Why Many MFA Programs Fail Strong Authentication Cyber Insurance Criteria - And What to do About It.

Thank you for the kind introduction. I'm really glad to be here. I listened to the previous sessions and those that are online and have a subscription and you missed the morning. This is worthwhile watching and I will reinforce some of it.

So, you know, some of the things converge, but before I dive into this, why a long title? Why many M F A programs Fail Strong Authentication Cyber Insurance Criteria and what to do about it? And actually, I'm speaking for Secure Double Octopus and we have a solution for M F A. We'll come to that later. This is not intended to be a sales pitch, but there is a little bit of a messaging in there. Before we do that, let me share something about myself. I love technology. I really do. I'm in this industry for a long time and I believe that every technology has a peak time.

And so some of you may remember, if I look at, you know, some of the gray hairs here, there was a device called Palm Pilot. So the Palm Pilot, for those that don't know, was almost like a phone. It wasn't a phone, but it was one of the first handwriting recognition devices. And I had one of course because I love technology and it had a stylist and it should recognize your handwriting, but it didn't. It told the user how to write. That's not exactly what I mean with good technology.

Now, today, if we fast forward to today, everyone has a, has a tablet with a stylist or with your finger, you write, the outcome is nearly perfect. It's a technology that you use every day. Now there's other things, you know, I, I also hate when computers ask me to tell the computer whether I'm a human or not. And you know, if, if you think you don't, every one of you has clicked on the box. I'm not a robot.

And if the that is not good enough, you get this stupid picture memory where you have to figure out the pedestrian way the fire had ran and you are on a small screen, you can't really see it. And then you start all over. What an annoying piece of technology now, passwords.

Yeah, you know, I thought everyone hates passwords. Now during the last four days, I come to learn that there's actually people that resist change and love passwords.

Still, we gotta do away with them in almost everywhere. Yeah, but there was a time when the password was great. I still remember the first email. You have an email address, you have a password, two years later you have two email addresses. Great. Now I have two passwords. That was still cool, right? Then fast forward a few years, you have 50 passwords, 80 passwords, north of a hundred passwords. Every one of us has these days. Humans are not good in managing passwords. Give it to the computer to manage the secret that don't do it as a human being. Right?

And of course we've talked and seen slides and I have some of it later on as well. The threat landscape increased over time and as the threat landscape increased, people had a great idea. We gotta make this thing more secure. So people came up with what is called MFA now. Great. On top of your a hundred passwords, now you have an authentic character app or a token or whatever, and you have to copy the number, not misty it, but then it changes and you have to, you, you, you missed the last digit, you'll start all over again. So that's bad technology.

And if we look at the next slide, we did a study, you can download it from our website. We surveyed several hundred enterprise organizations. North of a thousand employees, only 16% of the organizations enforce MFA across the board. Those are the ones that have not just clicked the cyber insurance policy requirements document. All the others don't. You can see the distribution. Now the good thing is in large organizations, there's no organization. We didn't find one that didn't use mfa, at least in one instance, right? But on the other hand, the bad guy only needs one door to go through.

And if you look at that, it's, you know, it's not a big surprise, but on-prem is less protected than the cloud. But yeah, most of the on-prem stuff, the reason it's still on-prem, it hasn't moved to the cloud is because it can't, most of the time the business can get rid of these applications. So don't lie to yourself.

I'm, you know, when I talk to prospects and customers, my first question is, you have a strategy to move to the cloud. And they look at me, what an idiot, of course I do. The next question is, when will you be done? And it becomes a semi-permanent stage. So you have this hybrid environment, you better deal with it if you're gonna get rid of it within the next six months. And you gotta find a solution that doesn't take you five years to implement either, because you may have been hit a few times in between now. So on-prem then you know, max are popular.

And you, again, you don't need to have all max, but if you have some max, you gotta fix them. Linux is also less protected.

And then, you know, I've, I like technology, but not bad technology. So two-thirds of the people don't like mfa. And then I found this more recently in my first trials in chat G P T, most passwords that are used can be cracked within a minute or less.

So yeah, the threat is real and it costs, and we are here in Berlin. So you know, the chairman bond, this has been breached. We have the colonial pipeline, we've had other stories earlier in the morning. Every industry has been breached. And I found a number for the chairman market. So there have been north of 80 known bridges in 2022 in Germany alone of larger organizations.

