Securing the Enterprise

5 ways businesses can improve information security

Adoption of stronger identity authentication, up-to-date awareness training, and a data-driven approach to combating cyberthreats are among the top investments that businesses can make for their cybersecurity programs.

Clouds armed with swords and shields.

There are a number of methods businesses can employ to stay safe.

Illustration: Christopher T. Fong/Protocol

Deploy (or strengthen) multifactor authentication

When it comes to information security ROI, multifactor authentication is hard to beat. Requiring a second form of identity verification, beyond just a username and password, has been shown to prevent the vast majority of credential-based attacks. Not all forms of MFA are created equal, though. Lately, hackers have been using techniques such as phishing to bypass some of the common methods for MFA, such as a one-time passcode sent to SMS and mobile push notifications. So while businesses that don't already have MFA would still benefit from deploying any type of the technology, those that want “unphishable” MFA will want to consider rolling out hardware security keys, which require a user to physically touch the key to complete a login. Where available, number matching — where the user inputs a code displayed in their browser into their phone, rather than the other way around — is another potential step up on MFA security.

Explore passwordless authentication

While it's still a new concept, passwordless authentication holds a lot of promise for businesses, though the approaches to passwordless do vary at this stage. Some just allow users to skip entering their password — for instance, by using biometrics such as fingerprint or facial recognition. Other options eliminate the password completely, such as by relying entirely on a mobile device's authentication capabilities, or by using a combination of biometrics and cryptography that embeds credentials into a device. Meanwhile, a new industry effort to expand the use of passwordless technology is underway, as well: Apple, Google, and Microsoft have committed to supporting "passkey" authentication in their platforms, which aims to allow for logins to third-party apps and services without the need for a password.

Keep awareness training up to date

Since it's the humans themselves who are often the weakest link, many organizations at this point understand the value of security awareness training for staff. But that value can be diminished when the training regimen lags behind current attacker trends. For instance, many training programs have warned users to look for details that are "off" when trying to spot phishing attacks. But today, many phishing attacks are not so obvious; in fact, the phishing messages and sites that users are increasingly directed toward look pretty legitimate. Trying to get employees to spot fake-looking messages may no longer be the best place to focus. What hasn't changed, however, is that phishing requests often come out of the blue and place a major emphasis on the urgency of the situation, which could still serve as clues that something suspicious is afoot.

Empower employees to work securely

Apart from training, there are other things that businesses can do — or in some cases, not do — to help encourage secure behavior by their employees. Scolding employees for the use of unauthorized applications, aka "shadow IT," is increasingly being recognized as something to "not do." Rather than admonishing employees for this risky but often well-intentioned practice, organizations should help employees feel like they can self-report when they're using an unsanctioned application for productivity reasons, according to Arctic Wolf CISO Adam Marrè. Ideally, employees will feel empowered to "do the right thing" when it comes to the applications they use, he said — and that won't happen if workers are afraid of getting in trouble.

Keep risks in perspective

Businesses always have choices about what types of cyberthreats to prioritize. But despite the concerns about threats from malware, the reality is that the vast majority of malicious activity does not include any use of malware, according to CrowdStrike. A recent report from the company's Falcon OverWatch threat hunting unit found that 71% of malicious activity now is totally malware-free — relying, instead, on the use of other tactics such as stolen credentials. To keep risks in the proper perspective, "we do have to raise more awareness about the actual tradecraft that the adversary uses," said CrowdStrike CTO Michael Sentonas. And compared to malware-based attacks, he said, the threat posed by credential-based attacks "needs more attention" than it's getting right now.

More from Securing the Enterprise