International Beverages Co-op Secures Digital Estate with Phish-Proof MFA From IDEE
Our customer is a large-scale purchasing consortium of the confectionery and beverage trade. The co-op currently facilitates c.850 mid-sized beverage wholesalers & chain store operators, convenience wholesalers and vending machine operators from across Germany. It has enjoyed consistent growth since its inception and is well respected, having promoted the economic development of the beverage and confectionery trade for upwards of 70 years. With such significant standing, the co-operative is one of Germany’s leading organizations for the specialist trade industry. They assume a payment guarantee and central settlement for direct purchases from the affiliated specialist dealers, with a turnover upwards of €881m.
A single day of lost trading could result in financial losses running into several million, not to mention a significant impact to members, their ability to do business and overall confidence in the co-op, in Germany as well as abroad.
With a vast network of hundreds of employees and thousands of external members and trading partners, the quality assurance and security of digital interfaces is of paramount importance. This focus on digital excellence led our customer to make IT investments very early on and today the IT infrastructure is layered with all the complexities one would expect from a mature organisation.
Risk Assessment Reveals Quantifiable Threats
With the goal set firmly on digital excellence, our customer must constantly assess the landscape, its threats and its weaknesses. It is through this dedicated process of due diligence that it was able to quantify the risks associated with the loss of trading should a breach occur. And so began the search for cyber insurance.
The risk of a take-down due to a cyber-attack would have had the heaviest impact on trade. The threat of cyber-attack was deemed both high impact and high probability. Working with the support of expert cyber-insurance broker Nordwest Assekuranzmakler GmbH (NWA), our customer devised a strategy to mitigate risk as well as insure against it, with the best possible conditions. Phishing was the first target. Industry figures show that phishing is the leading cause of cyber insurance claims.
Multi-factor Authentication (MFA) would achieve the risk reduction our customer was striving for; however, several challenges remained:
- There is consistent evidence that push, OTP and QR-code based MFA architectures cannot prevent credential phishing attacks.
- Traditionally, MFA has required a second device, and the co-op did not want to acquire or manage smartphones for all users.
- Buying and managing several hundred tokens/keys was not economically or logistically viable.
- With traditional MFA, the layered infrastructure could have left several areas still open to attack due to core legacy architectures.
Our customer needed an MFA solution that would match its specific criteria, and provide robust protection, enabling it to acquire the insurance cover it needed, but with terms that were financially viable.
AuthN by IDEE is Specified to Meet the Challenge
On the recommendation of ERGO, NWA turned to IDEE GmbH, product leader for passwordless authentication. Although a relatively new player in the field of MFA, IDEE had already earned an impressive reputation, with case studies in the highly regulated German banking sector for Deka Bank, a successful profile amongst industry analysts and the backing of the world’s largest IT distributor TD Synnex.
Expanding upon a FIDO2-compliant architecture with a privacy-preserving implementation, AuthN by IDEE is a strong zero-trust application of MFA that is not only phish-resistant, but demonstrably phish-proof.
Built and powered exclusively by AWS in Europe, AuthN by IDEE was the smart choice. Because AuthN by IDEE collects and stores zero personally identifiable information (PII) from any user, organization, or device, it meets with all the expectations of employee councils as well as audit and compliance teams.
AuthN was implemented directly with Active Directory (AD) on-premises. It does not need a sync or copy with AD. Sophos ZTNA (Zero Trust Network Access) was further enhanced with phish-proof MFA from IDEE, making VPN access both better to use and more secure. Additional administrator-focussed services, such as terminal services, remote desktops/servers, and shared service mailboxes, were also locked down with phish-proof MFA.
“To prevent phishing, protection must be deployed for 100% of all identities. Attackers will find an account that is not protected - and they will exploit it. There is no room for compromise.”
Al Lakhani, founder of IDEE
AuthN by IDEE was swiftly implemented. AuthN by IDEE allows for any device to become an authenticator, so the deployment leveraged the devices already in the hands of users such as PCs, laptops, Macs, and handhelds. The first implementation took only a few minutes with the protection of Microsoft 365 coming into effect almost instantly for all users.
With AuthN implemented, credential phishing and unauthorised hijacking of user profiles and accounts (i.e. account takeover) are impossible, solving one of the most urgent industry challenges. Regulatory compliance and the ongoing adoption of cloud services are greatly facilitated too, even in regulated sectors.