Novia allows Multi-Factor Authentication at Login: Our Reasons Explained
- Author : Novia Financial
- Date : 25 Aug 2021
The scale and sophistication of Cyber Security threats have continued to grow during the pandemic at an unprecedented rate. Law enforcement agencies advise that reported ransomware incidents have tripled over the past year, while in the UK Financial Services sector in the same period an estimated 65-70% of businesses have experienced some form of Cyber Attack.
With the dust not yet settled from the SolarWinds and Hafnium incidents, an increasing number of other businesses are reporting breaches of their defences:
- Fujifilm, Bose, Royal Dutch Shell, VW Audi, and AXA have all reported attacks.
- It appears that LinkedIn has recently been exploited and details from 700 million customer profiles have been harvested from the platform.
- The Colonial Pipeline Cyber Attack made headlines and caused perhaps the most material and tangible impact. The attack closed a fuel distribution network supplying 45% of the U.S. East Coast’s supply of diesel, petrol, and jet fuel. Distribution was shut down for days, prompting Presidential intervention, major fuel shortages, and a spike in fuel prices to their highest level since 2014. Colonial paid a ransom of £3.1m to the responsible hacking group, to recover their systems and resume normal operation.
In the current operating environment, organisations across all sectors are facing an elevated level of threat from Cyber Attack, prompting most to review and strengthen controls to combat unauthorised access to information assets and prevent the introduction of malware to IT systems.
At Novia we’re more committed than ever to improving the protection that covers our services. As part of a new initiative, we have now made Multi-Factor Authentication (MFA) available to improve controls for accessing the sensitive client data held in Adviser Zone.
Historically, access to IT resources has typically been controlled with Single-Factor Authentication (SFA), where a user identifies themselves to the system with a unique username and then authenticates this identity with a single factor – typically a password – that has been set for the account.
This common method of access control is increasingly vulnerable to Cyber Attacks. Such attacks are typically enabled where SFA controlling access for an authorised user within the business is compromised, either by the unintentional disclosure or the theft of these credentials through a Phishing attack, or by more sophisticated forms of capture or forgery.
One of the most powerful ways to combat this threat is to enable MFA to protect access to IT resources. Under MFA, users are still required to identify themselves with a username, but they must also provide multiple factors to authenticate the identity. The factors can be:
- Something the user knows, such as a password or PIN number
- Something the user has, such as a one-time-password, a token, or a physical device
- Something that is inherent to the user, such as a biometric signature like a fingerprint
When operating MFA, even if the username and password are compromised by an unauthorised individual, they cannot gain access unless they also possess the far more secure additional factor.
Initially, rather than making it mandatory, we have provided MFA as an option for improving the protection of your access to the sensitive client data held within Adviser Zone. Given the obvious benefits of MFA in terms of risk mitigation, why don’t we just make it mandatory, turn it on for every service and eradicate the problem? Well, we recognise that there are naturally some pre-requisites for the adoption of MFA in a business, and each Executive may like to consider the likelihood and impact of a successful Cyber Attack on their business, and the cost vs. benefit equation for adding an additional layer of protection to their operating environment.
Reducing Cost and Friction
Stronger controls will inevitably add a degree of both friction and cost to a process, but in the current operating environment the integrity of information security needs to be taken very seriously. Successful businesses in the UK Financial Service sector have had to become adept at ensuring that the additional controls required to enforce regulatory change – or that enhance the appeal of a product service proposition – deliver value. Given the adverse impact that a data breach has on trust between the business and its clients, ensuring that prudent, appropriate, and proportionate information security controls are put in place, tested, and maintained is an undeniable imperative.
We believe that the most flexible and frictionless MFA experience is provided by an App such as Microsoft Authenticator or Google Authenticator running on a mobile phone, and we have adopted this approach for our first deployment on Adviser Zone. In terms of process overhead, using the current crop of authenticator apps is intuitive and quick. The use of mobile phones in the UK workforce is extremely high and there are flexible options for the provisioning model to suit your culture and business model such as Bring Your Own Device, Corporately Owned/Personally Enabled or combinations of both. As a result of competition and commoditisation in the market, the costs for procurement, operation and management of a mobile phone estate are modest and the logistics of rolling them out are relatively straightforward.
