CISA Step 1-Deploying Multi-factor Authentication (MFA)

October 13th, 2023
CISA Step 1-Deploying Multi-factor Authentication (MFA)

As we mentioned in our last bulletin, in January 2023 CISA published a report “Partnering to SafeGuard K-12 Organizations from Cybersecurity Threats”. In that report, CISA suggested that schools start their Cybersecurity journey by implementing six of the Highest-priority security measures.

  • deploying multifactor authentication (MFA)
  • mitigating known exploited vulnerabilities (patching)
  • implementing and testing backups
  • minimizing exposure to common attack
  • regularly exercising an incident response plan
  • implementing a strong cybersecurity training program

Today’s bulletin will talk about step 1 – Multifactor Authentication (MFA). MFA is a layered approach to securing online accounts and the data they contain. When you require a combination of two or more authenticators you are significantly less likely to be hacked. Why? Even if one factor (such as a user password) becomes compromised, unauthorized users will be unable to bypass the second authentication requirement, ultimately stopping them from gaining access to your accounts.

When we talk about two or more authenticators, what are we talking about? Authenticators can be: Something you know (like a password or PIN), Something you have (like an authentication app or a confirmation text on your phone), or Something you are (a fingerprint of face scan). You have probably experienced MFA on at least one of the systems you access either professionally or personally.

A joint study by Google, New York University, and the University of California San Diego found that using MFA can block up to 100% of automated bots, 99% of bulk phishing attacks, and roughly 66% of targeted attacks. Microsoft and the FBI have said that approximately 99% of the attacks are thwarted by implementing MFA.

Not only is this one of CISA’s top six recommendations, but your district auditors and the NYS Comptroller’s Office technology auditors are most likely talking to you about your MFA strategies and beginning to cite you in their reports for not having a comprehensive plan. (If they aren’t yet, they probably will be very soon)

Cyber insurance carriers for many school districts have also been requesting an MFA plan before renewing districts’ cyber insurance. Without one it could be possible that you will be unable to renew your existing insurance at your current level of coverage.

As you can see, not only will MFA help keep you safer, but it will keep you ahead of requirements handed down from outside sources. There are many different methods for implementing MFA in your district. Talk to your Tech Director about what you might already be doing, and what he/she recommends. We are happy to discuss options with you as well. If you would like to do some additional reading on your own, here is the link to CISA’s webpage on MFA: https://www.cisa.gov/MFA

This week’s suggestion:

  • Talk to your Tech Director about how you are currently using MFA and if there is a need to expand usage

Next week’s bulletin will discuss “CISA Step 2 - Mitigating Known Exploited Vulnerabilities (patching)

If you would like more information on implementing MFA in your district or navigating the NIST CSF journey, please contact Lisa MacDougall at lmacdougall@csiny.com or call 845.897.9480.