One of the biggest lessons learned from the 2021 Colonial Pipeline breach is that the VPN account used to launch the nearly $5 million ransomware attack did not use multi-factor authentication (MFA). Usernames and passwords are no longer enough to protect key systems like email, remote access and banking. Multi-factor authentication, sometimes described as “something you know, something you have, or something you are,” is a cybersecurity measure that requires two types of credentials when logging in to a system.
According to Microsoft’s 2022 inaugural edition of “Cyber Signals,” MFA continues to have low adoption, despite the proven effectiveness of requiring multiple forms of authentication at log-in. The report states that only 22% of Azure Active Directory (AD) identities utilize strong authentication in the form of MFA. That’s 78% of Azure AD identities missing effective authentication controls!
Build a Stronger Defense Among Cyber Controls
Stinnett’s Data Privacy and Cybersecurity team has performed numerous Microsoft 365 reviews and, in almost every instance, discovered accounts that were not protected with MFA. The cybersecurity bell curve below shows that basic security hygiene still protects against 98% of attacks, and MFA is at the heart of the curve.
Cybersecurity Insurance Now Requires MFA
Due to the skyrocketing number of cyber incidents in recent years, cybersecurity insurance providers now require MFA as a base requirement to obtain coverage. They will likely ask you to attest to the following:
- Multi-factor authentication is required for all employees when accessing e-mail through a website or cloud-based service.
- Multi-factor authentication is required for all remote access to the network provided to employees, contractors and third-party service providers.
- In addition to remote access, multi-factor authentication is required for the following, including such access provided to third-party service providers:
  - All internal and remote admin access to directory services (Active Directory, LDAP, etc.)
  - All internal and remote admin access to network backup environments
  - All internal and remote admin access to network infrastructure (firewalls, routers, switches, etc.)
  - All internal and remote admin access to the organization’s endpoints/servers
Stinnett Fast Fact: Cybersecurity Ventures predicts that global cybercrime costs will reach $10.5 trillion in 2025.
Streamline the Login Process
Tired of remembering every password for every account? Using a single sign-on solution avoids creating a password for every application, and MFA makes signing in easier while enabling secure remote access to your organization’s network.
“The need to enforce MFA adoption or go passwordless cannot be overstated, because the simplicity and low cost of identity-focused attacks make them convenient and effective for actors. While MFA is not the only identity and access management tool organizations should use, it can provide a powerful deterrent to attacks.” – 2022 Cyber Signals report
Ready to make it difficult for bad actors to use stolen or phished credentials? Add MFA as an extra layer of cybersecurity to make accounts harder to access. With the rise in employees working from home, businesses must have an effective strategy in place.
Contact us to discover how Stinnett can help you implement a powerful cyber defense with MFA and single sign-on. Our team can lead the project from implementation to end-user training.