It’s integral that businesses proactively take steps to enhance identity-related security measures like MFA because since the COVID-19 pandemic, “identity has become the new security perimeter” according to many experts, including Microsoft.
The spike in remote working means the dissolution of many traditional network perimeters, opening a can of cybersecurity worms. The reason is simple. COVID-19 has jolted organisations around the world to embrace fast-tracked cloud migrations and digital transformations that can enable their workforces to work remotely. This transition seemingly occurred overnight, and it has amplified vulnerabilities, like the use of unsecured networks and devices. In this environment, users can be tricked, and accounts & devices compromised, making it difficult to always know whether requests to gain access to networks or log into accounts are legitimate. Verifying the identities of any request has become crucial in order to stay protected.
Commenting on how cybersecurity has transformed since the pandemic, Andrew Conway, General Manager, Microsoft Security stated that “for many businesses, the limits of the trust model they had been using, which leaned heavily on company-managed devices, physical access to buildings, and limited remote access to select line-of-business apps, got exposed early in the pandemic. This paradigm shift has been most acute in the limitations of basic username/password authentication”.
Consequently, when asked to identify their best pre-pandemic security investment, most businesses polled in a Microsoft survey chose anti-phishing technology to combat the rise in COVID-19 themed phishing emails. However, during the pandemic, the top security investment made was MFA. That’s because “providing secure remote access to resources, apps, and data” was the top challenge reported by security leaders.
It's a sentiment that’s echoed by Australian authorities. A special alert issued by the Australian Cyber Security Centre (ACSC) in February urged Australians “to strengthen proof of identity protections to help stop cybercriminals gaining unauthorised access to online information and accounts”.
The alert quoted Assistant Minister for Defence, the Hon Andrew Hastie MP, who said cybercriminals are always looking for new ways to steal money and personal data from Australians, and MFA is an effective way to stay protected from these cyber threats.
“Where possible, we are encouraging people to use multi-factor authentication on your online programs and devices for greater protections against cybercrime and cybercriminals. Using multi-factor authentication makes it much harder for cybercriminals to gain access to your online data or personal information. Things that appear to be small or straightforward steps – like multi-factor authentication – can actually make a big difference to increasing Australia’s defences against cybercrime,” the Minister wrote in a separate statement.
The Head of the Australian Cyber Security Centre (ACSC), Abigail Bradshaw, added that the ACSC has published step-by-step guides to help Australians set up MFA on a range of social media, email and message applications and devices.
It’s an important reminder for businesses to adopt and enhance security features like MFA to reduce the risk of identity compromise, with important lessons to share with our teams and networks for more well-informed and strategic discussions on the topic.
MFA can prevent “99.9% of cyber-attacks from breaching accounts”
From Twitter to SolarWinds, we’ve seen many organisations impacted recently by cyber-attacks. Often they start with just one compromised account. Once an attacker gets their foot in the door, they can escalate privileges or gather further intelligence that helps them to compromise more valuable, upstream targets. Here’s where defence measures like MFA come in. By requiring two or more pieces of evidence to prove a person’s identity to gain access to a device, online account or program, MFA makes it more difficult for a cybercriminal to infiltrate an account, even if the correct username and password is known.
Beyond passwords, there are various authentication factors that businesses can adopt to mitigate the risk of identity-based compromise. According to Melanie Maynes, Senior Product Marketing Manager, Microsoft Security, “basic MFA augments passwords with SMS, one-time passwords (OTP), and codes generated by mobile devices. Strong MFA employs high assurance factors such as FIDO security keys and smart cards to authenticate users. Fingerprint scans, facial scans, and other biometrics are secure authentication methods that can simplify sign-in for users”.
The basic idea behind MFA is that it requires multiple strands of information that only legitimate users will likely know and/or possess – ensuring that requests to access an account are indeed valid. It’s little surprise that MFA has been reported to prevent 99.9% of cyber-attacks from breaching accounts.