Now, 80 doesn't sound much, but if you know, you probably know what 10, 20% of the bridge is. So there is a bridge left to you and right to you every day. And it costs money.

You know, not everyone costs 10 million, but that's the average. It's, it's approaching the 10 million benchmark cost for a breach. Almost all of them go back to weeks stolen, missed credentials.

So 82%, that's the Verizon Bridge report from last year. Go back to these credentials.

So if you, and there's a lot of things you need to do for cyber insurance, but if you want to protect yourself for the bad guy to get in easily, applying strong access is a key to success. And so if you have, if you, the fewer holes you have, ideally no holes, the better off you are. And so here is, I've posted this on LinkedIn earlier today, so I know some people are here because of that.

And I, let me show that share with you a little fable, right? And on during the summer, the grasshopper is enjoying life. Life is great. He's having a bite to eat here, a bite tweet there, a sip to drink, playing music, listening to music, enjoying life. The aunt also enjoys life. But there is a certain bandwidth of the day that the aunt dedicates to build a shelter and to collect some food for the times when they're not so great.

And one day the first snow hits, there's a big snowstorm and the aunt sits in his shelter and has it by to eat and wait the storm, while the grasshopper is freaking out, he doesn't know what to do, he's freezing, he doesn't have anything to eat, he doesn't know whether it's gonna survive or not. And so the lesson from this little fable here is you don't know when they bat guys hit you, but you better are prepared. And I've heard this message in the morning as well, you know, you should start now. You should not wait until the board tells you you need to get cyber insurance.

Three weeks later you have the insurance broker showing out the, your doorstep, oh shit, I have this list to do. It's 50 pages. Start now and do the right things. And you know, there's things that I learned some this morning, this is an incomplete list, but the actual coverage vary. And for the purpose of my discussion, it's not so important what the insurance can cover. And I learned there's a lot of, you know, like every insurance, you get it easily when you don't need it, but if you need it, it's hard to get or expensive. But there's other things that insurance doesn't cover.

You know, if you look, we start at the bottom of the list, exhausted and stressed employees, you know that, that organizations suffer from that, right? Then you have the negative PR and you have a damage to your brand now that you can fix with some money that you get from the insurance or not. But then there is trust. Trust with your customers, trust with your employees, trust with your business partners.

And yeah, you can't walk up, dear John, I'd like to buy some trust. Here's a thousand dollars. It doesn't work like that, right? So you have to earn trust. If you lost it, it takes a long time to rebuild it. It may vary from culture to culture, but it, it's not something you can buy. So you know, you better do the right thing. And this is, you know, I couldn't come up with a a better picture. But you need to find a balanced approach.

Yes, qualify for cyber insurance. Meet the criteria, be truthful and honest and get it, but do the right thing for the organization as well. You have to reduce the risk. And reducing the risk surface is close to my heart. It's strong mfa, passwordless, MFA for everyone in the organization and for every account. But also increase the resilience. Be able to respond and prepare for that what you never want to happen. But don't close your eyes and don't do it. So if the mandate is for strong mfa, I'm preaching Passwordless mfa. So why should you do that?

So first of all, if there is no password, you slash the attack surface quite a bit. 82%. Go back to that. You also minimize human error. And that's, you know, the other topic I talked about in the beginning of my speech, the BBC found out that with, you know, historic classic mfa, people spend up to 5% of their time to get to what they, where they need to get to to do their work. That's painful. That's not good. It's cumbersome to use and you know, if you have to retype and it also puts your mind away from what you were doing. So you lose even more time.

And yes, on the wayside, if you do it, you meet the cyber insurance criteria and the stuff pays for itself because your employees are more productive, you're less susceptible to a cyber attack. And if you don't have passwords anymore that the users manage, you free up a lot of IT resources. If you don't have to manage passwords, you know, you can't lock out your CEO or your half your sales team because they don't rotate the password. You have to run after them. And you know, these resources could do much better things.

And of course the goal is here to have a consistent use for all users on all end points and all use cases. And this is just a quick video. It just takes a few seconds. You just basically don't have a password, you just enter your username, you get a push message on your phone, you accept it and you're locked in. And that's it. And we'll see the single sign on Porwal coming up in a second. And this works for pretty much every directory.

