View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Comment
January 12, 2024updated 01 Feb 2024 11:10am

Businesses are aware of their cybersecurity weaknesses. Will 2024 be the year they do something about them?

CIOs and CISOs need to know that defending against serious cyber threats requires more than just a wholehearted embrace of MFA.

By Al Lakhani

Robust cybersecurity is essential for any business. A breach can have fatal consequences for an organisation’s finances, operational capabilities and reputation, and the challenge becomes tougher each year as cyber threats become ever more sophisticated.

Today’s attacks are smart, adaptive, and tailored to exploit even the most minute vulnerabilities that exist in a business’s IT systems and cybersecurity solutions. Undoubtedly, 2024 will see threats evolve further still, and the pace at which the threats advance will only increase.

The question, then, is whether businesses are deploying solutions capable of protecting them against the latest (and next) generation of cyber threats.

To get the answer, IDEE recently commissioned a survey of 501 cybersecurity professionals in UK businesses. Worryingly, the findings reveal an ugly truth – that, while most organisations are aware of the shortcomings of their cybersecurity solutions, too little is being done to address them.

An AI-generated image of pinpad with scrambled numbers, used to illustrate an op-ed about multi-factor authentication.
An AI-generated pin sentry device, complete with a scrambled number pad. A recent survey of UK businesses by IDEE has found that almost all respondents relied on multi-factor authentication as a cybersecurity measure – even though half of them ultimately concluded that it was only “somewhat effective” against cyber-attacks. (Photo via Shutterstock)

MFA adopted widely, but confidence in it remains low

According to IDEE’s survey, almost all (95%) respondents said that their business uses multi-factor authentication (MFA) in some capacity, requiring users to provide more than one form of identification when accessing their work account or company’s IT systems.

In the last few years, MFA systems have become the cybersecurity solutions of choice. Most business software providers – think Microsoft 365 or Google Workspace – come with in-built MFA.

Yet, despite MFA being almost ubiquitous within UK companies, the research shows that not only is it often ineffective, but cybersecurity professionals know it is. IDEE’s survey found that just two in five (40%) businesses deployed MFA because they deem it to be the most secure solution for their systems and data. Moreover, one in two (50%) IT leaders damned their MFA solution with faint praise by describing it as only ‘somewhat effective’ against cyberattacks.

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

Cybersecurity decision-makers know that their business does not have a solution in place that can guard against the most sophisticated forms of attack. This trend is substantiated by the responses of tech leaders when asked to specify the types of attacks their MFA systems mitigate. Only 35% said that their solution offered protection against the use of weak passwords. Meanwhile, even fewer (34%) claimed their MFA could defend against credential phishing attacks.

This, in all honesty, defies logic. After all, of those businesses that admitted to having suffered an attack in the past 12 months (some 53%, by the way), over a third (35%) said the cause of the breach was stolen credentials.

What are the dangers of a relaxed approach to cybersecurity?

Businesses are experiencing breaches, and cyber experts describe their solutions as only ‘somewhat ineffective’, knowing as they do that their MFA cannot guarantee safety from some of the most common forms of cyberattack. Why, therefore, is more not being done to rectify this situation?

To my mind, these figures could suggest that IT leaders perceive cyberattacks as an inevitability, adopting a negative mindset and deploying an accepted best-in-class solution (MFA) without truly considering its efficacy against the methods today’s attackers are using. Needless to say, this approach is extremely dangerous.

One of the most obvious dangers is the financial cost of a cyber breach. For context, according to IBM’s latest Cost of Data Breach Report, the loss caused by a cyberattack in the UK hit an average of £3.4 m in 2023 – a figure that has risen by 9% since 2020. This loss occurs from a variety of factors, such as compensation for affected customers, an investigation into the breach, and penalties that can be incurred for failing to meet GDPR.

Further losses can be suffered because of operational downtime caused by a breach, as employees are often unable to access the systems or data they need to fulfil their roles, resulting in a loss in productivity and potential revenue. In December 2022, for example, a ransomware attack at the Guardian meant that staff were forced to work remotely to contain the breach.

Elsewhere, reputational damage, while harder to quantify, is undoubtedly another important consideration. According to figures from 2020, for instance, 34% of UK businesses suffered a damaged reputation following a data breach, while 33% lost customers.

Adapting your organisation’s approach to cybersecurity for the year ahead

With the start of a new year comes the chance to take a new approach to managing a business’s cybersecurity, and it is vital that IT and cybersecurity decision-makers take the opportunity to enhance their organisation’s defences if they are to stay ahead of increasingly sophisticated attackers in 2024.

One of the biggest things that is holding businesses back from being proactive is that they place too much emphasis on detecting cyberattacks, and do not spend enough time researching and implementing systems that work instead to prevent them. In turn, the negative mindset that attacks are inevitable gets recycled, and organisations remain stuck in a cycle of attack and defence.

To break free from this cycle, businesses have to implement a multi-layered approach that makes it extremely difficult for cybercriminals to bypass and impersonate users. This is particularly important at present. With many businesses still allowing their staff to take advantage of hybrid or remote working, organisations are utilising decentralised IT systems, making user impersonation a key threat to their accounts and data.

Mitigating this threat relies on concepts like transitive trust and identity proofing, which ensure that a transaction is carried out on a trusted service, tied to a trusted device, and coupled to a specific user under the user’s total control. Only then can organisations enhance their cybersecurity and protect themselves against the increasingly sophisticated forms of attack that will continue to impact the world of business in the months and years to come.

Looking ahead to 2024 and beyond, in the ever-evolving cybersecurity landscape, businesses must recommit to taking a preventative approach to cybersecurity to ensure the resilience and security of their organisation’s systems and data. Do not remain fixated on detection – prevention is everything, and businesses have to put solutions in place that are not merely ‘somewhat effective’ but absolutely effective in forestalling today’s cyber threats. 

Read more: Successful deployment of new AI solutions will depend on business leaders uniting with their tech pioneers

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU