Employers can spend a lot of time interviewing candidates to work for their company. Certainly, the candidate needs to have the right skills. They need to be able to work with others on the team and serve customers well. But then there is a question that the interviewer is always asking themselves after an interviewee that shows all the right signs of being a great employee: Do I trust them?
What do I mean by “Do I trust them”? Do I give them access to our building? Do I give them access to our internal confidential information? Do I let them represent our company to our clients? Ultimately, am I willing to take a risk on this person and potentially make my business vulnerable in hopes that they will add value to the organization?
Those are big questions. Those are the gut call moments before deciding to extend an offer of employment. But once you’ve chosen employees you trust, how do you protect their identities? How is trust managed day to day for your employees?
Trust in the IT realm is different.
Your technology doesn’t make “gut calls”. Most systems are traditionally set up with username and password authentication. If the entered username and password are correct, the system believes the individual has verified that they are who they say they are.
All of the resources and access you trust that employee with are at the disposal of the person that put in the username and password. Even if they are not actually the person that the username and password belong to.
This is not a pleasant thought, and many avoid thinking about it. But what if what have you trusted them with that can be exploited…by someone else?
User identities & trust can be exploited.
You may have worked with “John” for 30 years and you know the likelihood that he’ll turn on you is less than 1%. You see an email from him, recognize his name, and your guard is lowered because you trust him.
However, what if by mistake John fell for a phishing scam? What if his password was compromised through keylogging, a brute force attack, or a captured password hash? Now, all the resources of your trusted employee are in the hands of someone you do not trust. The attacker has access to the files and information – which is bad enough. But they also have your employee’s good reputation, which in some cases is more valuable than the data. A successfully entered username and password does not carry the trust of the employee if their account is compromised.
Verify & protect your digital identity with MFA.
I believe we underestimate the value of our digital identity. Because of that, we underestimate the value of verifying and protecting that identity.
Multi-factor authentication (MFA) can be implemented very cheaply and provides a dramatic increase in identity protection. In most cases it is set up for a user to enter their username, password, and a third piece of information. Before they are granted access, they need to approve the login from an app on their phone, or enter a code from a text message sent to them.
To be honest, it is not difficult to get a user’s password if someone wants it. It is much more difficult to get that password and hijack their multi-factor authentication approval.
Having MFA does not eliminate the risk of identity hijacking, but it does greatly reduce it. Yes, it causes a minor inconvenience for employees, but as we weigh this risk, it is worth it. It’s especially worth it for systems that are accessible from anywhere in the world.
Trust your employees, but verify their identities in your systems.
Reach out today if you are not utilizing MFA on your publicly accessible systems. Let us help you protect your digital identity!
