Staying ahead of cyberthreats is a constant challenge for most organisations, and it’s why government agencies continuously update their guidelines and requirements.
The Australian Signals Directorate (ASD) recently updated the Essential Eight, its list of the eight mitigation strategies it rates most effective against the most frequent and highest-impact cyberattacks, with new requirements for multi-factor authentication (MFA) to help in the ongoing battle against threat actors.
While many government organisations are required to align with the Essential Eight, the updates should not be viewed as a government-only, tick-the-box compliance exercise. They are an opportunity for any organisation to strengthen its security programme by adopting the same controls.
One of the key changes is the new requirement for organisations to use phishing-resistant MFA, such as FIDO2 authenticators. This is a pivotal change and significantly raises organisations' defences against the most prevalent threat, phishing. The IBM Security Cost of a Data Breach Report 2023 found phishing to be the most common initial attack vector and the second most costly: breaches that began with phishing cost an average of USD 4.76 million.
Given the frequency and impact of phishing, RSA strongly supports the Australian Cyber Security Centre (ACSC) and ASD in making phishing-resistant MFA a requirement for reaching Maturity Level 2, with the end goal of reducing risk to organisations.
FIDO2 is an open authentication standard from the FIDO Alliance and the W3C that makes logging in to websites both more secure and more convenient. Instead of sending a password, the user proves possession of a private key held by an authenticator: a hardware security key, a phone, or a platform authenticator built into a laptop. A fingerprint or PIN only unlocks that authenticator locally; the website never receives it. Each key pair is created for, and bound to, the website's domain, so a look-alike phishing site cannot obtain a login it can reuse, and the website stores only a public key, so a breach of its database yields nothing an attacker can replay.
FIDO2 has two parts: the Client to Authenticator Protocol (CTAP), which lets a browser or operating system talk to an external authenticator over USB, NFC or Bluetooth, and the W3C Web Authentication API (WebAuthn), which exposes registration and login to web applications in browsers such as Chrome, Edge, Firefox and Safari. Together they make the process user-friendly without weakening it.
FIDO2 also enables organisations to phase out passwords across their infrastructure. 'Going passwordless' has long been a rallying cry, yet despite the clear security and usability benefits of FIDO2, adoption in Australia has been very low. A large part of the reason is that legacy infrastructure and applications do not support the FIDO2 protocols, which creates a significant technical and financial barrier to wider adoption. These older systems still rely on earlier MFA methods such as one-time passwords (OTP), which a phishing site can simply collect from the user and relay to the real service within the code's validity window.
To get the most out of previous investments, meet the updated Essential Eight requirements and improve their overall posture, organisations should look for solutions that provide both FIDO2 and OTP from one platform, as unobtrusively as possible, so that phishing-resistant MFA can be rolled out wherever it is supported while legacy systems remain covered.
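The contrast drawn in the two passages above, OTP being relayable while a FIDO2 login is bound to the site, is easier to see in code. The following is an added example written for this article, not code from RSA, the ASD or the FIDO Alliance. It assumes an RFC 6238 TOTP (HMAC-SHA1, 30-second step, using the RFC's own published test secret so the digits can be checked against the RFC's vectors) and a simplified model of the WebAuthn relying-party checks: challenge freshness, origin, rpIdHash and signature counter. The relying party `bank.example` and the phishing site `bank-example.evil` are hypothetical, and a per-credential HMAC key stands in for the authenticator's asymmetric key pair so that the script runs with only the Python standard library; the binding checks are the point, not the signature algorithm.

```python
"""
Added example, not code from the original article: why a TOTP code survives
a phishing relay while a FIDO2/WebAuthn assertion does not.

Assumptions (mine, not stated on the page):
  * TOTP follows RFC 6238 (HMAC-SHA1, 30 s step) with the RFC's test secret.
  * The WebAuthn part models the relying-party (RP) checks of the W3C spec.
    A per-credential HMAC key stands in for the authenticator's asymmetric
    key pair so only the standard library is needed.
  * bank.example / bank-example.evil are hypothetical domains.
"""
import base64, hashlib, hmac, json, secrets, struct

# ---------- TOTP (RFC 6238) ----------
RFC_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test secret

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_server_accepts(secret: bytes, code: str, now: int, skew: int = 1) -> bool:
    """The server sees only the digits and the clock. Nothing ties the code to the
    site the user typed it into, so a phishing page can forward it verbatim."""
    return any(hmac.compare_digest(totp(secret, now + d * 30), code)
               for d in range(-skew, skew + 1))

def relayed_totp_succeeds(now: int) -> bool:
    captured = totp(RFC_SECRET, now)          # victim typed it into the phishing page
    return totp_server_accepts(RFC_SECRET, captured, now)

# ---------- FIDO2 / WebAuthn-style assertion ----------
RP_ID = "bank.example"                        # hypothetical relying party
RP_ORIGIN = "https://bank.example"

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

class Authenticator:
    """Toy authenticator: one credential, scoped to the rpId it was registered under."""
    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.key = secrets.token_bytes(32)    # stand-in for the credential private key
        self.sign_count = 0

    def get_assertion(self, rp_id: str, client_data_json: bytes) -> dict:
        if rp_id != self.rp_id:               # no credential exists for a foreign rpId
            raise ValueError("no credential for rpId " + rp_id)
        self.sign_count += 1
        auth_data = (hashlib.sha256(rp_id.encode()).digest()     # rpIdHash
                     + b"\x01"                                     # flags: user present
                     + struct.pack(">I", self.sign_count))         # signature counter
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        return {"authenticatorData": auth_data, "clientDataJSON": client_data_json,
                "signature": hmac.new(self.key, to_sign, hashlib.sha256).digest()}

def browser_client_data(origin: str, challenge: bytes) -> bytes:
    """The browser, not page script, writes the origin it is actually running on."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def rp_verify(cred_key: bytes, challenge: bytes, a: dict, stored_count: int) -> bool:
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get": return False
    if cd.get("challenge") != b64url(challenge): return False          # freshness
    if cd.get("origin") != RP_ORIGIN: return False                     # origin binding
    ad = a["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest(): return False  # rpIdHash
    if struct.unpack(">I", ad[33:37])[0] <= stored_count: return False   # clone/replay
    to_sign = ad + hashlib.sha256(a["clientDataJSON"]).digest()
    return hmac.compare_digest(hmac.new(cred_key, to_sign, hashlib.sha256).digest(),
                               a["signature"])

def legitimate_login() -> bool:
    authn = Authenticator(RP_ID)
    cred_key, stored_count = authn.key, 0     # what the RP kept at registration
    challenge = secrets.token_bytes(32)
    assertion = authn.get_assertion(RP_ID, browser_client_data(RP_ORIGIN, challenge))
    return rp_verify(cred_key, challenge, assertion, stored_count)

def phishing_relay() -> str:
    """Attacker on https://bank-example.evil relays the real RP's challenge to the victim."""
    authn = Authenticator(RP_ID)
    cred_key = authn.key
    challenge = secrets.token_bytes(32)       # fetched from the real RP by the attacker
    phish = "https://bank-example.evil"
    # 1. The browser derives the rpId from the page origin; no credential exists for it.
    try:
        authn.get_assertion("bank-example.evil", browser_client_data(phish, challenge))
        return "unexpected"
    except ValueError:
        pass
    # 2. Even if a signature for the real rpId could be coaxed out, clientDataJSON still
    #    carries the phishing origin, so the RP's origin check rejects it.
    forged = authn.get_assertion(RP_ID, browser_client_data(phish, challenge))
    return "rejected" if not rp_verify(cred_key, challenge, forged, 0) else "accepted"
```

`relayed_totp_succeeds` returns true at any time value, which is the whole problem with OTP in a phishing scenario: the server has no way to know where the digits were typed. `phishing_relay` stops at two independent points, the browser's rpId scoping and the relying party's origin check, and a real implementation would additionally verify the asymmetric signature with the stored public key and persist the signature counter to detect cloned authenticators.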
The Essential Eight Maturity Model does not count a biometric (say, a fingerprint on your phone) as an authentication factor in its own right at any maturity level; a fingerprint or face may unlock a possessed authenticator such as a FIDO2 key, but it is not itself one of the factors. Review any requirement to use this type of technology for privileged access, and never use a biometric as the sole means of granting access.
Voice recognition is another biometric approach, where the user is challenged to speak in order to gain access. Today's generative AI tools can clone a voice from a small sample, and the results are very convincing: the Verizon 2023 Mobile Security Index reports that "seven words can be enough of a sample to create a believable impersonation of an individual's voice."
In light of this, it is fair to say that voice recognition is, in effect, a dead technology for authentication. The Essential Eight biometric updates underscore why organisations must watch fast-moving developments in generative AI and their effect on identity and security. Remain vigilant!
Embracing these changes requires strategic planning and execution. A first step is aligning budget and resource allocations. Integrating more sophisticated MFA may demand significant upfront resources, but it is a long-term investment in the organisation's overall digital security. When something is free, you are always getting what you paid for.
Employee engagement is also critical. The effectiveness of new security measures largely depends on user understanding and ‘buy in’. Providing training and continuously fostering a culture of cybersecurity awareness will facilitate a smooth transition to new authentication methods.
We have seen organisations win faster acceptance from employees by involving them in the transition and giving them new resources rather than imposing the change on them. Self-service enrolment that lets users choose from several equivalent MFA methods helps here.
Equally important, cybersecurity must be balanced with operational efficiency. MFA should not hinder the user experience or business operations, and striking the right balance between stringent controls and usability can be tricky, yet it is key to successful adoption. Be mindful of legacy systems too: select a provider that can protect ageing resources as well as the cutting edge.
The updated Essential Eight guidelines underscore the importance of risk management. Implementing a robust MFA solution reduces the likelihood of unauthorised access and thus potential data breaches. By extension, these measures greatly reduce the overall risk to digital infrastructure.
That is why we urge all organisations to treat the revised Essential Eight MFA guidelines as much more than a compliance requirement for government organisations and their affiliates, and instead see them for what they are: a strategic path to fortify any organisation against cyber threats.