This blog was written by Charity Digital.
At the ECRC we pride ourselves on our partnerships with other organisations and are keen to promote the good work being done up and down the country when it comes to spreading the messages of staying secure and cyber resilient.
Charity Digital are an organisation committed to helping charities and non-profits unlock maximum impacts using digital tools. The important work they’ve done has helped countless people learn about digital transformation, which you can find out more about here.
Logins that take multiple steps to complete are quickly becoming the norm. Multi-factor authentication (MFA), which involves two or more actions to enter a digital system, is part of the comprehensive cybersecurity system of today.
Here, we examine how MFA works and share tips on how to install the systems.
MFA combines two or more independent checks before granting access to an account. Only if the user passes all of them does the login succeed.
Microsoft describes how they deploy MFA: ‘When you sign into the account for the first time on a new device or app (like a web browser) you need more than just the username and password. You need a second verification method – what we call a second ‘factor’ – to prove who you are’
Put in cybersecurity terms, access is granted only when factors from different categories are correctly combined. The classic scenario pairs something the user knows (e.g. a password) with something they have or can generate (e.g. a temporary code from a device), and sometimes something they are (e.g. a fingerprint or face scan).
MFA’s main benefit is that a stolen, guessed or reused password alone no longer gives an attacker access to the account or the data behind it. Many MFA systems can also alert administrators to failed or suspicious verification attempts, which shortens the time it takes to spot and respond to an attack.
Most people already use MFA without thinking about it: online banking and many other online accounts use it to verify identity. For charities considering MFA, the first question is which technique to use. The National Cyber Security Centre (NCSC) outlines a few.
FIDO2
Fast Identity Online 2 (FIDO2) is an open standard for passwordless or second-factor sign-in using a device the user already has, such as a phone, laptop or a small hardware security key. No code is sent anywhere: the device holds a private key and signs a challenge from the website, and because that signature is tied to the site’s real address it cannot be phished or reused on a fake site. Users typically approve the sign-in with a tap, a PIN or a fingerprint.
Authenticator Apps
An authenticator app (Microsoft Authenticator and Google Authenticator are common examples) is enrolled against the account, usually by scanning a QR code that contains a shared secret. From then on the app itself generates a fresh one-time code every 30 seconds from that secret and the current time, or displays an approve/deny prompt when a sign-in is attempted. Users enter the code or approve the prompt to complete the login.
Code Generators
Code generators can be hardware or software based and produce a one-time passcode that changes every use or every few seconds. Common examples are hardware tokens; some banking platforms issue a small device or card reader that produces the code needed to log in or approve a payment.
Message-Based Notices
Another form of MFA, message-based notices deliver a one-time code or approval link over a separate channel: a different app, an email address or a text message (SMS). These are the easiest to roll out but the weakest option, because text messages and emails can be intercepted or redirected (for example through SIM swapping). They are still far better than no second factor at all.
When considering what tech to use in your MFA system, evaluate the options systematically. Start from the risks you are trying to address and choose the method that mitigates them, and weigh what technology is already in use against the cost of further investment.
MFA, despite its benefits, does create additional administrative work for charity staff. Depending on the technology, there could be additional devices or information that staff need to have at hand. To start off with, here are the top tips to get staff on board.
Think Clearly About What MFA Means
Multi-factor authentication at its core asks users for something only they know, something they have and something they are. When implementing the tech, be clear on which of those elements you are actually going to use and why.
Top Tip: MFA doesn’t have to be all three elements. Make a risk-based decision.
Link to Digital Strategy
Rolling out digital strategy includes communication and education. Make sure that staff are aware of what you are trying to achieve by sharing the aims of MFA and what risks are being prevented.
Top Tip: Offer staff IT support specifically for MFA troubleshooting. You’ll want to ensure that they are able to access their processes in a timely manner.
Plan for Different User Groups
Okta suggests brainstorming a list of user needs and access rights. Consider how frequently users need to log on, what data they are accessing, and how many layers of MFA are required.
Top Tip: Make sure there’s a back-up factor or user-accessible alternative.
Start With Admin Accounts
To learn from potential errors, start with a small pilot group. Microsoft leans into this approach and its advantages. They say: ‘Administrative accounts are your highest value targets and the most urgent to secure, but you can also treat them as a proof of concept for wider adoption’.
Top Tip: Learn before rolling out to a wider audience.
Reassess Against Risk, Compliance and Policy
Last, keep a record of how the MFA rollout is progressing. Document any new risks, and how the technology might help in avoiding breaches. Review the charity’s cyber insurance and any other policies which might require your systems to have MFA in place.
Top Tip: MFA might not be the best or only solution for everyone. Tailor security to suit your needs.
To find out more about Charity Digital and the work they are doing, you can visit their website here.
Joining the ECRC as a free member ensures that your organisation is supported in making the small changes that make the biggest difference. Becoming a free member means you will receive regular communications via email, which will drip feed you ways in which you can improve your cyber resilience without costing any money.
The ECRC website also contains several links to helpful National Cyber Security Centre (NCSC) resources, which are all free, up-to-date, and easy to use. Tools such as Exercise in a Box and the NCSC Cyber Action Plan are particularly useful in terms of identifying areas where you could improve your cybersecurity. They also have many informative guides that are sector specific, which will give you useful and detailed information.
If you would like more information about how the ECRC can help your organisation specifically, please book a chat with us today.
If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress) please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day 7 days a week.
Please report online to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.
Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050)