During the past year, we have seen a significant increase in the number of email phishing scams. Vancouver Island organizations are being targeted and business leaders are now coming to terms with the costly consequences of poor password management coupled with lax cybersecurity practices and policies.
Multi-factor authentication (MFA) simply put is a method by which a user verifies his or her identity by using their login credentials in addition to accessing a passcode from another trusted device. It is a security measure that you can put in place in addition to a username and password, that creates a third step necessary for somebody to login to an account. All too often professionals click on a link, type in their username and password which takes them to a fake website. When this happens, they expose their username and password to someone who is typically on the other side of the world. That person then uses the information to login and conduct more phishing scams or do other nasty things.
81% of the total number of breaches leveraged stolen or weak passwords.
Today, most professionals use their mobile phones as a second step to log in. At Smart Dolphins, we require employees to setup MFA whenever it is available. We a have a rule in place (called Conditional Access) which enforces MFA on most of the cloud apps that we use.
What is Conditional Access
You can use a Conditional Access policy to set rules around MFA to make security more consistent across your organization while making the process easier for your employees.
There are a couple of ways to implement multi-factor. The first way is the old school method which is to have the IT department enable MFA on user accounts on a one-off basis, help people login, set up. This can work however; the IT department may be prone to human errors just as all users are. This can result in a situation where you end up with most employees on MFA, but some people end up not having it leaving cracks in your cybersecurity.
The second, and better way is to have a technical policy in place that covers the whole environment, such as, if MFA isn’t setup, access is denied.
The Conditional Access policy is a service that Microsoft provides as part of one of their subscriptions that allows you to put a “then/if” statement rule in place to secure your cloud accounts. For example, if a user wants to connect to the Microsoft 365 email box, they will need to have MFA enabled if they want to login.
To access this policy, you will need an AD premium P1 license. If you are already using 365, you have an Azure AD account that is running in support of your 365 tenant. P1 is a paid version of Azure AD which gives you the conditional access rules. Typically, the best option would we suggest for small businesses is the Microsoft 365 business premium license. It comes with your Azure P1 subscription, office, email, Teams and all that other good stuff that most business today need. If you employ mobile workers or email-only, cellphone-only employees, you can use a slightly cheaper version called F3 which gives you something similar. Below are some rule examples:
- If an employee is working in the head office, they do not need MFA enabled.
- If an employee is within Canada, they do not need MFA enabled.
- If an employee is on their company-managed computer, they do not need MFA enabled.
Implementing MFA is a user-driven process and not something the IT team can/should ‘just do’ for you. It requires coaching and training at least with a subset of the team.
MFA is best done from a mobile device, but some users may not want to utilize their personal device. Alternatives to personal devices are available.
There is an additional cost to implement MFA properly (P1 license).
With MFA enabled, a hacker will be prevented from accessing your email account even if your password has been compromised. Consider the 80-20 rule which asserts that 80 per cent of the outcomes results from 20 per cent of all causes. With MFA, you put in 20 per cent of the effort, you get 80 per cent of the benefit.
The latest security incidents that we have witnessed could have been prevented with MFA enabled. It is the number one measure that you can implement to protect not just your Microsoft 365 account, but any online account that you access. We urge our clients to use it on your work and personal accounts. MFA will improve your organization’s overall security, protect against password or device theft and it is easy to implement. If you are concerned about email phishing or have questions about enabling MFA at your workplace, reach out to a Dolphin.