Two-factor or multi-factor authentication (MFA) was a concept that needed to be explained carefully to the public a few years ago. It’s an approach to cybersecurity that requires users to sign in to an account with something they physically posses, such as a phone. Most companies don’t use it, even when it’s readily available, according to previously reported data from Microsoft, because they prioritize easy access to information over security. SEE: Cybersecurity: Let’s get tactical (ZDNet special report) But with the Russian invasion of Ukraine happening now, the US government has now told all organizations that MFA is a must. “Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system,” the White House has warned. The message comes as the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) ramp up warnings about Russian hacking of everything from online accounts to satellite broadband networks. CISA’s current campaign is called Shields Up, which urges all organizations to patch immediately and secure network boundaries. President Biden said the warnings around improving tech security were “based on evolving intelligence that the Russian government is exploring options for potential cyberattacks.” CISA has led most of the US’s efforts and has the authority to require critical infrastructure owners and operators to report ransomware and other incidents within 24 hours. The White House, however, has now urged all organizations, even those that are not considered critical infrastructure, to beef up their defenses. “We accelerated our work in November of last year as Russian President Vladimir Putin escalated his aggression ahead of his further invasion of Ukraine,” the White House said in a statement. “The US government will continue our efforts to provide resources and tools to the private sector, including via CISA’s Shields-Up campaign.” SEE: How Russia’s invasion of Ukraine threatens the IT industry It’s rare for the leader of any country to urge everyone to step up cybersecurity defenses. Biden has used executive orders to compel federal agencies to patch software, but the new message urges the private sector to do the same. Beyond the use of multi-factor authentication, the White House also urged companies to take seven other steps:
Deploy modern security tools on your computers and devices to continuously look for and mitigate threatsMake sure that your systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actorsBack up your data and ensure you have offline backups beyond the reach of malicious actorsRun exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attackEncrypt your data so it cannot be used if it is stolenEducate your employees to common tactics that attackers will use over email or through websitesWork with FBI and CISA to establish relationships in advance of any cyber incidents