Multi-Factor Authentication is here to stay
This summer Microsoft announced that they now require all Cloud Service Providers using Azure or MS Office 365 to enable Multi-Factor Authentication. Given the current cybersecurity climate, it seems like a sensible decision.
Multi-Factor Authentication (MFA) adds an extra level of security for sites and apps where previously a username and password alone may have been sufficient. It works in much the same way that modern laptops use fingerprint recognition or the latest phones use face recognition. You may have already encountered MFA when using online banking or PayPal, where you receive a text with a number that you need to enter before a transaction is completed. The chip and PIN on your bank card are a form of Two-Factor Authentication (2FA), yet if both the card and the PIN get into the wrong hands, a thief has full access to your bank account. Adding a further level of security, such as a text with a unique number, reduces the risk of fraud.
The reason that Microsoft have taken this decision is that it is now commonly accepted that traditional logins with just a username and password are unsafe. Password databases are regularly bought and sold on the dark web, giving hackers and cyber criminals access to sensitive information for only a few dollars (if you haven’t already, take a look at our blog about the dark web).
Microsoft’s announcement makes this the perfect opportunity for you to reassess your current security settings. We always recommend that our clients complete an annual audit in line with GDPR requirements.
Remember to educate your team on password hygiene, ensuring that they aren’t writing their passwords down in one ‘safe’ place and that their logins aren’t easily discoverable. For example, how easy is it to discover children’s or pets’ names, wedding anniversaries and other important information by quickly scrolling through social media?
It’s also important to make sure that you use a unique password for each account. If you reuse the same password across multiple accounts, a single phishing email or breach can provide access to far more than just the account that was compromised.
Check that only authorised users have access to your system. Have you deleted all of your ex-team members? Do the correct staff members have access to your data?
You should always think about access to your systems in the same way that you think about access to your buildings. When a staff member leaves you would expect them to hand their keys back, so you also need to take back their logins.
During your audit it may also be worth implementing Role-Based Access Control (RBAC). This approach defines which roles should have privileges to different files or areas of your IT infrastructure, and each person is granted only the access their role requires. So, for example, a junior member of staff will have less access than someone more senior in your company.
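As an added example that is not part of the original post, the following Python sketch models the audit advice above: a deny-by-default RBAC check in which a junior role holds fewer rights than a senior one, an MFA-enrolment requirement on every login, an offboarding routine that takes a leaver's access back, and an audit report that flags the accounts a review should catch. The roles, users, resource names and the `is_allowed`/`offboard`/`audit` helpers are all constructed for illustration.

```python
# Added example (not from the original post): minimal RBAC check plus an
# offboarding audit. Roles, users and resources are constructed sample data.
from dataclasses import dataclass, field

# Role -> set of (resource, action) rights. Deny by default: anything not
# listed here is refused, so a junior role simply has fewer entries.
ROLE_PERMISSIONS = {
    "junior": {("timesheets", "read"), ("timesheets", "write")},
    "senior": {("timesheets", "read"), ("timesheets", "write"),
               ("client_data", "read")},
    "finance": {("payroll", "read"), ("payroll", "write")},
}

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    active: bool = True          # False once the person has left
    mfa_enrolled: bool = False   # MFA is required before any access is granted

def is_allowed(user: User, resource: str, action: str) -> bool:
    """Allow only an active, MFA-enrolled user whose role grants the right."""
    if not user.active or not user.mfa_enrolled:
        return False
    return any((resource, action) in ROLE_PERMISSIONS.get(r, set())
               for r in user.roles)

def offboard(user: User) -> None:
    """Take the keys back: deactivate the account and strip every role."""
    user.active = False
    user.roles.clear()

def audit(users, leavers) -> dict:
    """Flag what an annual audit should catch: leavers still active, active
    users without MFA, and users holding roles the policy never defined."""
    known = set(ROLE_PERMISSIONS)
    return {
        "leavers_still_active": sorted(u.name for u in users if u.active and u.name in leavers),
        "no_mfa": sorted(u.name for u in users if u.active and not u.mfa_enrolled),
        "unknown_roles": sorted(u.name for u in users if u.roles - known),
    }

# Constructed sample directory: "dave" has left but was never deactivated,
# "carol" never enrolled in MFA, and "admin" is not a role the policy defines.
USERS = [
    User("alice", {"senior"}, mfa_enrolled=True),
    User("bob", {"junior"}, mfa_enrolled=True),
    User("carol", {"finance"}),
    User("dave", {"senior", "admin"}, mfa_enrolled=True),
]
LEAVERS = {"dave"}
```

Running `audit(USERS, LEAVERS)` on the sample directory reports dave as a leaver still active and carrying an undefined role, and carol as lacking MFA; `offboard(dave)` then makes every `is_allowed` check for that account return False.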
Train your team
It’s always advisable to keep your team up to date on the latest cyber-security news. Remind them about phishing emails and how easy it is to lose vital information at the click of a button. As the old adage goes, “forewarned is forearmed”.