The 3 main reasons to activate Multi-Factor Authentication!
1. MFA is Free and included in every Microsoft 365 license
Every Microsoft 365 or Office 365 includes the ability to activate MFA.
2. Protecting your cloud identity is most important!
Enable multipleauthentication (or 2FA) to ensure your accounts are up to 99.9% less at risk.
73% of all passwords have already been used for other applications.
81% of all breaches include leaked passwords
3. Usable for multiple applications
You can give users access to multiple applications also not Microsoft to their applications in a secure way.
Single-identity / Single identity / one account for all applications!
Do you want to activate MFA?
Do you want to activate MFA? -> Then follow these simple instructions!
Multi-factor is one of the pillars to ensure a more secure identity. However, we often see people thinking that identity fraud can no longer happen after enabling MFA. Multi-factor Authentication is a technical solution. The person using this technology must also handle these security systems safely.
What are the risks to your organization?
What risk do you face if you get a ransomware attack?
What risk do you run if someone has access to all the organization's critical data?
What if all the data were encrypted tomorrow. Could we then go back to work in the afternoon?
Do we have backups, off-site? How quickly are we back operational after an outage?
What is the cost of a Cyber-attack?
Policies and decisions
Information management and information security is an organizational responsibility. Not of IT.
Decisions. If security is not a strategic objective, any implementation fails.
Policy/Rules. Are there organization-wide rules?
Who are the stakeholders?
CyberSecurity and change
Cybersecurity, what is it? We think it's complex. We ask pen-testers to test applications that are not that relevant of a possible breach. (This is only a small piece of the risk) While along behind we dare not update systems and applications because we hit the business.
Deciding to be more secure is step one. Then start a process to get the organization ready to embrace this change.
Protect key systems
define which systems are really important. and calculate the effort to make these systems more secure.
Don't put your effort into systems that you can easily restore from backup. Of course, each system has the potential to impact the other. Often you have to go back to the fundamentals here. WHERE and HOW was this built. If this system is integrated, and not a separate platform then unfortunately you will have to cover this as well.
Segment, isolate. Don't bet everything on one platform. And if you do -> segment.
Within the cloud such as Microsoft 365 there are so many built-in capabilities to deal more securely with security. Unfortunately, we don't use too many standard features.
We always stick to on-premises, we think we are safer there. Best we choose to integrate deeper into cloud solutions that have more capabilities today to be more secure.
If you use Windows computers, as well as Mac or Linux machines. So update these as well and measure the state of affairs daily . Even if you let it run full-automatically, check the facts! It's often not what people think.
Modern management, stop manual actions on systems. Automate and monitor.
It makes sense that if you choose Microsoft , you also follow their update cycles and program's. Why else did you choose Microsoft?
Training and awareness
It remains cliché. In times of MFA deployments, we still stick our passwords on our computers. Do we pass our accounts to colleagues and click on approve button at every pop-up on our smartphone. (in the authenticator app)
Training and awareness. one user can outsource an entire organization.
Who ever used their facebook password once on their work-related system?
Don't forget: Change & awareness will be perceived differently for everyone. You will always have fans of the change but also....
Build change processes based on the target audience. Not based on the technological driver...
Communicate cybersecurity program's. Involve users in stragic pillars. Update users on the status of improvement projects.
What can the IT team help with?
As an IT Administrator/PRO, you are able to build a current report of the environment with basic tools such as: Cloud App Security, ATP, your current Firewall, MAP Toolkit and so on. the NIST Framework can help you with the framing. You can find +10,000 demo reports from a security-audit online . Report reality!
Testing whether you have secure identities?
Use Azure Log Analytics to understand how many users are logging into Office 365 services without using Multi-Factor Authentication.
Millions of users risk increased vulnerability to attacks
The U.S. government's advisory gives 6 concrete work points in their security improvement plan. In reality, one of those measures was more important than all the others. The same measure that prompted Microsoft to warn enterprise customers of a "really, really, really, high" hacking risk in February. "If you have an organization of 10,000 users," the company said at RSA, "50 of them will be compromised this month."
Source: https://www.forbes.com/sites/zakdoffman/2020/04/30/us-issues-new-microsoft-security -alert-for-millions-of-office-365-users/#6c27bd704169
Some facts listed
Without MFA enabled, simple attacks are the cause of more than 80% of that huge number of account hacks - mostly brute-force attacks that allow passwords to be guessed because they are reused.
MFA is not the only recommendation CISA makes - CISA also recommends defining multiple administrator roles so that not every administrator account can take a gateway to the environment. It is wise to apply the principle of Least Privilege, "assigning administrators with only the minimum privileges they need to perform their duties."
CISA also advises disabling legacy protocols - POP3, IMAP and SMTP - which have much more limited security measures and do not support MFA. Microsoft reiterated this warning back in February. "If we look at the likelihood of attacks," these legacy protocols are "crazy" to leave on. According to CISA.
We don't do anything with it!
"We don't have vulnerable data. And having dialogue internally is too difficult, or misunderstood."
Answer: Atlas College in Genk. 1700 computers hacked. Management says in the news that there was no sensitive data to grab. Is that so? Minimum 1700 students data.
"Multi-factor authentication is too difficult. Our users don't get it.
Answer: ITSME, Facebook, Google, Hotmail. it works there. Do we want to be able to do it?
"It's an IT problem, they should fix it."
Answer: This is false, security is an organizational responsibility. Do the analysis. Activate an E5 and show the numbers. In almost every organization I have shown it to, they know they have a breach. Submit the numbers to your management. That's your responsibility, right?
The solutions are impactful but easy to set up
- Registration Multi-Factor Authentication
- Enforcing Multi-Factor Authentication
- Secure all users
- Block outdated authentication! (Imap, pop3,...)
- Conditional access
Identifying risk is harder than solving the problem
Just pick what you would consider most important. 99% of the risks around identity are solved by enabling MFA.
- To understand it properly, you can get started through these 5 steps
- Or identify your identity risks.