Multi-Factor Authentication (MFA) is a part of every day life now - you use it on almost every platform (or at least you should be) which is a big change in the security world. Not only do we highly recommend implementing MFA on all your devices, but now Microsoft is requiring MFA for all administrative accounts in their cloud-based Azure solution. While this is a long time coming for the security world, it might be a hassle for your business. Let's make it easy.
Passwords are no longer enough. Unfortunately, even if your password is a complex string of letters, numbers, and special characters, hackers still have the ability to reach you. Last year alone, there were 90+ password breaches and in a recent 2024 leak, over 10 million passwords were leaks to the internet which means even if you used your cousin's dog's previous owner's social security number - hackers still got it.
If these aren't enough reasons to get and require MFA in your organization, consider these reasons:
Data breaches can result in major legal fees and fines of hundreds of thousands of dollars. They also can take a serious hit on your reputation. Without cyber insurance, you are putting your customers and employees at a greater risk. Where general liability insurance covers property damage and bodily injuries, cyber insurance (get your free checklist!), which is often excluded, covers the liability for violated sensitive information. This includes health records, credit card numbers, and Social Security numbers, to name a few things. It also helps with the recovery of the compromised data, notifies customers about the breach, and covers financial losses.
With so much of our lives shifting online, the rate of cyberattacks has skyrocketed. Back in May of 2021, President Biden signed the Executive Order on Improving the Nation’s Cybersecurity to mandate multi-factor authentication for federal agencies. This order sent a signal to all cyber insurance companies that MFA is a step they need to take and require from their customers as well.
As of July 2024, Microsoft Azure teams will begin rolling out additional tenant-level security measures to require MFA across certain Azure accounts. Establishing this security baseline puts in place additional security to protect cloud investments and company.
While the roll-out of this requirement will be gradual and methodical to minimize impact on your use cases, Microsoft has required this level of security in order to quickly put in place the right security measures for themselves and their solutions. Going forward, the team will provide communications to you about your specific roll-out dates through direct emails and Azure Portal notifications. Expect these in the coming months.
Point is, if you're using Azure (which we also recommend), you'll have to implement MFA sooner rather than later.
A common question asked by business leaders is, "Does every employee really need MFA enabled? Does MFA really need to be enforced as part of our cybersecurity policy?" The short answer is YES and YES. Simply put, anyone that has access to company resources needs to have MFA enabled on their accounts. Don't cut corners. Accept no substitutions.
For example, if someone in your company has access to Human Resources, Accounting, Manufacturing, Sales, or any other corporate data they need to be protected. Attackers are trying to find a foothold in any company, regardless of size or industry. Once attackers have access to an account it doesn't matter whether it's a front-line worker or a C-suite executive. Access is key—whether it be to an email account on Microsoft 365, a Virtual Private Network (VPN) into a private cloud, or a Microsoft Azure virtual desktop.
Once an account is accessed by an attacker, they can impersonate users by using email accounts, take over additional accounts within your organization, or siphon data regardless of the user's position or access level. The higher the level of access, the easier it is to move and gain information within your organization. The most common scenario is when executives have their accounts compromised, get hit with ransomware requesting funds to be transferred, or bank routing information is changed.
Over the past decade, cybersecurity efforts have continued to evolve, in order to keep up with expanding hacking abilities. Most companies struggle to fully deploy, or even get funding for, a single MFA solution that can integrate across multiple technologies and services. Having MFA enabled for just email isn't enough to provide complete identity protection within the environment.
Here are some of the ways that you can currently incorporate MFA into your digital workspace.
Remote access systems should support compliance with industry regulations. Failing to meet those standards can cause a disruption to the business, as well as a loss of trust. Multi-factor authentication for remote access is used in situations involving organizations’ relationships with third parties. Your organization should have a protocol that ensures that only your assigned technicians have remote access. The common credentials they should be given are a unique password, a security token to authorize their identity through a card or their smart device, and the secure biometric verification of facial recognition software or fingerprint scanning. Common platforms for this are Google and Microsoft Authenticator Apps.
Microsoft has made great strides in security enhancement for its hosted services. Office 365 showcases its additional security by making you approve sign-ins to your account using a mobile device. It is recommended that you download both the Outlook app and Microsoft Authenticator for all multi-factor authentication purposes. You will be able to bulk update your Office 365 through the admin center, resulting in active users being required to do some secondary verification the next time they sign in. You can change the settings for the cached token time to how you see fit. Microsoft’s Azure Active Directory also allows administrators to specify geographic location and trusted device conditions to prevent unauthorized access.
Cloud platforms (like Microsoft Dynamics, which we also recommend) can host multiple portals that are either private or public to end-users. With the proliferation of cloud applications comes the attention of hackers who focus their efforts on the data stored there. You have the power to choose how and when to enroll your users in layered security. It can be demanded as part of their registration to your app, suggested on their account management page, or added incrementally when the user wants to access certain high-security features. The best bet would be to encourage your users to register more than one secondary factor for account recovery because, if they lose access to the first, they will be locked out of their account.
Multi-factor authentication is capable of blocking over 99.9% of attacks on your account. Of course, no security system is perfect. But the additional layers that multi-factor authentication provides your IT infrastructure certainly decreases the vulnerability of your digital security architecture.
We want to keep you secure and compliant with the requirements of all your higher ups. Stay connected, stay secure, and most importantly, stay in business.
Let us know if you want to discuss your current (or future) MFA posture and ways to improve it. We're here to help in any way we can.