Multi-factor authentication is a necessity, and now it’s easy to deploy. 

In ice hockey, where players collide with each other at 20 mph (30 km/h) and take shots at speeds of up to about 100 mph (161km/h), it is hard to imagine that players competed without wearing helmets until the late 1970s. Since then, this single piece of safety gear has significantly reduced injuries and prolonged careers of professional players.

This example shows that sometimes the solution to a painful problem can be quite simple. The same is true for authentication, which is among the favorite cyberattack vectors for adversaries. Relevant data confirms again and again that having a single password, no matter how strong, is not enough anymore. An additional layer of protection – multi-factor authentication (MFA) – significantly decreases the likelihood of successful attacks on user credentials.

Well-developed processes to secure employees’ authentication, in combination with password hygiene, are essential parts of any prevention-first approach that aims to stop attacks before they can do any harm to a business. In pursuit of this strategy, ESET incorporated its cloud-based MFA solution ESET Secure Authentication into ESET PROTECT Hub, a new unified point of entry to the ESET PROTECT Platform serving businesses that include MSPs with user, license, and hierarchy management tools.

Just like ice hockey players tend to aim for the top corners of the net because of a high success rate, cybercriminals know that credentials are among the most vulnerable layers of businesses’ defense because of the human element involved.

For example, despite increasing global cybersecurity awareness among adults online, the password  “123456” remains the most-used credential.

And it’s not only a problem for the general public. Poor password hygiene is also observed among IT admins. Digging through more than 1.8 million pages identified as admin portals in 2023 revealed that 40,000 of them used “admin” as their password.

Knowing this, it is no surprise that the latest Verizon 2024 Data Breach Investigations Report found that 77% of basic web application attacks involved stolen credentials, 21% of them were the result of brute force (usually easily guessable passwords), and 13% of those attacks exploited vulnerabilities.

While businesses struggle with password laziness observed among their employees, adversaries improve their techniques to fool even those who are more tech savvy and vigilant. We can already see nefarious technical developments like AI-driven phishing or powerful high-end machines able to guess random six-characters-long passwords in a single day, despite the improved hashing methods used. Not to mention that users of older hashing methods can get breached instantly.

Luckily, most attackers targeting credentials behave like desperate players shooting pucks from their side across the whole rink toward their opponent’s net and hoping for the best. ”Spraying and praying” tactics are still prevalent among various cyberattacks; this is clearly demonstrated by Microsoft data published in 2023. Simple, cheap, and easily mass-produced password attacks still dominate the game. As a result, Microsoft deflects more than 1,000 password attacks per second(!) in its systems. Interestingly, they have noticed that more than 99.9% of accounts compromised didn’t have multi-factor authentication enabled.

Google found similar results in its older 2019 survey showing that adding just an another simple step of verification can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks.

Last but not least: multiple or additional factors of authentication are now a standard compliance requirement, just like the helmet has become compulsory in ice hockey.

Automated attacks targeting credentials:

Phishing – Fraudulent messages, emails, or calls luring targeted users into giving their account details and passwords. Using the latest technology, including AI, it is increasingly easy to mass-produce these attacks and at the same time make them more believable.

Password spraying – Trying the most-used passwords, such as the word “password” or “1234,” against a huge number of accounts.

Dictionary attack – Trying a list of passwords derived from a dictionary of words against a valid account.

Brute force – An automated attack against a single account using all possible combinations for a password.

Breach replay or credential stuffing – pervasive reuse of exposed credentials from previous data breaches against many accounts.

Available in higher tiers of the ESET PROTECT solution for businesses, ESET Secure Authentication provides an additional layer of security against common credential attacks.

It protects both regular employees and IT admins logging into business ecosystems, mitigates the risk of stolen and compromised credentials, keeps attackers from accessing corporate data, and helps businesses with cybersecurity compliance.

And the best part: reducing complexity, smooth installation and operation. The deployment takes around 10 minutes in the cloud; ESET Secure Authentication doesn’t need dedicated hardware – it’s cloud-based, easily scalable, and, what is more, ESET oversees maintenance and upgrades.

Exploiting valid accounts is still the path of least resistance for cybercriminals, according to IBM X-Force Threat Intelligence Index 2024, and despite effective protection being available, many companies still don’t use it.

Witnessing rapid-fire strikes from cybercriminals against business accounts every second, it’s time to “put a helmet on”. With ESET PROTECT, businesses can not only enjoy multilayered and AI-powered protection against all kinds of sophisticated attacks, but also take a proactive, prevention-first approach and easily deploy MFA to defend their precious accounts against massive automated attacks.

Sometimes there is just so much work to do that we lose focus and begin to miss some crucial details, leading to a degradation in efficiency, performance, and output – resulting in a complete burnout. This is especially true for IT jobs, where burnout rates are high due to an insurmountable amount of tasks. 

