Passwords and passcodes are everywhere, and without them we cannot access the systems that control our communication channels, financial accounts, and sensitive information. However, passwords have repeatedly proven insufficient on their own to prevent targeted attacks or misuse of our password-protected information. Even if everyone in our company used a different password for every application, changed those passwords frequently, and made each one long and complex, we would still be relying on a single factor that an attacker only has to steal once to compromise sensitive information. For example, a single phishing email could deliver a password straight into the hands of an attacker with a malicious agenda.
Our systems and data need more protection than a strong password that only one of our people knows. That is why we looked into strengthening those protections by requiring a second factor: something our people physically have on hand. Net Friends listed Multifactor Authentication (MFA) as one of the Top 5 Cybersecurity Tips for 2019, and we want to make sure we fully follow our own advice.
We had already implemented MFA on several platforms, such as O365 and our knowledgebase system. However, we hadn’t pushed hard on this solution until our SOC 2 Type II audit, when we really began to get MFA enabled on each discrete system. One reason this was so effective is that we had a person in our organization who was willing to champion the project. Our MFA champion was Patrick!
Back in 2018, when we were selecting DUO MFA as our preferred tool, Patrick became well-versed in all the MFA lingo, like the differences between HOTP and TOTP, bypass codes and magic links, and physical and virtual tokens. Patrick piloted Yubikey USB tokens, biometric tools, and various smartphone apps. He even created mechanisms that let tools without native MFA support have an authentication step inserted in front of them, so an MFA token had to be generated before you could log in, without disrupting the login flow.
After our office SOC 2 Gap Analysis report (which came from our SOC 2 Type I audit in March 2019), we knew we needed to put DUO MFA to work, protecting far more systems and data repositories than just O365 and our knowledgebase. We rolled up our sleeves and went to work! In late March, Alex from our NOC team implemented MFA on our suite of Palo Alto firewalls for internal and VPN connections, as well as on our administration portals for our managed network switches.
By July, we had enabled MFA protections on the Remote Monitoring and Management tools we use to support our customers’ devices and on our custom file management system NetFil.es. By September, we had implemented MFA on every portal involved in our data security and infrastructure systems. Our SOC 2 auditor was impressed, got to see all the MFA-protected systems during the onsite audit inspection, and gave us high marks for ensuring that a compromised password alone would not let a malicious person gain access to any system or data in our network. Thanks to the work of Patrick and Alex, we fully passed the Access Control portion of our SOC 2 audit!