Lack of multifactor authentication worries Aussie CSOs more than COVID-19 malware

Surveys confirm that remote work has turned Australia’s corporate security priorities on their heads.

An inability to implement multifactor authentication (MFA) has been the biggest threat to the security of Australian companies during the COVID-19 pandemic, according to a new survey that found inadequate identity management has perpetuated gaps in cybersecurity protections for companies with increasing numbers of remote workers.

Fully 46 per cent of companies with 251 to 500 employees said inability to adopt MFA had proven to be their biggest challenge during the pandemic, with half of financial services firms and 29 per cent of all companies reporting such problems in VMware Carbon Black’s recent Australia Threat Report.

Some 96 per cent of the 250 surveyed Australian CIOs, CTOs and CSOs said their organisations had suffered a data breach after a cyber attack in the past 12 months, up from 90 per cent in 2019 and 81 per cent in February 2018, reflecting a growing intensity of cybersecurity attacks that has reached fever pitch during the COVID-19 pandemic.

Australian respondents cited the most common causes of breaches as operating system vulnerabilities and third-party application breaches (cited by 18 per cent of respondents each), with 13 per cent of breaches due to successful web application attacks.

Surges in the number of remote workers had accentuated the effect of deficiencies in organisational disaster-recovery planning, with 84 per cent of respondents saying they had discovered gaps around communications with external parties and 48 per cent saying those gaps were significant.

Fully 85 per cent of companies said they had encountered problems enabling a remote workforce, with 78 per cent unable to communicate with employees as well as they would have liked.

Given the widespread reliance on well-studied collaboration tools, “adversaries are adopting more advanced tactics as the commoditization of malware is making more sophisticated attack techniques available to a bigger cohort of cybercriminals,” noted VMware Carbon Black cybersecurity strategist Rick McElroy. “Those who had delayed implementing multi-factor authentication face challenges. … As we adjust to a new normal of increased remote working and its associated threats, IT teams will face the challenge of extending security protection into employees’ homes.”

Identity at the fore of addressing remote-work security

The cited challenges around implementation of MFA have been exacerbated by home workers who are now functioning as external parties to the organisation but may still be gaining the same access to sensitive company systems with a single password.

Poor password hygiene and chronically high levels of password reuse have exacerbated the risks of exposure from inadequate identity management. One recent survey found that two thirds of Australians “always or mostly use the same password” and 41 per cent don’t think their data is valuable enough to be worth a hacker’s time.

This behaviour had made better authentication crucial for businesses that find themselves managing large numbers of exposed employees in the field.

A recent IDC/LogMeIn LastPass study, for one, blamed chronically poor internal allocation of security tasks as business leaders overlooked security specialists while seeking ways to bolster trust with internal and external stakeholders.

COVID-19 should be the impetus to get serious about MFA and zero-trust approaches

This had left adoption of MFA as a marginal strategy despite the transformations of COVID-19, with just 23 per cent of APAC organisations planning to deploy MFA to all users accessing sensitive data—despite no less than Prime Minister Scott Morrison entreating all Australian companies and government agencies to implement MFA as he warned of sustained and damaging cyber attacks on Australian interests.

“At present, security investments are focused on alleviating customer concerns regarding data privacy,” said LogMeIn Asia-Pacific and Japan vice president Lindsay Brown, “which grossly overlooks the security and monitoring of user semantics—the individuals who will be accessing the data. … Speaking the right language and setting common objectives are crucial—security leaders need to fully communicate the enterprise risk identity management addresses by extension.”

Yet with problems around MFA cited as more of a concern by VMware Carbon Black survey respondents than even COVID-19 related malware, the figures suggest that identity management related issues should be escalated as a matter of priority.

CSOs may want to seize upon the disruption of COVID-19 to push the case for more effective MFA strategies, which will hasten the move towards zero-trust models of access control that are better suited for managing remote access to company resources.

Copyright © 2020 IDG Communications, Inc.
