Another year in cyber security has begun. While January is usually when experts share their predictions for the year ahead (here are our predictions for the next 12 months), but you don’t need a crystal ball to work out what cyber security professionals’ main concern is right now.
The Anatomy of Account Takeover
Get practical tips to protect your organisation in our on-demand webinar
With organisations across the world beginning the year either in another lockdown or at least with a large percentage of their workforce at home, the number one priority for cyber security professionals undoubtedly remains how to continue to protect their employees while they work remotely.
Security teams have made tremendous progress in securing their distributed workforce over the past nine months.
Those who had to quickly migrate their IT estate to the cloud, will by now have settled into the “new normal” (a phrase we are all too familiar with!). However, the nature of remote working – which changes the attack surface and can make the traditional perimeter redundant – means that securing users in their homes remains a challenge.
Why account takeover remains a risk for remote workers
One concern that is likely to persevere in the minds of security professionals is how to protect their users from account takeover (ATO) attacks while they work from home. When we surveyed security professionals during the height of lockdown 1 last year, 37% ranked this as one of their greatest security concerns.
This concern is justified. The potential impact of an account takeover attack – where an employee’s credentials are compromised and their account hijacked – is enormous. Once an attacker has the privileges of an employee, they have access to a vast amount of sensitive information and are in a position to exploit other employees, customers, and partners by masquerading as a legitimate user.
The risk is exacerbated by remote working because employees are isolated from each other, which means it could take far longer for a compromised account or suspicious user behaviour to be spotted.
Just as cybercriminals have notably been exploiting employee isolation to launch targeted phishing attacks, remote working creates favourable conditions for a cyber attacker looking to extort data or money by posing as an employee.
These are our top three tips for protecting against account takeover attacks while employees are working remotely:
1. Mitigate dangerous employee behaviour
Poor security practice among employees is a direct contributing factor towards ATO attacks because the attack only works if cybercriminals are able to get their corporate passwords in the first place.
These are usually obtained through phishing attacks that trick employees into entering their credentials in fake login pages, or by finding employee credentials online following a data breach that have been reused across other services.
Unfortunately, such behaviour is prevalent. According to our survey, a third of security professionals have found employees using work credentials for personal accounts such as e-commerce sites, social media, gaming, etc.
More shockingly, 23% reported that employees had voluntarily shared their cloud service logins with other people. These behaviours put the employee and the organisation at risk, which is a fact that is not lost on security professionals. Almost 90% stated that most threats could be prevented if employees followed best practice.
Educating staff about password best practice and how to spot phishing attacks remains important but, in this environment, organisations have to go further.
Advanced email, web and cloud application security can be used to block phishing attempts that aim to steal login details, closing one potential door to employee credentials. Organisations also have to accept what we have long known in the security industry – that passwords alone are no longer fit for purpose as an authentication method – especially as diverse working locations become the norm and with so many credentials out ‘in the wild’.
2. Use Multi-factor Authentication as default – especially for high-value targets
Using Multi-Factor Authentication (MFA) by default will immediately mitigate the impact of credential capture and vastly reduce the risk of ATO attacks by adding an additional layer of security on top of the traditional password.
As a priority, organisations should roll out MFA among high-ranking staff or administrators with elevated privileges.
These accounts, along with those of the finance team and executives, are the most sought after by cybercriminals as they provide the best launchpad for resetting and granting additional access to other cloud applications and initiating secondary attacks on suppliers, customers or colleagues.
Organisations should not fall into the trap of thinking that these high-target individuals are any more responsible with their passwords than the average employee is. In our survey, even 22% of cyber security professionals confessed to using work credentials for personal accounts, and they should know better.
3. Adopt context as the new perimeter
While MFA adoption has been on the rise for some time, the step towards cloud environments is pushing more advanced contextual authentication to the forefront.
In fact, with employees working from home, a combination of identity and context has now effectively become the new perimeter for many organisations, as the traditional enterprise firewall becomes less relevant.
Because of the more fluid nature of the perimeter, user and entity behaviour analytics become increasingly important to identify patterns outside of normal and spot potentially harmful activity.
Context-aware or adaptive MFA allows organisations to interrogate the context of the login to challenge users based on unusual behaviour and reduce user friction. If the login is requested from a strange location, time, day or device the authentication solution will pick this up and ensure further verification before allowing access.
Many organisations are implementing context-aware or adaptive MFA wherever possible, to ensure there is no weak link in the defences that would allow a hacker into the environment.
Request a demo with us today to find out how additional context can help you prevent ATO attacks and create a new perimeter for your organisation, even with your employees working from home.
Download our report – Empowering the People – to find out more about how you can prevent account takeover and the other critical security challenges facing cyber security teams during these challenging times.