What if I told you there’s a cybersecurity solution that “can block over 99.9 percent of account compromise attacks”? Don’t take my word for it. Read this Microsoft article on multi-factor authentication (MFA).
If you’re not familiar with MFA, in short, it is a way to double-check your login to an application or service with a separate, secondary means of authentication—such as biometric recognition or perhaps a one-time code sent by text message or via an app on your phone.
Effectively, this security approach prevents criminals from being able to steal your identity if they obtain your username and password by other means (e.g., spyware or the dark web) because, without the secondary code, login is not possible.
Yet I’ve found that many businesses have not yet implemented this highly effective solution.
In my opinion, MFA should be a mandatory cybersecurity protection. And this is why…
1. Implementing MFA for Microsoft 365 lowers your business risk significantly.
When your business uses MFA with Microsoft 365, it doesn’t matter if the bad guys steal your employees’ passwords. They still can’t access your accounts because a second type of authentication is needed.
Yes, a criminal can steal a phone number by tricking your cell-phone carrier into transferring it to a phone he or she has and thereby obtain MFA text messages. But the major cell-phone carriers are less vulnerable to this approach now because they are implementing better security procedures themselves to prevent fraudulent account transfers.
2. MFA protects your clients, vendors, and business partners.
Cyber threats are never confined to your organization alone. A successful attack can jeopardize a client or other business ties.
I know because I’ve seen it.
Just last year, one of our clients lost tens of thousands of dollars in a spear-phishing scheme. Was our client hacked? No. But their vendor was hacked, allowing cybercriminal(s) to read sensitive email communication, impersonate the vendor, and fraudulently steal funds by representing themselves as my client’s vendor. If you haven’t read the story, go here. Using MFA with Microsoft 365 reduces the likelihood of putting your business partners at risk.
3. Using Microsoft 365 without MFA is dangerous.
Think about this.
If the bad guys hack your Microsoft 365 account, they get access to all of your Microsoft 365 data. This includes sensitive emails and corporate documents. Effectively, they gain entrance to the entirety of your information in the Microsoft cloud. It’s a treasure trove for blackmail and other cybercrimes.
Using Microsoft 365 without MFA is like hiding a key to your house under the front doormat. Even if your door is locked, it would not take a determined criminal long to find that key and rob your house.
4. Implementing MFA with Microsoft 365 isn’t a huge headache.
I also want to point out that employing MFA for Microsoft 365 isn’t a significant headache for your business. It’s not even that costly to implement. Granted, for our team, setting up MFA is a process. But the process is fairly transparent to your team.
Using MFA with Microsoft 365 is relatively painless. At the office, employees won’t need an MFA code every time they use Outlook for email. Also, note that while Microsoft 365 does allow users to stay logged in to the Microsoft 365 web portal for up to 30 days, at Proactive IT, we prefer to disable this behavior because it reintroduces some risk that MFA is designed to eliminate. Fortunately, the Microsoft Authenticator app makes the MFA process simple and convenient.
5. Leaving a phone at home isn’t the end of the world.
Some business leaders may be concerned about how MFA relies on cell phones. What if an employee leaves his or her phone at home? What if a phone is stolen? Will the employee be unable to work because he or she can’t get access?
First, I hope this situation is rare. Most people depend on their phones. It doesn’t take MFA to make a missing cell phone problematic.
Second, your tech team should be able to help. Here’s a personal example. Here at Proactive IT, MFA is mandatory, but I’ve had an employee forget his cell phone. However, we used admin authority to provide access—as we could personally verify his identity at the office.
All that to say, if something happens to an employee’s cell phone, call us. We’ll get your team member working quickly even without his or her phone. And if the phone was stolen, as long as you are following good security practices with the phone, that should not represent a big issue either.
6. Setting up MFA is a one-time, fixed expense.
Here’s something for those of you who crunch numbers: Setting up MFA for Microsoft 365 is a one-time, fixed expense. If you already use Microsoft 365, the only other investment involved is having MFA configured. It’s not an ongoing cost.
A final consideration for using MFA with Microsoft 365
Not all forms of MFA are equal. Below is a list of common options—from the most secure to the least secure:
- Independent key fob or key card. This type of MFA is a separate device from a cell phone and is thus not vulnerable to cell-phone account fraud. The only way to steal the secondary authentication is to actually steal the MFA device itself. It is, however, less convenient than a cell phone.
- Application. A robust MFA app is safer than a phone number. Microsoft has an option called Microsoft Authenticator, an app that uses a QR code. This approach also helps mitigate the risks of cell-phone account fraud.
- Text. If you don’t have an app, this is the option we’d recommend. Once again, the chances of your phone number being stolen are fairly low. So this option is WAY better than no MFA at all.
- Email. Email is relatively risky for MFA. If your email account itself doesn’t have MFA enabled, it can be hacked, which allows the bad guys to easily receive MFA codes. Also, if your computer is compromised via spyware, viewing your emails is relatively easy for the criminal who did it.
How long will your business wait?
I see no reason why any business should wait to implement MFA. It is a fundamental step necessary on the road to a more secure business computing strategy.
If you have concerns related to MFA for Microsoft 365, please call us at 704-464-3075 or email firstname.lastname@example.org.
About Steve Kennen
As an expert in information technology infrastructure management, cybersecurity, and cyber risk management practices for small businesses, Steve spearheads initiatives that keep his clients secure and their business operations running smoothly. His core message is that the details matter.