In what is being labelled the biggest data breach of all time, COMB, or the Compilation of Many Breaches, was leaked to an online forum in February of this year (2021). Containing more than 3.2 billion unique pairs of cleartext emails and passwords, the data is a combination of smaller data breaches that have occurred over the past several years.
Considering there are around 4.7 billion users of the internet, 3.2 billion is a pretty substantial portion. If worried that employee emails may have been caught up in this or other data breaches, the website haveibeenpwned can be used to verify if that is indeed the case. Simply enter an email address to check.
Some of the companies whose users' data was caught up in the COMB breach, including Netflix, Google, Hotmail and more, claim that they were not directly hacked, but that it is more likely their users' passwords and emails were stolen or even guessed. This brings up the topic of passwords and how effective they actually are as a security measure.
With cybercrime more prevalent than ever – a recent survey showing a 600% rise, with over 46% of global businesses having reported at least one cyber-attack since the shift to remote working – it is imperative that businesses protect their valuable information by implementing stronger security protocols around the use of passwords. In March of 2020, Microsoft engineers said that 99.9% of the account compromise incidents they deal with could have been blocked by a multi-factor authentication (MFA) solution.
What is MFA?
Multi-factor authentication (MFA) is an electronic authentication method that requires the user to provide two or more forms of identity verification in order to access a resource, online account, network or application.
MFA comprises three main types of additional information:
- Something you know. For example, a password, an answer to a security question or a PIN.
- Something you have. This could be a smartcard, a key or a one-time password – usually sent to a secondary device.
- Something you are. Fingerprint, facial or voice recognition being the most common.
Another part of MFA is adaptive authentication, a form of risk-based authentication. The additional check may only be required in circumstances deemed suspicious, such as an attempt to log in from a device that is not recognised or has not been verified, or from an unfamiliar location.
Why is multi-factor authentication important?
Traditional passwords are simply not secure enough on their own. Introducing an MFA policy decreases the chance of a successful security breach and increases confidence within an organisation. Here are some of the main reasons to implement MFA:
Prevents password and identity theft
With the level of phishing emails increasing and potential for malware being installed onto devices and networks, the danger of passwords being stolen is extremely high. In fact, 57% of Irish people admit to opening emails from people they don’t know. With MFA, even if a password is stolen, a hacker will be unable to gain access due to the additional steps required.
Protects against weak passwords
59% of organisations rely on human memory to manage passwords while 75% of Irish people surveyed use the same password across different sites and online services. Chances are if a hacker gains access to a password for one platform, they will in fact have the login credentials for multiple platforms. The use of MFA strengthens security even if the password is particularly weak.
Reduces threat from use of personal devices
2020 has seen many employees forced to work from home, in many cases using personal devices and public home networks for work purposes. These often do not have effective protections and security software installed, making them more likely to be hacked. MFA greatly reduces the chance of valuable information being accessed through the hacking of a personal device.
Reinforces other security measures
Anti-virus software and firewalls are effectively made redundant if employees’ passwords are stolen. If a hacker manages to gain access to a network through a stolen password, once inside, they can bypass and even disable firewalls so that they can wreak havoc on the company systems and steal more information. Enabling MFA reinforces these other security measures rather than weakening them.
Increases employee productivity
The reason many use the same password is purely due to ease of use. It is much easier to remember one password than multiple. Most people will have gone through the “forgot your password” steps more than once which takes time and attention away from work and leads to distraction while going through the steps and creating a new password. MFA means that there are multiple methods to choose from to log in so the user can pick the most suitable, saving time in the long run.
Though not a legal requirement as such, more and more organisations are insisting on MFA as a compliance measure in order to conduct business. If a company holds sensitive data on customers, for instance, it instils greater confidence that their data is safe when MFA is being used. The same can be said when working with suppliers or third-party vendors. There are many doors through which information can be accessed and MFA can protect against such infiltration.
How to set up MFA for Office 365?
Microsoft 365 includes an MFA feature for its users. If purchased recently, this should be set to ‘On’ by default. If not, there are a few simple steps to take to enable MFA.
Note: You must be a Global admin to manage MFA and if you have legacy per-user MFA turned on, this needs to be turned off.
- Go to the admin center at https://admin.microsoft.com.
- Select Show All, then choose the Azure Active Directory Admin Center.
- Select Azure Active Directory, Properties, Manage Security defaults.
- Under Enable Security defaults, select Yes and then Save.
Upon next login, users will be prompted to set up the Microsoft Authenticator app on their phones for a second form of authentication.
MFA solutions are inexpensive and easy to set up and add a strong layer of protection. It’s not so much a case of why an organisation needs to use it, but a question of why it is not already being used.
If you need assistance with your cyber security or with implementing multi-factor authentication across your organisation, get in touch with our team at +353 (0)1 8183272 or email us at firstname.lastname@example.org.