Is MFA the Vegetable of Cybersecurity?

Strengthening your company’s cybersecurity posture can be easy, but three trends are causing many companies to miss out. Here’s how to avoid falling victim to these trends – and cyber threats.


Like it or not, vegetables are good for us. Chowing down on some broccoli or kale can help us build strong bones, reduce our risk of chronic diseases, and deliver the vitamins our bodies need. And yet, the CDC reports that only 10% of American adults eat enough veggies — even though they likely know they should.[1] Companies are the same when it comes to security. 

Cybercrime is predicted to cost the world $10.5 trillion annually by 2025, up from $3 trillion a decade ago and $6 trillion in 2021.[2] There are 921 password attacks every second — almost double what we saw a year ago. There is one simple action businesses can take to protect against 98% of attacks, but 38% of large companies and 62% of small to mid-size companies don’t do it.[3] In fact, across industries, only 22% of customers using Microsoft Azure Active Directory (Azure AD), Microsoft’s Cloud Identity Solution, had implemented strong identity authentication protection as of December 2021.

Enabling multi-factor authentication (MFA) adds an additional layer of protection, so even if threat actors know an organization’s or employee’s password, they still won’t be able to gain access to the network. So, if strengthening a company’s cybersecurity posture is as easy as enabling MFA, it raises the question: Why won’t companies eat their vegetables?

What’s stopping companies from enabling MFA?

Every enterprise is different. They are made up of different business verticals, have different goals, and operate under different budgets. But despite all those differences, we see a few trends across them all when it comes to the reasons they don’t deploy MFA.

  1. It costs too much

Microsoft provides MFA for free with Azure AD. Even those using the Azure AD Free tier can take advantage of Azure AD MFA by using the security defaults. Security defaults were created to make managing security a little easier. The goal is to ensure that all organizations have at least a basic level of security enabled at no extra cost. Enabling the security defaults delivers Azure AD MFA for all users, blocking off legacy protocols like IMAP4 and POP3, and protects privileged activities like access to the Azure portal.

Those who own Azure AD Premium P1 or P2 can also utilize Conditional Access, which delivers more flexibility in how and when a user is prompted for additional factors.

  2. They think their users will hate it

Our goal is to allow our users to be productive wherever and whenever they are working while still protecting the organization. Conditional Access is our modern approach to MFA. Instead of prompting a user for a second factor every time they authenticate, we look at several different elements to determine if something has changed or is unusual about this user before we prompt them. We look at things like where the user is signing in from, whether their device is healthy, and if there’s any suspicious behavior — for example, if the user typically signs in from France and someone tries to sign in with their credentials from Seattle at the same time, something is definitely wrong. 

Through risk-based Conditional Access, Azure AD automatically responds to threats based on adaptive security policies that the security team defines. For example, the team can require MFA or force a password reset for a sign-in identified as risky. Policies can be based on user location, device platform and state, application, or risk level.

We also make it easy on the end users by giving them choices on how they want to supply the second factor when they do get a prompt. No fancy equipment is required. Users can choose something as simple as an SMS message or phone call, though we recommend stronger authentication methods like the Microsoft Authenticator App, OATH tokens, or a FIDO2 security key. They can even have multiple devices that use different methods for different environments and have backup devices in case they lose one or forget one at home.

  3. It’s too hard to deploy

Another reason enterprises give for not implementing MFA is that it’s too difficult to deploy. When it comes to protecting Azure AD, MFA doesn’t require a physical server or any kind of software installation. Just configure a Conditional Access policy and go.

We’ve recently added Conditional Access templates to make configuring the policies even easier. Security teams can quickly create a new policy from any of the 14 built-in templates. They help companies provide maximum protection for their users and devices and align with the most commonly used policies. These include things like “Require multifactor authentication for admin” or “Require password change for high-risk users.” Microsoft also offers a list of recommended policies, and organizations can target Conditional Access policies to a specific set of users, apps, or devices to easily deploy different policies at scale.
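The three mechanisms described above, blocking legacy protocols under security defaults, risk-based Conditional Access that challenges a user whose sign-in is inconsistent with their previous one (the France-then-Seattle case), and targeted policies such as “Require multifactor authentication for admin”, can be illustrated as one ordered policy evaluation. The following is an added example written for this page, not Microsoft’s code or the Azure AD policy engine: the `SignIn` record, the rule order, the 900 km/h travel threshold and the sample sign-ins are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt


# Hypothetical sign-in record; the field names are this example's own, not Azure AD's schema.
@dataclass
class SignIn:
    user: str
    time: datetime
    lat: float
    lon: float
    app: str
    device_compliant: bool
    legacy_protocol: bool = False   # basic-auth IMAP4/POP3 style client
    is_admin: bool = False


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on Earth, in kilometres."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * r * asin(sqrt(a))


def impossible_travel(prev: SignIn, cur: SignIn, max_speed_kmh: float = 900.0) -> bool:
    """True if getting from prev's location to cur's would require exceeding max_speed_kmh."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = abs((cur.time - prev.time).total_seconds()) / 3600.0
    if hours == 0:
        return dist > 0.0          # two distinct places at the same instant
    return dist / hours > max_speed_kmh


def evaluate(event: SignIn, history: list[SignIn]) -> str:
    """Return 'block', 'mfa' or 'allow'. Rules run in order; the first match wins."""
    # Security defaults: legacy protocols cannot present a second factor, so block them.
    if event.legacy_protocol:
        return "block"
    # "Require multifactor authentication for admin": privileged users are always challenged.
    if event.is_admin:
        return "mfa"
    # Risk signal: location inconsistent with this user's previous sign-in.
    prior = [h for h in history if h.user == event.user]
    if prior and impossible_travel(prior[-1], event):
        return "mfa"
    # Device state: an unmanaged or non-compliant device gets a challenge.
    if not event.device_compliant:
        return "mfa"
    return "allow"


def run(events: list[SignIn]) -> list[tuple[str, str]]:
    """Evaluate events in time order, building per-user history as we go."""
    history: list[SignIn] = []
    decisions: list[tuple[str, str]] = []
    for ev in sorted(events, key=lambda e: e.time):
        decisions.append((ev.user, evaluate(ev, history)))
        history.append(ev)
    return decisions


# Constructed sample sign-ins (not real telemetry). Coordinates are Paris and Seattle.
T0 = datetime(2022, 6, 1, 9, 0)
PARIS = (48.8566, 2.3522)
SEATTLE = (47.6062, -122.3321)
SAMPLE = [
    SignIn("alice", T0, *PARIS, "Outlook", True),
    SignIn("alice", T0 + timedelta(minutes=30), *SEATTLE, "Outlook", True),
    SignIn("bob", T0 + timedelta(minutes=5), *PARIS, "IMAP4 client", True, legacy_protocol=True),
    SignIn("carol", T0 + timedelta(minutes=10), *PARIS, "Azure portal", True, is_admin=True),
    SignIn("dave", T0 + timedelta(minutes=15), *PARIS, "Teams", False),
    SignIn("erin", T0 + timedelta(minutes=20), *PARIS, "Teams", True),
]

if __name__ == "__main__":
    for user, decision in run(SAMPLE):
        print(f"{user:6s} -> {decision}")
```

Running the block prints one decision per sign-in: alice’s first Paris sign-in is allowed, her Seattle sign-in thirty minutes later is challenged because the implied speed is far above anything a traveller can achieve, bob’s IMAP4 client is blocked outright, carol is challenged for being an administrator, and dave is challenged because his device is non-compliant. The point of the ordering is that blocking comes before any prompt and that a user on a healthy device with a consistent location (erin) is never prompted at all, which is what keeps the experience tolerable.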

Ultimately, our goal is to make it as easy as possible for an enterprise to protect itself, and its users, from ongoing cybersecurity threats. Enabling MFA is just one tool in a security team’s kit. Companies can learn more about the latest cybersecurity threats and what steps they should take with Microsoft Security.

To learn more about Microsoft Security, visit us here.

[1] https://www.cdc.gov/mmwr/volumes/71/wr/mm7101a1.htm?s_cid=mm7101a1_w 

[2] https://www.okyo.com/resources/articles/cybercrime-economic-heist-of-the-century 

[3] https://www.cpomagazine.com/cyber-security/mfa-and-the-consequences-for-companies-who-dont-use-it/


Copyright © 2022 IDG Communications, Inc.