2025 Cybersecurity Guidebook Chapter 6: The Importance of MFA
Our partner and Chief Information Officer, Sarah Ellis, sat down to discuss why MFA is important. The conversation has been lightly edited. You can read a summary below or watch the video here: https://youtu.be/wjPRV3O4_sI
Trey: We are so close to finishing our cybersecurity guidebook for 2025. This week we are talking about multi-factor authentication, what it is, and its importance. Sarah, can you share more about MFA and everything that has to do with that?
Sarah: Well, first off, I think it's fair to acknowledge what a pain in the **** MFA can be. This is one of the most frequent complaints I get from clients who've never used it before or are having it deployed to more and more of their products, and I hear that. I think the transition to MFA has been a bit painful for a lot of people who are used to just immediately having access to their things. I think it reflects how much easier it's gotten for hackers and bad actors to get to our things as well. The discomfort of having to approve a login attempt or enter a code is far, far less than the discomfort of being compromised.
I want to talk about how multifactor works. When we think of multifactor, we think of “OK. Well, I tried to log in and I got emailed a code that I then have to enter in.” It can work that way, but it can also work with an app on your phone, something like Authenticator or Duo, or a handheld fob, but the point is you have something you know, which is your password, and something you have, which would be your physical device, an app, your e-mail address, your phone number, something like that. Typically the most secure two-factor systems are going to be something like Duo, which is what we use because the something you have is your physical phone. So for example, if someone were to steal your SIM information, they wouldn't be able to impersonate you because they cannot steal the information.
Microsoft released a report back in 2019 that determined that 99.9% of ransomware attacks would have been prevented that year with multi-factor. It makes total sense, right? Your password information is everywhere; you may as well just admit to yourself that it's out there somewhere. It doesn't matter how complex it is. Companies everywhere are getting breached left and right. A good way to check which ones you know have at least admitted to it is by going to ihavebeenpwned.com which will list all the companies that have self-reported. People will even purchase your information and create bots that will go around to enter it into all these different websites, accounts, and anything that might be associated with your email. When it hits, they’ve hit the jackpot because they paid $10 for a list of 10,000 passwords. That is almost entirely how these hacks happen. This isn’t a Mission Impossible, you know, targeted approach. If they can’t get in on multi-factor, they’re almost always going to move on.
Trey: One thing that Dustin talks about frequently with MFA is when you park your car in your driveway, and it's 3:00 AM, people are coming down the street, breaking into car doors. They're not going to break into the one who has the floodlight and the dog barking and all that stuff, they're going to break into the car on the side of the road, in the dark, the door's unlocked, that has the laptop in the seat. You know, just make yourself hard enough and MFA is the one thing that does just that.
Sarah: Yep, it's like having a good lock on your bike. I mean, is it possible? Sure, if you really, really wanted to. There are ways around it, but 99.99% of the time this is going to prevent a big attack. Wrapped up, MFA is the most important thing you can do to prevent ransomware and prevent absolute misery. It is even for your own personal e-mail. Your MSP should have a sophisticated system. But take 10 minutes to do it. I promise it is just such a better alternative to being hacked.
Trey: Thanks, Sarah! Clear Guidance Partners would love to be a resource for your firm if you need help figuring out the whole world of MFA.