Last week, President Biden issued a statement whose message to the private sector on cybersecurity attack protection could not have been clearer: “If you have not already done so, I urge our private sector partners to harden your cyber defenses immediately by implementing the best practices we have developed together over the last year [...]” The White House also issued a fact sheet whose first bullet urges companies to “mandate the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system.”
This latest call to action from the White House builds on last year’s executive order, which focused on the public sector and on companies that work with federal agencies. In addition, the Office of Management and Budget (OMB) Memo M-22-09 covers several topics, including implementing phishing-resistant multi-factor authentication (MFA) as part of deploying a Zero Trust Architecture, and software supply chain security.
Cybersecurity attack protection and phishing-resistant MFA
So what exactly constitutes phishing-resistant MFA? There is some confusion about what qualifies, and we wanted to clarify.
While many products claim to be phishing-resistant, not all MFA is created equal. The OMB memo (page 7) defines phishing-resistant MFA as two authentication technologies: the Federal Government’s Personal Identity Verification (PIV)/Smart Card and modern FIDO/WebAuthn. Approaches like SMS, mobile push notification, and one-time passwords (OTP) are not included and have been shown to be vulnerable to phishing. The difference is structural: an SMS code, push approval, or OTP is a secret the user can be tricked into handing to a look-alike site, which then relays it to the real one in real time, whereas a PIV certificate or FIDO assertion is a signature that the attacker cannot reproduce and that, for FIDO/WebAuthn, is bound to the web origin the browser was actually on.
If the authentication in use is not PIV/Smart Card or FIDO/WebAuthn, then it is not phishing-resistant. The YubiKey supports both of these authentication standards and is available in FIPS-validated versions, another requirement in many public sector and government scenarios, as well as for private sector organizations that support our critical infrastructure and software supply chain.
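To make the origin-binding point concrete, here is an added example (not code from the original post or from Yubico) that walks through the server-side checks of a WebAuthn assertion and shows why a real-time phishing proxy fails them, while the same proxy passes a relayed OTP unchanged. The relying party “login.example.com”, the phishing host “login.example-com.evil”, the sample OTP value, and the use of HMAC-SHA256 in place of the authenticator’s ECDSA signature are all assumptions made for the example; the fields signed and the checks performed follow the WebAuthn assertion flow.

```python
"""Added example (not from the original post): why a FIDO/WebAuthn assertion
resists a phishing relay while an OTP does not.

Assumptions (not in the post): relying party login.example.com, phishing
host login.example-com.evil, a sample OTP, and HMAC-SHA256 standing in for
the authenticator's ECDSA signature.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "example.com"                             # relying-party identifier (assumed)
RP_ORIGIN = "https://login.example.com"           # only origin the RP accepts (assumed)
PHISH_ORIGIN = "https://login.example-com.evil"   # attacker's reverse proxy (constructed)

# Toy stand-in for the credential key pair: authenticator and RP share this
# secret and use HMAC-SHA256 where real WebAuthn uses an ECDSA key pair.
CREDENTIAL_KEY = b"toy-credential-key-not-a-real-webauthn-key"


def authenticator_sign(rp_id: str, origin: str, challenge: str) -> dict:
    """Simulate browser + security key producing a WebAuthn assertion.

    The browser, not page JavaScript, fills in clientDataJSON.origin from the
    page that called navigator.credentials.get(). The key then signs
    authenticatorData || SHA-256(clientDataJSON).
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":"),
    ).encode()
    # authenticatorData starts with SHA-256(rpId) (32 bytes), then flags and counter.
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x00"
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "signature": signature}


def rp_verify(assertion: dict, expected_challenge: str) -> tuple[bool, str]:
    """Relying-party checks from the WebAuthn assertion verification procedure."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def webauthn_login(origin_seen_by_browser: str) -> tuple[bool, str]:
    """One ceremony: RP issues a challenge, the user's key signs, the RP verifies."""
    challenge = secrets.token_urlsafe(32)
    assertion = authenticator_sign(RP_ID, origin_seen_by_browser, challenge)
    return rp_verify(assertion, challenge)


def phished_webauthn_login() -> tuple[bool, str]:
    """Real-time phishing proxy. The victim's browser is on the phishing origin,
    so that origin lands in clientDataJSON. (A real browser would refuse to use
    rpId example.com from example-com.evil at all; we let the ceremony proceed to
    show the server-side checks catch it too.) Relaying the assertion as-is fails
    the origin check; rewriting the origin breaks the signature."""
    challenge = secrets.token_urlsafe(32)
    assertion = authenticator_sign(RP_ID, PHISH_ORIGIN, challenge)
    relayed = rp_verify(assertion, challenge)
    tampered = dict(assertion)
    tampered["client_data"] = assertion["client_data"].replace(
        PHISH_ORIGIN.encode(), RP_ORIGIN.encode())
    fixed_up = rp_verify(tampered, challenge)
    return relayed[0] or fixed_up[0], f"relayed: {relayed[1]}; rewritten: {fixed_up[1]}"


def phished_otp_login(user_supplied_code: str, true_code: str) -> bool:
    """OTP/SMS-code check: the RP sees only the digits, with nothing tying them to
    the page the user typed them into, so a code relayed by the proxy is accepted."""
    return hmac.compare_digest(user_supplied_code, true_code)


if __name__ == "__main__":
    print("WebAuthn, genuine site:   ", webauthn_login(RP_ORIGIN))
    print("WebAuthn, phishing proxy: ", phished_webauthn_login())
    print("OTP relayed by proxy:      accepted =", phished_otp_login("492817", "492817"))
```

The decisive checks are the origin comparison and the signature over clientDataJSON: because the browser writes the origin and the key signs it, the attacker can neither present the victim’s assertion from a different origin nor edit it. The OTP check has no equivalent binding, which is exactly why the OMB memo excludes it.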
If you think that your organization isn’t impacted by the Executive Order, you may want to think again.
While you may already have started planning the security measures needed to comply with that order, the president’s statement brought a new sense of urgency to all companies, not just those working with the government. To help your team get moving on the security upgrades, we’ve assembled some resources and tips below. We’ll also be hosting a webinar on April 19 on this topic.
Make your cybersecurity attack protection plan
Previously, we posted about steps you can take to prepare for executive order compliance. Here are a couple of steps you can take today to get started. We also have a resource page focusing on the executive order itself.
- If you haven’t already, assemble a planning team with your top talent and task them with a full audit that prioritizes access to sensitive data. You will need a full accounting of your data, software and controls, as well as of any contractors or third parties who have access to your network. This can be a daunting task, so start with key systems and access points; the right team members can quickly identify priority systems and risks so they can be addressed first. Once the priority systems have been covered, don’t stop there: neglected low-priority systems are commonly used by attackers to gain a foothold within an organization, so auditing and scanning for non-compliant systems needs to be an ongoing effort. You might be surprised how many companies skip these full security reviews, to their detriment.
- Build a sustainable security plan that avoids quick fixes and make it part of your company’s DNA. To keep your company from running from one fire drill to the next, security needs to be a priority at all levels of the organization. Phishing-resistant modern MFA can be implemented quickly in some cases; in others it will take more effort. An agreed-upon plan that provides a consistent approach to MFA will improve and accelerate deployment. Aligning your authentication strategy with phishing-resistant standards like PIV and FIDO, which work with a wide range of Identity and Access Management (IAM) providers, operating systems, and browsers, gives you the most flexibility to address the risk and deploy quickly. If you work with the government, or plan to, a FIPS-validated key will be a requirement for government partners.
- Build funding requests into upcoming budget cycles. The hard reality is that improving your security requires resources and management approval to allocate funds. Security isn’t a one-and-done purchase; it needs to be a standard part of the budget for protecting the business. A sustainable plan helps win C-suite buy-in, because executives can see how the plan will protect the company, and a well-thought-out security plan delivers tangible benefits worth highlighting: beyond reducing risk, it can reduce audit cost and the technical debt that holds the business back. When the C-suite understands how the program improves the whole company, budget approval comes more easily. Attackers don’t wait for yearly budget cycles, so an incident may require funds outside the normal cycle; having the support of key executives such as the Chief Risk Officer helps drive such unexpected funding requests.
How should I communicate the urgency of cybersecurity attack protection to staff and stakeholders?
When the president speaks, people listen. So it’s no longer a question of whether phishing-resistant MFA is coming to the entire business world, but how long full adoption will take and which industries will get there fastest. Today you can take these steps:
- Make staff aware of the president’s statement about the need to prepare for an environment with increased cybersecurity threats. Frame it as good news – “We are getting ahead of this and getting on board with a national trend toward better security, and here are the steps we will take.”
- Be clear about the steps the organization itself will take in the next year, including who is on the planning team and what their objectives are. Transparency helps those who may be change-resistant get used to the idea that something about their routines will change.
- Be inclusive in your language when talking about the initiative. This is not something only the IT team needs to worry about; the entire organization is coming together to respond to the president’s call to action, so the “we” pronoun applies here. Use it as a learning opportunity, asking people to educate themselves or seek training on how to avoid getting phished and on workplace security best practices.
The urgency in Biden’s statement underlines what we’re all feeling at the moment: we’re living through times that change fast and can be unpredictable. By aligning your organization to prioritize cybersecurity attack protection that includes phishing-resistant MFA, you will be better prepared to address current and future cybersecurity threats.
To learn more about how to best defend against ransomware attacks, read our post on mitigation and incident response plans. More information on the executive order can also be found here and please join us for this webinar on April 19 to learn more about things your company can implement to help defend against cybersecurity attacks.