Why MFA Alone Is Not Enough: The Critical Role of Security Awareness Training
The evolving and sophisticated nature of phishing campaigns has made email-borne cybersecurity threats more effective than ever before at penetrating organizations. Credential phishing was the threat of choice in 2023, accounting for 91% of active published threat reports. This represented a 67% increase in volume compared to 2022, which can be attributed to the increased effectiveness of cyberattacks that abuse stolen credentials, particularly in environments without robust Multi-Factor Authentication (MFA).
One example of this is the cyberattack on Change Healthcare, where stolen credentials were used to gain access to a server that lacked MFA. This absence was attributed to the company’s recent acquisition by UnitedHealth, which was in the process of upgrading its systems. This breach exposed the sensitive health data of millions of Americans, underscoring the critical need for basic cyber hygiene, including robust password management and MFA.
Team Manager Cyber Intelligence at Cofense.
Going beyond MFA and unique passwords
While implementing these fundamental security measures is essential, they are only one part of a comprehensive security strategy. Relying on complex passwords alone is not enough. Passwords should not be reused, as compromising a single password on a single platform can leave an individual vulnerable to threat actors who often attempt to use the same credentials on other accounts.
The recent RockYou2024 incident leaked nearly 10 billion unique passwords on a popular hacking forum, underscoring the critical need for unique passwords. Security experts have long emphasized the need to prevent password reuse and use password managers to improve account security. Some password managers even offer advanced features that can scan leaked password databases and alert users to potential vulnerabilities.
While implementing MFA is important as a layer of defense against threat actors, it is not foolproof and should be viewed as a security practice that is complemented by additional defenses. The rise of MFA bypass kits has demonstrated that these security measures can be circumvented. A recent example of this is the Tycoon 2FA bypass phishing kits. When individuals fall victim to these sophisticated attacks, they inadvertently grant threat actors access to their accounts, effectively bypassing MFA protection.
This underscores the critical role of human vigilance in protecting against these evolving threats. In essence, these phishing kits have returned the phishing arms race to where we were before the advent of MFA, where the primary defense against account compromise lies in the ability of individuals to recognize and avoid phishing attempts.
The need for human vigilance
Threat actors are constantly looking for new ways to breach systems. Attackers are exploiting weak links in organizations and targeting employees with increasingly realistic password spoofing and phishing emails. To effectively combat this growing threat, organizations must take a comprehensive proactive approach that goes beyond technical measures. Investing in security awareness training and education is crucial to empowering staff to become the first line of defense against cyberattacks.
Training employees within a company is one of the most substantial actions an organization can take to defend itself against threat actors, particularly by educating staff about the dangers of phishing emails from seemingly legitimate sources. This includes urgent requests for personal information or suspicious links and attachments.
Basic cyber literacy is becoming increasingly common, but truly instilling a sense of distrust when it comes to online interactions and activities takes time and serious investment from a company. By equipping employees with the knowledge and skills to recognize and report phishing attempts, organizations can significantly reduce the risk of successful attacks. The reality is that a single employee falling victim to a phishing attack can have catastrophic consequences for the entire organization, with the potential for significant data breaches, financial losses, and reputational damage.
Organizations should establish a simple reporting mechanism and provide employees with the necessary tools to quickly eliminate phishing threats. Training employees to recognize malicious messages can significantly reduce the risk of falling victim to these scams and having sensitive data compromised. Providing ongoing training and resources, along with encouraging open communication about potential threats, promotes a positive culture of cybersecurity awareness. Employees should feel comfortable reporting suspicious activity without fear of retaliation, knowing that their vigilance contributes to the security of the organization.
By investing in both technical and human-driven solutions, organizations can create a more resilient defense system that can withstand advanced cyberattacks. This comprehensive approach not only improves immediate security, but also builds a foundation for long-term protection against evolving threats.
We list the best password managers for companies.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we showcase the best and brightest minds in the technology sector today. The views expressed here are those of the author and do not necessarily represent those of TechRadarPro or Future plc. If you’re interested in contributing, you can read more here: