“When implemented correctly, MFA can make it significantly more difficult for an adversary to steal legitimate credentials to facilitate further malicious activities on a network,” the Australian Cyber Security Centre (ACSC) says. “Due to its effectiveness, multi-factor authentication is one of the Essential Eight from the Strategies to Mitigate Cyber Security Incidents.”
MFA’s deployment is also aligned to CIS 18 – which means two of Australia’s most popular security frameworks both recommend applying this type of protection to user accounts.
Despite this, the actual use of MFA is not yet at its desired level.
A recent survey showed that only 37% of businesses “have a requirement for their people to use two-factor authentication when accessing their network, or for applications they use.”
Frustration at the lack of movement on MFA is, at times, palpable; according to one global survey in mid-2020, 29% of respondents saw their “inability to institute MFA as the biggest threat to their company.”
A post by Microsoft’s Director of Identity Security Alex Weinert late last month encapsulates the threat perfectly: “When we look at hacked accounts, more than 99.9% don’t have MFA, making them vulnerable to password spray, phishing, and password reuse,” Weinert wrote.
This should be a wake-up call for all organisations. An organisation without MFA is putting itself, its accounts, and the permissions and data that sits behind those logins, at considerable risk of compromise.
Older IMAP, SMTP and POP3-based email services used industry-standard authentication for the time: a simple username and password combo. The problem is, that these older email services don’t understand nor respect or use MFA, regardless of configuration.
For Microsoft-hosted services, this is in the process of changing. Microsoft already changed the default configuration for a new Exchange Online customer in 2019 to block legacy authentication for everything but SMTP. Microsoft also announced that from Oct 1 2022, it would begin to disable legacy authentication for some customers, and at some point, will disable it across the board.
Microsoft is also initiating MFA challenges on its cloud accounts too.
So how should you deal with these changes?
A staged approach is most likely to succeed in this instance. This might include initially limiting legacy username-password authentication to specific applications or users while enforcing modern authentication across the organisation’s balance. This outcome can be achieved via Microsoft Conditional access policies.
Using a staged approach allows organisations to make the changes required to achieve the best security standard for modern authentication, ensuring that they get the full security benefit of enforcing and deploying MFA.
While organisations are aware of the threat and the extra risk burden they shoulder by not enabling MFA on user accounts, they may not be in a position to act on it.
“Unfortunately, many companies lack a team of security experts to address these issues, and often have no IT team at all,” Weinert writes. “So, even though the industry is clear on the importance of MFA, there’s no one to hear or execute on these security mandates. These organisations are often the most vulnerable and experience the most compromised accounts.”
Understanding where to look for and engage third-party assistance is a requisite step to progress.
Come and talk with Tecala to better understand this staged approach and to assess your current security risks. Only through understanding your risk profile and a clear strategic security plan can you accurately determine what is required to ensure your security within this ever-changing business and global environment.
Our assessment follows 3 Steps:
Empower your people, while protecting your business-critical data, and your hard-earned reputation.
The 3 Game-Changing management and technology initiatives that will drive your continuous innovation and growth.
