As Multi-Factor Authentication (MFA) becomes more prevalent in both business and personal digital uses, we were curious about how MFA works and best practices for using it. Below we will define MFA and explore its impact on the funeral profession.
First off, let’s define MFA. MFA is a security measure that requires two or more proofs of identity to grant you access to a website or application. For example, you may need to enter a password and a code sent to your phone to log in. Or you may use a fingerprint or facial recognition to access your phone or computer. You may also use an authenticator tool as a secondary form of security.
We caught up with Derek Wearmouth, security analyst at Homesteaders, to ask some questions about MFA and learn the newest tips for keeping your funeral home’s information safe and secure against potential attacks.
Homesteaders: Why is it important to protect data digitally at a funeral home?
Derek: Oftentimes, data found within the systems of funeral homes is what we consider PII or Personally Identifiable Information. This is information that an attacker could use to steal your identity or get further into a system. Obviously, as a business, having this sort of information compromised is not something that an organization wants from a customer viewpoint. Not to mention, many states have begun to enforce certain regulations on breaches for companies that, if not adhered to, could lead to fines.
Homesteaders: What's the importance of Multi-Factor Authentication?
Derek: Multi-Factor Authentication is a part of what many like to call "what you have, what you know and what you are." This means when a system is verifying that you are really who you are, they can verify it with these multiple different factors. What you have is a token, or an MFA tool. An example is when you receive a popup when logging in somewhere on your phone. What you know is your password; that is something only YOU should know. Finally, what you are: this is what a lot of people call biometric data or fingerprints, face ID, etc.
Multi-factor is important because it helps us identify that it’s really you. It is possible to "spoof" or fake MFA, but using MFA increases the difficulty many times over. Attackers can "hack" your password; however, if you receive a popup on your phone, it's hard for attackers to replicate that because it’s verifying that you truly made the request. If you did not, you simply decline. Optionally, biometric data such as face ID can be used. This increases the difficulty even more exponentially as it is almost impossible to fake someone's face.
Homesteaders: What are best MFA practices?
Derek: When you are setting up an account anywhere, check to see if MFA is an option. If it is, then enable it. If not, meet with an IT person to find a way to enable it. Many tools exist to put MFA in front of applications that do not have it natively.
Many phones allow for fingerprint or face ID. If prompted to use it when setting up MFA, always use it. Not only does it make your connection more secure, but it often makes it more convenient to use.
Many MFA tools will allow a user to use what is called "numbers matching." This means that when you log in, you are given a number. When your MFA tool prompts you, it will give you three numbers, and you need to pick whatever is on the screen that matches your number. This means that the system can identify that nobody else is using the phone and/or login and that the system knows that you are human.
When in doubt, use a password vault in conjunction with MFA. A password vault does not require you to remember your password and you do not have to type it when prompted. This means that if your system is infected, even tools such as keystroke loggers cannot grab your password. Keystroke loggers are often used to get the input from keys on a keyboard and snag passwords.
Homesteaders: Can you share some tips that funeral homes can adopt to make sure their digital information is secure?
Derek: If possible, do not use Gmail emails. While they are free to use, they are very insecure and often are part of spam lists everywhere. Where possible, buy a domain with email services. Often it costs less than $10-15 a year, you get a custom domain name and you get built-in security. Often, I recommend something like GoDaddy to purchase domains and security services; it’s a lot cheaper than you think!
When setting up accounts on various systems, ensure that MFA is a possibility! This will take you a long way as it will make it more difficult for someone to get into your account. For example, if you accidentally give out your password, they will only have one piece of the puzzle and will not be able to proceed with the login.
If you see an email that does not look legitimate, 9 times out of 10, it is not legitimate. If you are in doubt, call the person to confirm the email. While this is more work, it is a verification that the person actually sent that email. Oftentimes funeral homes, especially smaller ones, can become compromised and not even know it until partners receive emails from the attacker and let them know.
Always check links within emails by hovering over them to see the real link. If you are unsure if a link will be valid, consider the sender, the language being used within the email and what the URL looks like under the link. Many times, phishing emails will have “call to action” phrases such as “urgent,” “click here,” “please respond” or “find out more” within the email to entice users.
End users are almost always the target of an attacker because they are usually less technologically inclined, they are a customer-facing portion of the business so they are easier to reach and, especially with smaller businesses, often have more power within a system.
Homesteaders: Any final thoughts on MFA?
Derek: MFA, in combination with good diligence and training, will win 99% of the time!
Thanks to Derek, with these tips, you can boost your funeral home’s cybersecurity practices and stay ahead of potential security attacks, keeping your and your customers’ information safe and sound. Continue learning about cybersecurity best practices by checking out three online security tips and tips on how to increase your cybersecurity.