Operational change generates useful feedback to inform implementation, so it’s a good idea to run a proof-of-concept exercise with a small group of staff with some clear criteria for assessing if the practical impacts and outcomes are aligned with appetite in terms of both cost to serve and risk mitigation.
Might there be some cultural resistance to having perceived “corporate” apps on personal devices? It is likely that this issue, like any other in a business, will see a spectrum of responses from colleagues ranging from the enthusiastic, through the ambivalent, to a minority who are initially opposed, based on practical and emotional issues.
Where practical reasons impede adoption of MFA, there are a range of pragmatic solutions that can be deployed by the business to mitigate them, be that the provisioning of compliant handsets or servicing the cost of operation. These legitimate concerns and constraints can typically be addressed by a straightforward, mutually agreeable solution, at modest cost.
The more challenging issue to address is where the resistance is largely emotional. The first course of action here must be to ensure at the outset that colleagues are well supported and provided with accurate information and that a defined period is set aside for them to engage rationally with the facts of the matter.
To assist in this consideration there are perhaps two key points to emphasise:
- The threat of Cyber Attack is not exclusively a corporate issue. As individuals we increasingly use personal computing devices to consume a wide range of personal services that are delivered to us through website applications and mobile apps. However, the reality is that most individuals do not have the Information Security awareness or the technical skills to protect their use of personal equipment, nor do they benefit from the support of a dedicated IT department to manage, monitor, and secure it on their behalf. As such, individuals are often more vulnerable to Cyber Attack than the businesses they work for. Given that people tend to use similar passwords for both personal and corporate accounts, we know that when threat actors capture credentials and intelligence about individuals, they will attempt to exploit an individual’s personal and corporate accounts. The tools that Novia has adopted to protect Adviser Zone are equally adept at protecting an individual when using their personal accounts on Amazon, Facebook, Twitter, their email provider etc. Given the risks of a personal exploit impacting the same individual’s use of corporate IT, and vice versa, colleagues should be made aware of the threats and risks that are present and encouraged to adopt appropriate segregation of passwords and to use MFA to strengthen access controls for both their personal and corporate use of equipment and services.
- Both as a business – and as employees working within that business – we all make a commitment to protecting the client when they retain our professional services, and when we accept employment within the business. The most material threat to the security of client information in our custody is often not the external hacker; it’s a weakness in the awareness, behaviour, or activity of colleagues within the business that is frequently the root cause of a Cyber Attack. As such there must be an expectation that we will all take reasonable steps to defend clients against the threat of unauthorised access to IT systems, and the sensitive information held within them. Assuming that a business is not making unreasonable demands of employees e.g. by way of offloading corporate costs to the employee or by mandating policy or action that compromises individual or employee rights, then it is reasonable to expect employees to support the introduction of controls that protect the client, the Business and the Employee.
Given the escalating incidence, threat and impact of successful Cyber Attacks, our view is that Multi-Factor Authentication is a powerful tool that will help to better defend your business.
We believe that the benefits of deployment increasingly outweigh the challenges and that it will help us honour commitments to protect clients, while also helping us to effectively fulfil our statutory and regulatory obligations.
One thought to leave you with: based on reported information from credible sources, our understanding is that the Colonial Pipeline attackers gained access to that infrastructure by compromising the SFA protecting a remote Virtual Private Network connection into their infrastructure.
- Our understanding is that MFA was not enabled for that network connection.
- Had MFA been enabled, it is unlikely that unauthorised access could have been gained through that connection.
Threat Actors are extremely capable, determined, and relentless, and it is entirely possible that another weakness in access controls could have been discovered, exploited, and the same outcomes might well have occurred.
But it is equally possible that enabling MFA could have been enough to keep the attackers at bay and avert the adverse impacts that followed.
The SolarWinds and Hafnium incidents and the attacks that followed all serve to illustrate the point that even in the most mature, well-defended and well-maintained environments, unknown vulnerabilities are present that can be exploited by external attackers with malicious intent.
By improving staff training and awareness of the threat, and layering information security defences, defence can be built in depth around the business that can mitigate (but not totally eliminate) the risk of a successful Cyber Attack through the failure of a single control or layer of defence.
Where it is available, enabling MFA is a powerful ally and a key part of that strategy.
If you have any questions regarding MFA and how to enable it to protect your access to Adviser Zone, then please contact us at email@example.com