You know, any L directory for truck, Okta, any Microsoft incarnations, even legacy Oracle directories, whatever. So when people speak about password list, what do they mean? What do they talk about? Most of the time people talk about this portion. There's a great solution. Fighter two works on web applications, works on mobile applications. That's also what is known as Siam. And it's a non-negligible part in an IT organization. But there's other stuff.

You have your workstations, they can be Windows, they can be Mac, then you have some legacy VPN stuff that's not built for mfa, but you gotta protect it somehow. You have server accounts, you have remote virtual desktops, you may have a lot of stuff in your organization all the way to applications that have their own user repository and aesthetic database. And so there is, you know, besides the solution that we have, there's just very few organizations that really have as a focus for their MFA solution, the passwordless enterprise as we say it.

And there is others that require you to p put up a PKI infrastructure and stuff and it covers some of it, but there is always the risk that you have some red alert areas that are not protected. So the way our platform works is, first of all it's phishing resistance. So we have a key in the server, in the workstation and on the resource the user wants to access. So if the keys don't match because it's a man in the middle website, you can't log in, it doesn't work. And so that, that is working with Phyto keys or with an authenticator app or or various ways.

And then on these applications, the way we do it, if it's a sample single Signy on it got assemble token, yeah it's a modern technology, we apply it.

But if it's VPN or if it's a Linux account, we use our Radius capability to trigger a passwordless MFA access for those resources and for those applications that don't understand anything but a password, it could be a mainframe that loves his eight digit password, then to that application or to that mainframe, we are able to provide the password but then manage it on the behalf of the users or the user doesn't know it and it can be rotated after every session or never or anything in between, whatever you like, right?

And so that way, yeah, there is a password somewhere deep down almost like a palm solution, but it's, you know, it's not as, it is not sacrificing security. It's actually a big leap step forward. Now if you can get rid of that application, repla, replace it with a sample capable solution, we're all for it. We love that too, right? But this is the solution that should get you a lot closer to be compliant with cyber insurance. Among all the other good things that I've talked earlier and, and my predecessors have talked about. So I have a sales role.

So I don't believe that I, I I don't ask you to believe me, I wanted to say that way. But there is proof, you know, on our website you can find organizations that have successfully implemented, you see a big bank here in the middle. We also have a US manufacturing slash defense slash space conglomerate deployments of north of a hundred thousand users organizations spanning more than 40 countries, but also smaller organizations, universities, education, small FinTech companies. And then my friend here, Chen, a colleague of mine, he did a great video.

It's on our website, please have a look at it. The title is Passwordless MFA in an hour or less. Now granted, you will not move your entire organization within hour, also not within days, but also it will not take you months and years to do it. And you can start it now and don't be a grasshopper, be an aunt. That's one of the takeaways that I wanted to, to take, take select technology that are easy.

Not just because I love technology, but if you have a bad process, people will find a bypass to it who hasn't recycled passwords until someone came up with a bad program that doesn't allow you the last password anymore when you have to change it. So people will find alternate processes if it's not good usability. And then of course, you know, you have to figure out to select a solution that can cover you where you need coverage. And that requires an assessment.

Most organizations know the big spot, but if you don't do an assessment by all means, and then select a solution that gets you to the end point. You don't have to run there in one day, but if you select something that covers you half the way, then you either have another migration project or you have what I call, you know, you know, picture memory, this puzzles, you have 25 pieces to have the complete picture. But if you select the wrong solution, what you end up with is 22 pieces of a 25 puzzle. But even these 22 pieces are not from the same picture.

And so I, I just leave you with that thought and yeah, thank you. And if there are any questions, happy to Thank you Garrett. We can Have one question. Thank you Garrett. Is there any question here in the room? Alright. Yes please. Just one. Well thanks for the presentation. Can you also deal with service accounts that are logged in automatically by scripts or applications without any human interaction? There is a limit to what we can do on service accounts. We can do admin accounts, we can do server accounts everywhere where there's a human behind it on the other accounts.

Yeah, there is the question, do you lock down the ports? Do you segment your network?

Yeah, we are not complete. We cannot, you cannot rotate a password and put a second factor on it.

We can, you know, you can, you can't do that. So you, you need to find a different way of, of protecting that.

Okay, Thank you so much. Please join me with another applause from J Thank you so much. Very.