The last couple weeks have brought a few discussions on the topic of multifactor authentication or MFA (sometimes also referred to as 2FA or two factor authentication). These discussions have been driven by the SEC’s X (formerly known as Twitter) account being hacked in order to goose the price of Bitcoin. This raised a lot of questions, ranging from whether there is a political bias around the SEC not using MFA (no), to whether the SEC can now be trusted (yes it can), to just simply how the heck could that have happened. Let’s dig into some of the lessons organizations can learn from this.
First of all, from a corporate policy perspective MFA is widespread. 87% of organizations with over 10,000 employees use it, and in organizations with between 26 and 100 employees it drops to 34%. Within technology companies it is 87%, with only 39% of transportation and warehouse companies using it. From these and other statistics one might guess that while MFA is still increasing in usage it is already there as a standard and best practice. Credit and thanks to Resmo for their recent blog and updated statistics on MFA that this came from: 40+ Multi-Factor Authentication (MFA) Statistics to Know in 2024 | Resmo
That brings us to a confession (of sorts). Viakoo is used by security professionals across a large number of verticals, people who would in their normal working life be exposed to security issues almost constantly. Viakoo supports and recommends having MFA turned on. Yet only 2% of Viakoo users have MFA on their accounts. The reason for this is all of our large customers use single sign-on (SSO), where they are authenticated by their organization and can use their company credentials to access the Viakoo service. This is probably the best equivalent to MFA in that it takes the burden away from the individual user and automates the authentication process. The problem with SSO is that it has to be supported by both sides, and not every external service will allow single sign-on.
Perception of what is at stake varies greatly; a corporate employee might think it’s just an X account and no big deal it does not have MFA, while a threat actor views it as a way to illegally gain millions in profit. An employee might view it as an uninterruptable power supply and no big deal it’s never had its firmware patched, but a threat actor views it as a way to gain entry and move laterally within the organization. That’s really the heart of the SEC issue, and part of a bigger issue in the difference between corporate security policy and what individuals or teams might do. An organization may require MFA on all critical corporate systems, but does that always translate to a service like X being considered as a critical system and the entry-level marketing person who manages the X account taking the extra time to set up MFA on it, especially when no one asks them about it?
Much of an organization’s attack surface exists outside of IT, specifically in IoT systems which are managed by the line of business. The motivations within the line of business are many (profits, deliveries, compliance, etc) and often outweigh security considerations. That’s why many IoT devices live within corporate networks still using default passwords, with unpatched firmware, and not using certificates to encrypt traffic. Taking an already over-burdened team and adding more responsibilities that they do not get judged on meeting is a recipe for having corporate security policy not followed.
How should organizations do better in closing the gap between what they say and what they do on security? Here are three key points to consider:
- Make non-IT teams accountable for security, and reward them based on it. This means having training to achieve the goals, having metrics tracked, and fostering cross-functional team discussions on best practices and what is working within the organization.
- Rely on automation wherever possible. With IoT devices in particular, manual methods do not scale for password rotations, firmware patching, or certificate management. Likewise, using an automated asset and application discovery solution eliminates guesswork on what systems are vulnerable and what their security status is.
- Expand security audits outside of IT to all parts of the organization. In first hearing about the SEC issue I thought about Viakoo’s own internal practice of quarterly reviews of external systems used, including if MFA is turned on and all users are provisioned with appropriate access. If it was limited to just IT systems there would be key systems (Salesforce, X, Facebook, etc) that were not reviewed or monitored.
Final word of advice: don’t let what happened to the SEC happen to you. Especially if your organization is IT focused in security audits, start now to bring in other parts of the team to ensure that the whole organization is following best practices. Viakoo is here to help, and has worked with many organizations to ensure that all devices (not just IT) are visible, operational, and secure.