In cybersecurity, alert fatigue is one major sign of burnout, which can enormously influence the state of a business’s cybersecurity. Knowing about the symptoms and ways to ameliorate any possibility of it happening is paramount for the continuing well-being of your business and employees.

Alert fatigue is a sign of many things, but mostly, it is a sign of an incoming burnout. Be it because of complex interfaces, faulty security software rife with false positives, or low bandwidth to handle incoming alerts, especially in cybersecurity, it is easy to become overwhelmed.

Solutions like Extended Detection and Response (XDR) can be helpful but can also be very demanding, as they require trained eyes to operate. Likewise, Security Information Event Management (SIEM) is very useful, but it can be hard to discern what is or isn’t important, and the incoming traffic of logs can overwhelm even the most skilled professional.

What this results in is a constant demand for one’s attention, increased levels of stress, and a possible distaste for more in-depth investigation of incidents due to the number of reports, which, coupled with other calls for attention at work, can heavily increase one’s workload. Imagine it as a constant need to be alert and attentive. Repeat this several times and, voilá, burnout is achieved.

Curiously, a question can be raised whether it is truly the workload that drives alert fatigue, or if it is the result of cybersecurity tools not being up to the task of lightening the human touch.

A case can be made for the need to lower the burden on business IT generalists (staff), since they often also fill in other roles as (aside from having to protect the company from external threats) they also manage the networks and devices used by the employees, among other tasks.

It is not usually a single person managing all the previously mentioned tasks, but that doesn’t mean that individuals in a team cannot suffer burnout; the demands can be high, their bandwidth low, and working on repetitive chores is one way to waste time and achieve insanity. On the flip side, excessive boredom at work can also lead to the same result.

For IT specialists, a bane of their existence is bad, buggy, or overly complex software that makes work many times harder. This is why the current trend is to simplify user interfaces and graphics, or add a bit of automation to highlight only the most relevant points.

This is easy to see when looking at the evolution of operating systems or widely used apps – during the 2010s, most companies decided to simplify and make interactions with their prospective parts easier than before (a good example is the iOS 7 update or Windows 11 compared to previous releases). ESET did the same with the ESET PROTECT Platform, introducing a simple and easy-to-use dashboard for ESET PROTECT to make the work of IT security operators more manageable.

What’s more, this design philosophy has driven the company to design features such as the ESET AI Advisor or ESET Vulnerability and Patch Management, addressing the elephant in the room – complex security doesn’t need to be a burden as, believe it or not, being frustrated with security is a great way to weaken it.

There is always some way to make work easier, and there always are solutions that exist as an answer to some deficiencies or weak points of others. For example, overburdened or small business IT teams can opt to outsource their security to managed security service providers (MSSPs), lowering the chance of fatigue as a result of cybersecurity-related work.

Cannot cope with the number of detections coming from your extensive business infrastructure? Look for a Managed Detection and Response (MDR) solution that can help any business leverage the added skills and knowledge of an experienced cybersecurity vendor, upscaling their quality and state of protection.

Not every business can afford to increase the size of their IT teams, especially during times when there is a lack of professionals, and those that are available can be very expensive to hire. And if the current specialists are already struggling, why lose them because of burnout?

Apart from outsourcing, there are also some techniques individuals can use to ward off alert fatigue or burnout in general:

• Take breaks: Overworking yourself is a surefire way to experience burnout sooner rather than later, so try to space yourself and take breaks. 15 minutes every two hours is the recommended amount for office workers, with 8 hours of sleep, of course.
• Automate some tasks: Oftentimes, people do not know about specific tools that can make their lives easier by employing automation. For example, ESET PROTECT lets admins automate certain tasks, such as OS and product updates, scanning, computer shutdowns, freeing up the bandwidth of security admins. Likewise, the AI-native power of ESET PROTECT’s modules, including ESET AI Advisor in ESET Inspect, can ensure fewer capacity-induced stressors, increasing productivity and efficiency.
• Look for comprehensive simplicity: Having an easy-to-use interface presenting lots of important data on a single pane of glass is a great way to make IT work more effective, so look for products that, instead of overwhelming you, offer comprehensive protection with simple usage patterns.
• Learn to delegate: A common complaint of senior IT professionals is that delegating work is hard, as they cannot be sure of the quality of their peers’ work, so they opt to do it instead of focusing on more high-level tasks. However, everyone has a limited bandwidth, and not delegating tasks to others can overwhelm even the best senior employee.
• Outsource: Cannot cope with all those IT tasks? Consider outsourcing at least your IT security to an MSSP, offloading the IT teams’ burden at least partially, making it harder to burn out. Alternatively, supercharge your current security with an MDR service that can also aid your compliance-related requirements.

As a side note, burnout does not strictly need to be caused by work; there can be many additional factors, such as anxiety from human interaction, depression, or anything coming from the external environment that can have an impact on the human psyche. In those cases, also consider coaching as it might help cope with some problems that not even a job change might solve.