The Press and Journal (Aberdeen and Aberdeenshire)
Is MFA still the best option?
Stolen credentials through phishing attacks were the most common cause of cyber breaches among UK businesses last year, a new study has revealed.
Cybersecurity firm IDEE commissioned an independent survey of more than 500 IT and cybersecurity professionals around Britain.
It found more than three-fifths (61%) of businesses experienced a cyber breach in 2023, with 25% suffering three or more.
When asked to name the cause or causes of their most recent breach, 35% said it was the result of stolen credentials – passwords, tokens, etc – through phishing attacks, making it the most common reason.
The next most frequently selected factor, with 29%, was “a vulnerability that was not patched by their cybersecurity solution”.
The data raises questions about the efficacy of password-based multifactor authentication (MFA) solutions.
Nearly one-quarter (23%) of those surveyed said that their MFA solution was bypassed or compromised in their latest breach. The same number (23%) suffered a breach due to a backdoor attack – malware that sidesteps authentication procedures to gain access.
IDEE chief executive Al Lakhani said: “The data perfectly encapsulates the fundamental flaw behind so many MFA solutions: they are password reliant.
“The cyber industry’s ‘best’ solutions in recent years have tried to bolster security with additional authentication factors like OTPs (one-time passwords), push notifications, or QR codes.
“But these methods remain tethered to centrally stored passwords and are, therefore, susceptible to phishing attacks.
“Consequently, businesses continue to suffer breaches and account takeovers because they focus on detection rather than actually preventing the breach in the first place.”
Mr Lakhani added: “Businesses’ dependence on password-reliant MFA is a case of herd mentality.
“It’s time to stop following others and embrace solutions rooted in transitive trust and robust identity proofing.
“Hopefully, this research acts as a wake-up call for cyber teams across the country.”
The market research was carried out by Censuswide in November 2023.
A total of 501 IT and cybersecurity professionals throughout the UK took part in the survey.
Meanwhile, more than 160 events recently took place around Scotland to help boost this country’s resilience to cyber attacks.
CyberScotland Week 2024, from February 26 to March 3, offered something for everyone, whether it was to help them be safer in their personal lives, or for their organisation to develop robust cyber defences.