When multi-factor authentication became widely available, many believed it was enough to stop all hacker attacks.
Now, even multi-factor authentication is being targeted by hackers.
“The adversaries don’t care how we feel. They don’t care that we’re annoyed.”
– John O’Brien,
Microsoft Canada
John O’Brien, Security Leader – Customer Success at Microsoft Canada, says there are two issues facing hackers that startups can use to their advantage: first, hackers are lazy, always wanting the easiest route to stealing information, money, or both. And second, the hacking ecosystem has grown so much that hackers have business expenses they need to keep an eye on—if you can make targeting your company too costly, hackers are more likely to leave you alone.
Speaking with BetaKit, O’Brien shared his insights on how startups can put up more of a fight, making it so irritating for hackers to attack them that they move onto greener pastures.
Reverse your security thinking
The first thing people often think of when discussing security is making it harder for people to break in. This is great in theory, but in practice, there are always gaps. Prevention first is the wrong order of operations, at least when considering the threat of ransomware.
O’Brien said that most hackers will try to target what they believe to be the weakest link—individual employees—meaning that simply protecting the system from the outside (even with multi-factor authentication) doesn’t factor into account how hackers really behave.
That being said, multi-factor authentication is one of those prevention efforts the security leader would recommend prioritizing, given its relatively easy implementation and huge benefits. Once that’s done, instead of focusing on building stronger exterior defences, O’Brien recommended the following process:
Step 1: Reduce the likelihood you will have to pay a ransom
This is what O’Brien refers to as “assume breach and plan accordingly.” It’s about ensuring backups, recoveries, and network rebuild plans are solid so should the worst happen, business can continue as usual without needing to pay a ransom for your information back. O’Brien said this is similar to knowing that you can rebuild your house if a fire happens and ensuring that nothing is irreplaceable.
“Always assume something bad will happen,” said O’Brien.
Step 2: Limit the scope of damage
In a business context, O’Brien said this means limiting what people can access once they are in the system. For example, limiting employee access to only necessary systems, so even if a company gets hacked, the hacker would not get full network domain access. This gets more difficult as you get more senior or employees with varying purviews, but you can still mitigate through re-verification protocols or similar activities.
Step 3: Make it harder to get in
This is when the best practices around securing networks are important, such as multi-factor authentication, DDoS attack protection, cloud security, and firewall protection. These whole-system or whole-network protections add a blanket of additional security.
Find the right friction with your multi-factor authentication strategy
From an individual employee perspective, O’Brien said it’s all about adding friction through different security measures. However, a carte blanche approach ignores how humans actually behave.
“If we let people decide, they would remove all friction from their lives because who wants to deal with friction?” asked O’Brien.
Instead of relying on each individual employee to figure things out by themselves, business leaders can build programs to help. Here’s what O’Brien suggested:
Make passwords irrelevant
Password scams are some of the most common hacking techniques. For example, if your company uses biometrics or security keys for two-factor authentication, a hacker with a password can’t automatically get into the system.
Go fast both ways
A lot of startups delay focusing on security with the justification that it slows them down and their need to move quickly. O’Brien responded to this sentiment by saying go as fast as you want—just build recovery, backup, and security systems that can roll back as quickly as you move ahead.
“If you want to move fast, you have to be able to detect and roll back,” said O’Brien.
Automate your updates
Moving to an always-on network patch system will greatly improve security compared to manual patches that employees have to deploy (and will inevitably put off). O’Brien said that the only way to stay fully secure is to stay as close to the bleeding edge as possible, and real-time patches are a critical component of that.
Work with your employees (not against them)
People are often blamed as the breach point for hacks. But instead of trying to make employees subservient to process, O’Brien said leaders need to explain the reasoning behind security protocols so individuals can see how following them is helpful to their work, rather than a hindrance.
“It’s hard enough dealing with adversaries, we don’t want to create adversaries within the organization as well,” he added.
The key thing to remember, said O’Brien, is that unfortunately it’s not about how we feel. Humans may hate the friction of security measures, but it’s simply required.
“The adversaries don’t care how we feel. They don’t care that we’re annoyed.”
Fighting the commercialization of crime
Over the last 10-15 years, cybercrime has evolved rapidly to embrace what O’Brien calls the “commercialization of crime.” Hackers now have a business ecosystem not dissimilar to the (valid, positive) tech ecosystems in the world.
In a way, this evolution is a good thing. O’Brien said adversaries have bills to pay as well now, meaning that your approach to security should be less about completely keeping hackers out, which isn’t really possible, and more about making attacking you so irritating and time-consuming (and therefore costly) that hackers give up and move on.
“Anything we can do to make that cost more for them means they are going to be less interested in coming after your business or yourself as an individual,” O’Brien added.
Photo courtesy Unsplash.
