MFA isn't always keeping businesses safe from cyberattack

If you think multi-factor authentication (MFA) is the be-all and end-all security solution for your business, you might want to think again. New research from IDEE found that despite having MFA deployed, many firms still suffered devastating data breaches.

The company recently surveyed more than 500 IT and cybersecurity professionals working within UK businesses. Of that number, 95% have deployed some form of MFA. Even so, fewer than half (44%) avoided a cybersecurity incident in the past year. While 13% suffered just one breach, 17% suffered at least two, and the same percentage had three in the same timeframe. Together with the 5% of firms that suffered four breaches and the 3% that had five, that makes up more than half (56%) of all surveyed organizations.

Consequently, just 46% of cyber professionals described MFA as “highly effective”, while half (50%) said it was only “somewhat effective”. 

SIM-swapping and code relay

Multi-factor authentication is a security model in which a user needs more than just a password to authenticate on a platform. Usually, they either have a code sent to their phone number via SMS, or read a code from a security app or a physical token. Of these three models, SMS is generally considered the least secure, as attackers (especially state-sponsored groups and advanced persistent threats) are able to SIM-swap the victim and have the platform's codes delivered to a device they control instead.

Other models can be tricked, too, usually through phishing pages that impersonate the authentic login page and are able to relay the MFA code from the victim device to the targeted platform. 
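The reason a relayed code still works can be seen from the server's side. The following is an added example, not taken from the article or from IDEE's research: it compares a standard RFC 6238 one-time code with an origin-bound challenge response. The origins, keys and challenge are constructed, and the HMAC is a simplified stand-in for the public-key signature a real phishing-resistant authenticator would produce.

```python
import hashlib
import hmac
import struct

REAL_ORIGIN = "https://login.example.com"       # constructed: the genuine login page
FAKE_ORIGIN = "https://login.example-sso.test"  # constructed: a look-alike page

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts_totp(secret: bytes, code: str, now: int) -> bool:
    """The server sees only digits; they carry no trace of the page they were typed into."""
    windows = (now - 30, now, now + 30)  # tolerate one step of clock drift
    return any(hmac.compare_digest(totp(secret, t), code) for t in windows)

def origin_bound_response(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Assumed simplification: the client mixes in the origin the browser is really on."""
    return hmac.new(key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()

def server_accepts_origin_bound(key: bytes, challenge: bytes, response: bytes) -> bool:
    """The server recomputes the response for its own origin only."""
    expected = origin_bound_response(key, challenge, REAL_ORIGIN)
    return hmac.compare_digest(expected, response)

def compare_factors() -> dict:
    secret = b"12345678901234567890"      # RFC 6238 test secret, not a real credential
    device_key = b"constructed-device-key"
    challenge = b"constructed-server-challenge"
    now = 59                              # RFC 6238 test time
    code = totp(secret, now)              # the same digits wherever the user types them
    real = origin_bound_response(device_key, challenge, REAL_ORIGIN)
    fake = origin_bound_response(device_key, challenge, FAKE_ORIGIN)
    return {
        "totp_via_real_page": server_accepts_totp(secret, code, now),
        "totp_via_lookalike_page": server_accepts_totp(secret, code, now + 10),
        "bound_via_real_page": server_accepts_origin_bound(device_key, challenge, real),
        "bound_via_lookalike_page": server_accepts_origin_bound(device_key, challenge, fake),
    }

if __name__ == "__main__":
    for name, accepted in compare_factors().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The one-time code is accepted in both cases because nothing in it identifies the page that collected it, while the origin-bound response computed on the look-alike page fails verification.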

“The clock is ticking – it’s time for businesses to deploy authentication methods that can mitigate password-based, credential phishing and adversary-in-the-middle cyber threats that leverage ‘credentials’ as the initial access vector,” said Al Lakhani, CEO of IDEE. 

“This means investing in solutions grounded in strong digital identity proofing and transitive trust, in turn allowing businesses to improve their security and productivity with minimal time and resources. Let’s hope this data shocks a few more organizations into much-needed action.”

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.