"You want to be using strong authentication for anyone that accesses your environment," Ann Johnson, Corporate Vice President, Security, Compliance & Identity Business Development, Microsoft, stated in a recent interview. "We know that 99% of hacks have some type of password element, however that password was stolen. Using strong authentication will at least give you a first line of defence against that," she said, adding: "Use multi-factor authentication for 100% of the people that access your environment 100% of the time".
Bolstering email security with MFA
Another reason for businesses to adopt MFA is the crucial role the security measure plays in protecting against email-borne cybercrime – a growing threat that is impacting many organisations, with devastating consequences.
The Australian Competition & Consumer Commission (ACCC) stated in a recent alert that Australian businesses reported over $14 million in losses to Scamwatch last year due to payment redirection scams, AKA business email compromise (BEC) scams. It added that average losses so far in 2021 are more than five times higher compared to average losses in the same period last year.
“Payment redirection scams impact businesses across many industries, including real estate, construction, law, recruitment, and universities,” ACCC Deputy Chair Delia Rickard said.
“An increasing number of reports are coming from sports and community clubs which reported more than $55,000 in losses to payment redirection scams last year. It is likely we will see similar figures this year, with $18,000 already reported lost so far in 2021”.
These scams can take several different forms. In some instances, scammers hack into a legitimate email account and pose as the business, by intercepting legitimate invoices and amending the bank details before releasing emails to the intended recipients. This highlights how critical it is to ensure password security and strong authentication.
“BEC criminals know that email is today’s de facto method of communication. People have been encouraged to “go paperless” by companies, and most feel confident they can spot a spam email. But they also inherently trust those they work with and are more likely to respond to requests from their company’s executives, as well as their trusted suppliers and business partners. A real but compromised account anywhere in the communication stream can lead to disastrous results,” according to Jim DeMarco, Insurance Digital Strategist, Worldwide Financial Services, Microsoft.
With such high stakes involved, it becomes integral to amplify defence measures that can prevent cybercriminals from infiltrating accounts in the first place. MFA is one of the easiest ways to do this, because it provides an extra barrier and layer of security at the log-in stage, eliminating any opportunity for cybercriminals to impersonate executives or intercept legitimate invoices.
“Enabling MFA can be one of the quickest and most impactful ways to protect user identities, and an effective means to reduce the threat and potential impact of BEC. MFA has been available for all Microsoft Office 365 users since 2014, yet many small- to mid-sized business system administrators have not enabled it for their users,” added Demarco.
With email-based cybercrime continuing to grow in speed and sophistication every day, it’s critical that we keep adopting and enhancing our MFA capabilities. In this era of heightened cyber-risk, businesses should also consistently review their email security strategies to ensure they’re doing all that they can to stay safe.
In the case of email security, it's key to remember that no one vendor can stop all threats, so don’t leave your business exposed. If you are using Microsoft 365 or G Suite, you should also have third-party solutions in place to mitigate your risk. For example, using a third-party cloud email solution like MailGuard to complement Microsoft 365. For more information about how MailGuard can help defend your inboxes, reach out to our team at email@example.com.
Simple cyber-hygiene and best practices like MFA, significantly limit the impact of cyberattacks
Microsoft’s President, Brad Smith, recognised last year’s cyber-attack on SolarWinds as “the largest and most sophisticated attack the world has ever seen”. But as he explained in his U.S. Senate testimony on lessons learnt from the hack earlier this year, implementing security measures like MFA could have limited the damage caused - even with an attack of this scale and complexity.
Talking about the security of U.S. government networks targeted by the attack, he said in his testimony: “What we found in several cases was troubling. Basic cyber hygiene and security best practices were not in place with the regularity and discipline we would expect of federal customers with the agencies’ security profiles. In most cases, multi-factor authentication, least privileged access, and the other requirements to establish a “Zero Trust” environment were not in place. Our experience and data strongly suggest that had these steps been in place, the attacker would have had only limited success in compromising valuable data even after gaining access to agency environments.
Undoubtedly, MFA can go a long way towards stopping cybercriminals breaking into networks. Let’s recognise its importance and ensure our businesses continue “to strengthen proof of identity protections" in order to stay protected in this period of heightened cyber-risk.