business that does not take the most rudimentary steps, especially where those steps are at no cost to the business. The absence of MFA is unforgivable, and an embarrassment for Medibank.

And Medibank is not alone. In the recent alleged compromise of Snowflake accounts, a threat actor is thought to have used stolen customer credentials to target at least 165 organisations that had not configured multi-factor authentication protection on their accounts. The threat actor used credentials stolen by information-stealing malware in earlier attacks, and was able to access the targeted services due to an absence of MFA. 

The security of sensitive information is more critical than ever. With cyber threats becoming increasingly sophisticated, businesses must adopt robust security measures to protect their data. One of the most effective strategies for enhancing security is implementing Multi-Factor Authentication (MFA).

Let’s explore the benefits of MFA and how it can significantly reduce the risk of unauthorised access.

What is Multi-Factor Authentication (MFA)?

MFA is commonplace across most B2B and B2C services now, so few people wouldn’t know what it is. Most simply, Multi-Factor Authentication (MFA) is a security process that requires users to provide two or more verification factors to gain access to a resource such as an application, online account, or VPN.

Instead of just asking for a password, MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyber-attack.

These factors could include:

  • Something you know: A password or PIN.
  • Something you have: A smart card, mobile device, an authenticator app or security token.
  • Something you are: Biometric verification such as fingerprints or facial recognition.
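The "something you have" factor used by authenticator apps is a time-based one-time password (TOTP, RFC 6238) built on HOTP (RFC 4226): the app and the server share a secret, and each 30-second step produces a code from an HMAC over the step counter. The following is an added example, not code from MailGuard or from this article, showing the server side of that check: code generation, a small clock-skew window, replay rejection, and a login function that demonstrates the point made below that a stolen password alone is not enough. The shared secret is the RFC test-vector secret, and the user record and password are constructed for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time divided by the step size."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side check of the 'something you have' factor.

    Accepts the code for the current time step and `skew` steps either side
    (to tolerate clock drift), and remembers the highest step already redeemed
    so that an intercepted code cannot be replayed.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew
        self.last_used_step = -1

    def verify(self, code: str, now: int) -> bool:
        step_now = now // self.step
        for delta in range(-self.skew, self.skew + 1):
            candidate = step_now + delta
            if candidate <= self.last_used_step:
                continue  # already redeemed (or older): replay protection
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_used_step = candidate
                return True
        return False


# Constructed user store for the example: a salted PBKDF2 password hash plus a
# TOTP verifier enrolled with the RFC 4226/6238 test-vector secret.
_SALT = b"constructed-salt"
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", _SALT, 100_000),
        "totp": TotpVerifier(b"12345678901234567890"),
    }
}


def login(username: str, password: str, code: str, now: int) -> bool:
    """Two-factor login: the password (something you know) AND a fresh TOTP code (something you have)."""
    user = USERS.get(username)
    if user is None:
        return False
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if not hmac.compare_digest(pw_hash, user["pw_hash"]):
        return False
    # Only a correct password reaches the second factor; the code is consumed on success.
    return user["totp"].verify(code, now)


if __name__ == "__main__":
    secret = b"12345678901234567890"
    print("TOTP at t=59 (8 digits):", totp(secret, 59, digits=8))  # RFC 6238 vector
    print("password only:", login("alice", "correct horse battery staple", "000000", 1111111109))
    print("password + code:", login("alice", "correct horse battery staple", totp(secret, 1111111109), 1111111109))
```

The `hotp` and `totp` outputs match the published RFC test vectors, so the implementation can be checked against any authenticator app enrolled with the same secret. Storing `last_used_step` is what stops a code captured in transit from being reused within its 30-second validity window.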

The Benefits of Multi-Factor Authentication

1. Enhanced Security

By providing an additional layer of security, MFA makes it more difficult for attackers to gain access to sensitive information. This is particularly important given the volume of breached data and credentials available online, combined with weak and re-used passwords and other techniques adopted by bad actors such as brute-force attacks; together, these mean that good password security and best practices alone are not enough. With MFA, even if a password is compromised, the attacker would still need the second (or third) factor to successfully breach a system or application.

2. Reduction in Fraud and Identity Theft

By requiring multiple forms of verification, MFA helps to prevent unauthorised access, and that also reduces the risk of fraud and identity theft. This is crucial for all businesses, but especially for those handling highly sensitive personal information, such as financial institutions, healthcare organisations, government departments, and others.

3. Compliance with Regulations

For the above reasons, many industries have strict regulations regarding data protection. Implementing MFA can help businesses to comply with these regulations, avoiding potential fines and legal issues. Moreover, as we are seeing with Medibank, it can avoid the public humiliation and embarrassment of prolonged media coverage and legal proceedings that can wreak havoc on the reputations of the organisation and key executives.

4. Improved User Trust

A study by the IAPP (International Association of Privacy Professionals), the Privacy and Consumer Trust Report, which surveyed 4,750 individuals across 19 countries, found 68% of ‘consumers globally are either somewhat or very concerned about their privacy online.’ Translated, customers and clients are more likely to trust a business that takes data security seriously. Implementing MFA demonstrates a commitment to protecting user information, enhancing the company’s reputation. Conversely, customers will be rightly furious if their data security is compromised because a company did not take such rudimentary measures as MFA, which in most instances is at no additional cost to the business.

5. Protection Against BEC (Business Email Compromise)

From an email security perspective, MFA can assist in thwarting business email compromise (BEC) attempts, since stealing the second factor (such as a one-time code sent to a phone) is much more challenging than obtaining a password alone.

Business email compromise (BEC) occurs when bad actors obtain access to credentials to infiltrate an email account. Doing so means they can impersonate employees or executives by actioning emails on their behalf, assuming their identity.

In a compromised email account, bad actors will often lie in wait:

  • Searching the inbox for valuable information that allows access to systems and accounts,
  • Reading and replying to sensitive emails relating to business-critical actions, most commonly the payment of invoices, a change to account information, or systems access privileges,
  • Stealing contact information for use in other attacks,
  • Deleting sent emails so that the ‘legitimate user’ remains unaware of the presence of the bad actor, and
  • Sending emails to contacts, impersonating the legitimate user and assuming their online identity.
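The behaviours listed above leave traces in mailbox audit logs, and the sign-in that precedes them is where the missing MFA shows up. The following is an added example, not MailGuard's code or a real product's log format: a small detection routine run over constructed audit events that flags successful sign-ins made without MFA, and escalates a subsequent mass deletion from the Sent folder, or a newly created inbox rule that deletes or forwards mail, when it occurs within an hour of such a sign-in. The forwarding-rule case goes slightly beyond the list above, since it is the usual way an intruder keeps reading replies after the session ends. The JSON line format, field names, threshold and time window are all assumptions for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed audit events (not a real Microsoft 365 or Google Workspace format).
SAMPLE_LOG = """
{"ts": "2024-06-20T02:14:05Z", "user": "cfo@example.com", "event": "signin", "result": "success", "mfa": false, "ip": "203.0.113.7"}
{"ts": "2024-06-20T02:15:40Z", "user": "cfo@example.com", "event": "rule_created", "action": "delete", "filter": "subject:invoice"}
{"ts": "2024-06-20T02:16:02Z", "user": "cfo@example.com", "event": "rule_created", "action": "forward", "target": "external@example.net"}
{"ts": "2024-06-20T02:30:00Z", "user": "cfo@example.com", "event": "items_deleted", "folder": "Sent", "count": 37}
{"ts": "2024-06-20T09:01:11Z", "user": "cfo@example.com", "event": "signin", "result": "success", "mfa": true, "ip": "198.51.100.4"}
{"ts": "2024-06-20T09:05:00Z", "user": "ap@example.com", "event": "signin", "result": "success", "mfa": true, "ip": "198.51.100.4"}
{"ts": "2024-06-20T09:06:00Z", "user": "ap@example.com", "event": "rule_created", "action": "move", "filter": "from:newsletter", "target": "Newsletters"}
"""

RISKY_RULE_ACTIONS = {"delete", "forward"}   # rules that hide or exfiltrate mail
MASS_DELETE_THRESHOLD = 20                    # assumed: deletions from Sent worth a look
SUSPICIOUS_WINDOW = timedelta(hours=1)        # assumed: proximity to a no-MFA sign-in


def parse_events(text: str) -> list:
    """Parse one JSON object per line and order events by timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def _finding(ev: dict, severity: str, reason: str) -> dict:
    return {"ts": ev["ts"].isoformat(), "user": ev["user"], "severity": severity, "reason": reason}


def analyse(text: str) -> list:
    """Return findings for weak sign-ins and for post-compromise mailbox tampering."""
    findings = []
    last_weak_signin = {}  # user -> time of the most recent successful sign-in without MFA
    for ev in parse_events(text):
        user = ev["user"]
        if ev["event"] == "signin" and ev["result"] == "success" and not ev.get("mfa", False):
            last_weak_signin[user] = ev["ts"]
            findings.append(_finding(ev, "medium", f"successful sign-in without MFA from {ev.get('ip')}"))
            continue

        reason = None
        if ev["event"] == "rule_created" and ev.get("action") in RISKY_RULE_ACTIONS:
            reason = f"inbox rule created with action '{ev['action']}'"
            if ev.get("target"):
                reason += f" targeting {ev['target']}"
        elif (ev["event"] == "items_deleted" and ev.get("folder") == "Sent"
              and ev.get("count", 0) >= MASS_DELETE_THRESHOLD):
            reason = f"{ev['count']} items deleted from Sent"
        if reason is None:
            continue  # routine activity such as a rule that files newsletters

        severity = "high"
        weak = last_weak_signin.get(user)
        if weak is not None and ev["ts"] - weak <= SUSPICIOUS_WINDOW:
            severity = "critical"
            reason += " within an hour of a sign-in without MFA"
        findings.append(_finding(ev, severity, reason))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['ts']} {f['severity']:8} {f['user']}: {f['reason']}")
```

On the constructed log this yields one medium finding for the no-MFA sign-in and three critical findings for the events that follow it, while the accounts-payable user's housekeeping rule is left alone. Once MFA is enforced, the first rule never fires, and the remaining rules still provide a backstop for sessions obtained some other way.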

Implementing MFA in a Business

All businesses should assess their own specific requirements and the types of data that they need to protect. This will help to prioritise actions and to choose the most suitable approach to MFA for each scenario.

There are various MFA solutions available, including SMS-based verification, mobile authenticator apps, and hardware tokens. The business needs to select a solution that aligns best with its security needs and that is convenient for users, although in the case of highly sensitive data or systems, user convenience will matter less than the safety of the data. Nonetheless, the ease with which users can manage MFA will be an important consideration to ensure ongoing adherence.

It’s important for the business to ensure that employees understand the importance of MFA and how to use it correctly. Provide training and resources to help employees to adapt to any new systems or processes and seek feedback to ensure that those processes are being adopted universally. Non-compliance equals vulnerabilities.

Roll out MFA changes in phases to ensure a smooth transition. Start with high-risk areas and gradually extend it to other parts of the organisation. For example, high-risk people and systems are likely to include finance teams, IT admins, and marketing or CRM users.

Continuously monitor the effectiveness of your MFA implementation and update it as necessary to address emerging threats and technological advancements. For the record, it’s a regular practice for us here at MailGuard, to continually satisfy the audit requirements of our ISO/IEC 27001:2022 compliance.

Conclusion: Every Business Should Mandate MFA

At MailGuard, we talk a lot about the principle of multi-layered defence or taking a defence-in-depth approach to cybersecurity. MFA is a perfect example of that in practice. Good password hygiene and best practices alone are not enough. Whenever an organisation relies upon a single layer of protection, those users and systems will be vulnerable, because cybercriminals are incredibly cunning and sophisticated. Plus, factor in the human element, and mistakes happen. A second layer of protection, in this case implementing MFA to protect systems and data over and above good password security, is a vital tool for safeguarding sensitive information.

By requiring multiple forms of verification, businesses can significantly reduce the risk of unauthorised access and protect their data from malicious actors. The Medibank data breach serves as a crucial lesson. By implementing MFA, businesses can enhance their security posture, comply with regulations, and build trust with their customers.

As a reseller or partner, advocating for MFA solutions not only helps your clients to strengthen their security but it also positions you as a trusted expert and business partner that is committed to your clients’ best interests, and to delivering comprehensive cybersecurity solutions and advice.

Keeping Businesses Safe and Secure

Prevention is always better than a cure, and one of the best defences is to encourage businesses to proactively boost their company’s cyber resilience levels to avoid threats landing in inboxes in the first place. The fact that a staggering 94% of malware attacks are delivered by email makes email an extremely important vector for businesses to fortify.

No one vendor can stop all email threats, so it’s crucial to remind customers that if they are using Microsoft 365 or Google Workspace, they should also have a third-party email security specialist in place to mitigate their risk. For example, using a specialist third-party cloud email solution like MailGuard.

MailGuard provides a range of solutions to keep businesses safe, from email filtering to email continuity and archiving solutions. Speak to your customers today to ensure they’re prepared and get in touch with our team to discuss fortifying your customers’ cyber resilience.

Talk to us

MailGuard's partner blog is a forum to share information; we want it to be a dialogue. Reach out to us and tell us what your customers need so we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.

Australian partners, please call us on 1300 30 65 10

US partners call 1888 848 2822

UK partners call 0 800 404 8993

We’re on Facebook, Twitter and LinkedIn.