Multifactor authentication and end-user education emerged as the most common themes at a CISO forum with analysts held under Chatham House Rules in London.

Chief information security officers across a wide range of industry sectors agree on the importance of multifactor authentication (MFA) to extending desktop-level security controls to an increasingly mobile workforce, with several indicating that MFA is among their key projects for 2020 to protect against credential stuffing attacks.

In highly-targeted industry sectors, CISOs said two-factor authentication (2FA) was mandated at the very least for mobile access to corporate resources, with special focus on privileged account access, especially to key databases.

Asked what IT suppliers could do to make life easier for security leaders, CISOs said providing MFA with everything was top of the list, along with full single sign on (SSO) capability, with some security leaders implementing or considering MFA for customer/consumer access to accounts and services.

The pursuit of improved user experience along with more secure access, appears to have led some security leaders to standardise on Microsoft products and services that enable collaboration, MFA and SSO, reducing the reliance on username/password combinations alone for access control.

Training end users

End user security education and training is another key area of attention for security leaders to increase the likelihood that any gaps in security controls will be bridged by well-informed users.

However, there also a clear understanding that end users cannot be held responsible as a front line of defense, that there needs to be a zero-blame policy to encourage engagement and participation of end users in security, that end users need to be supported by appropriate security controls and effective incident detection and response processes, and that communication is essential to ensure end users understand the cyber threats to them at home and at work as well as the importance of each security control.

Supporting end users

CISOs are helping to protect end users by implementing browser protections and URL filtering to prevent access to malicious sites, and improving email defenses to protect users from spoofing, phishing and spam, and by introducing tools that make it easy to report suspected phishing and conducting regular phishing simulation exercises to keep end users vigilant.

The implementation of the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol designed to help ensure the authenticity of the sender’s identity is also being used by some CISOs to drive user awareness by highlighting emails from an external source.

Some security leaders believe there should be a special focus on board member and other senior executives in terms of anti-phishing training and awareness because while this group is likely to be most-often targeted by phishing and spear phishing attacks, they are less likely to be attuned to the dangers and the warning signs.

Some CISOs have also provided password managers to help end users choose and maintain strong, unique passwords, reducing the number of passwords that each person is required to remember.

Encouraging trends

It is encouraging that security leaders are focusing on better authentication by moving to MFA and that they understand the need to support end users, not only with security awareness and education, but the necessary security controls, processes and capabilities, including effective email and web filtering, network monitoring, incident detection and response, and patch management.

If you want to deep dive into this topic, be sure to read our Leadership Compass Consumer Authentication. For unlimited access to all our research, buy your KC PLUS susbscription here.

See also