Office 365 and Dual Factor Authentication – You need it!
In today’s climate the Internet is riddled with security risks, some of which could be business-ending. As a Managed Service Provider, we see a variety of them first-hand, on a daily basis. With that said, we wanted to put the focus on dual factor authentication for Office 365.
What is Dual Factor Authentication?
Having a password is not enough anymore; cyber criminals have evolved, becoming increasingly sophisticated and targeted in their attacks. With dual factor authentication, logging in still requires the usual user name and password, but then takes it a step further and additionally requires a code that, in most cases, is either generated by an app on your phone or sent via text message. This code changes roughly every 30 seconds, so even if an attacker has your username and password they cannot access your account without that code. The best part of this is that Microsoft offers it for FREE.
Email is the number one target! They are counting on your users to make a mistake.
In most cases the attacker will send one of your users (employees) an email that looks very much like an official email from Microsoft. These emails are truly works of art and look very authentic. The email asks the user to enter their user name and password, handing the hacker their login credentials. The hacker then logs into the user’s email from a remote location and typically does one, if not more, of the following:
- Set up rules in the mailbox (that the user never sees) that automatically forward a copy of all incoming and outgoing email to an anonymous email box. Imagine if someone saw a copy of every single email you have sent; what type of damage could that do to your organization?
- Send emails to your staff. Let’s say, for instance, they gained access to your CFO’s email. The hacker then sends emails as your CFO asking your bankers for wire transfers, etc.
- Send an email to a staff member with a virus. Your employee(s) think it’s valid because it’s coming from a person of authority (from their actual email address), so that user opens the file and it immediately encrypts your most valuable data, asking for ransom in return.
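The hidden forwarding rules described in the first bullet are something an administrator can look for directly. The following Exchange Online PowerShell audit is an added example, not code from the original post; it assumes you are already connected with Connect-ExchangeOnline (ExchangeOnlineManagement module) as an Exchange administrator, and the list of internal domains is a constructed placeholder you would replace with your own.

```powershell
# Added example (not from the original post): audit every mailbox for inbox rules
# that forward, redirect or silently delete mail, plus mailbox-level forwarding.
# Assumes an existing session from Connect-ExchangeOnline (ExchangeOnlineManagement).

# Constructed placeholder list of domains you own; anything else counts as external.
$InternalDomains = @('contoso.example', 'contoso-mail.example')

function Test-ExternalAddress {
    param([string]$Address)
    # Rule targets render as "Display Name [SMTP:user@domain]" or as plain addresses.
    if ($Address -match '\[SMTP:([^\]]+)\]') { $Address = $Matches[1] }
    $domain = ($Address -split '@')[-1].Trim().ToLower()
    return ($InternalDomains -notcontains $domain)
}

$findings = @()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding (set via admin center or OWA options)
    $fwd = "$($mbx.ForwardingSmtpAddress)" -replace '^smtp:', ''
    if ($fwd -and (Test-ExternalAddress $fwd)) {
        $findings += [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName
            Rule = '(mailbox forwarding)'; Target = $fwd; Reason = 'forwards externally' }
    }
    # Inbox rules created by the user, or by an attacker holding their password
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $external = $targets | Where-Object { $_ -and (Test-ExternalAddress "$_") }
        if ($external) {
            $findings += [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName
                Rule = $rule.Name; Target = (@($external) -join '; ')
                Reason = 'rule forwards/redirects externally' }
        }
        # Rules that delete messages are how the real user is kept from seeing replies
        if ($rule.DeleteMessage) {
            $findings += [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName
                Rule = $rule.Name; Target = '-'; Reason = 'rule deletes messages' }
        }
    }
}
$findings | Format-Table -AutoSize
```

Any row in the output deserves a conversation with the mailbox owner; a rule forwarding to a domain nobody recognises, combined with message deletion, matches the pattern described above.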
Of course, the first line of defense is always staff education, which can help prevent this; however, it’s never 100%. Implementing dual factor authentication on your email could have prevented most of the attacks from occurring.
As you increase security, you always decrease ease of use. It simply comes with the territory. When dual factor is first introduced to your organization your users will probably be very unhappy, annoyed and maybe even furious. Honestly, you are adding another step to their job. Users for the most part don’t like having to put in a long password, let alone an additional step. On the bright side, they only have to put in the token each time a new device is added; however, if they primarily use Outlook Web Access, they will have to put the code in every single time.
In short, as cumbersome as it may seem, dual factor authentication is simply becoming a necessity to protect your business in today’s day and age.
Please check out the Q&A below for more information.
Q: Will my users have to put in the code every single time they access their email?
A: No, but with one exception. They only have to put the code in one time when accessing from a new device, then they are good to go. The only exception to this is if they are using Outlook Web Access (OWA) they will have to put it in every time they log in.
Q: I already have an anti-spam service; shouldn’t it block these?
A: Nothing is 100%. If they are using a legitimate email address, say firstname.lastname@example.org, but the display name is “John Smith”, the CEO of your company, the email will come through because it technically is a valid address. So, if your user only pays attention to the display name as opposed to the email address, they could potentially be putting your organization at risk.
Q: I have a smart firewall; shouldn’t that prevent viruses from coming through?
A: In most cases yes, but again, nothing is 100%. When it comes to protecting your organization, extra security can’t hurt, especially if it’s free!
- Educate your users!!!
- Educate your users on looking at the actual email address as opposed to just the display name.
- If a user ever gets a pop up or something asking for credentials, BEFORE they do anything, have them reach out to your IT Department or Managed Service Provider to make certain it is legitimate. Better safe than sorry!
- We have seen this first-hand. On separate occasions we have seen people wire large amounts of money to these criminals, have their data held for hundreds of thousands of dollars in ransom, and even have their data completely wiped out!
With the below items in place, you will dramatically reduce your organization’s exposure to these cyber criminals.
- Complex passwords
- Anti-Virus on every single machine
- Anti-Spam Service
- Smart Next Generation Firewall
- Solid and up to date backups, monitored often.
- Dual-Factor Authentication
- User Education