Cybersecurity threats to Microsoft 365 accounts can be reduced by 99.9% through one simple, free solution: multi-factor authentication. Only about one-third of users currently implement this powerful security measure!
Adding a second verification step beyond your password protects against phishing attempts, password spray attacks, and unauthorized access - all without disrupting your daily workflow. You can strengthen your Microsoft 365 account now instead of waiting for upcoming mandatory changes. This guide shows you how to set up and use multi-factor authentication to keep your data safe.
Microsoft 365's Most Powerful Security Shield
Multi-factor authentication is one of the most effective actions you can take to help prevent unauthorized access to your Microsoft 365 accounts. It requires an additional piece of information to log into your account beyond just your password. This is generally referred to as something you know (your password) and something you have (a code that comes through a multi-factor authentication app).
The Effectiveness of Multi-Factor Authentication
Various reports show that 99.9% of cybersecurity risk for Microsoft 365 can be eliminated by introducing multi-factor authentication. The great news is that it's free! In 2019, Microsoft enabled "Security Defaults" so that even if you didn't have the more expensive premium licensing, you were still eligible to get multi-factor authentication. However, when they first started that years ago, only about 1% of accounts were using it, and it went up to about 2%. Now it's up to about a third of accounts.
Considering multi-factor authentication can eliminate 99.9% of your risk, it's surprising that only about a third of people are using it. At Ekaru, we're working with clients to increase education and make sure they're following the best recommendations.
How Multi-Factor Authentication Works
The "something you know" is a password, but if your password is easy to guess or you're reusing passwords, criminals can easily gain access to your account. The "something you have" would be a mobile device with an app like Microsoft Authenticator installed.
You might be wondering, "Do I have to enter a six-digit code every single time I want to send or read an email?" That's not how it works! Multi-factor authentication looks for unusual behavior, such as when you travel. Consider this example:
- Credit card fraud protection works similarly. If you're going to your normal gas station and buying the normal things at the grocery store with your credit card, you're not going to get a fraud alert. But if you suddenly travel to the other side of the country and buy a sofa, the credit card company knows you don't live there, and you're going to get a fraud alert for that.
While multi-factor authentication does introduce a little bit of inconvenience, it's not much. You'll notice it when you're traveling and be prompted more often, but it's certainly not every single time you log in.
Overcoming Resistance to Change
Initially, there's some pushback to introducing multi-factor authentication because people don't know all the facts about it, but it's free and greatly improves your security posture.
Microsoft is making changes to their security defaults in the coming weeks. Any new accounts set up on Microsoft 365 will have multi-factor authentication in place, and Microsoft is no longer giving a 14-day grace period because that's 14 days of risk. Microsoft is doing this through the concept of secure by default.
Common Cybersecurity Threats Blocked by MFA
When you enable multi-factor authentication (MFA) in Microsoft 365, you can protect your organization from a wide range of cybersecurity threats. Many of these threats originate from email-based attacks.
Email-Based Attacks
Phishing campaigns, business email compromise tactics, and social engineering tactics often arrive through email. If you accidentally reveal your password by falling for one of these schemes, your account will remain safe as long as you don't also reveal your MFA method.
Password Spray Attacks
Cyber criminals frequently employ password spray attacks, trying a large number of common passwords against your account in hopes of gaining access. After a major data breach, the most popular passwords often get published. "123456" and "password" consistently rank among the world's most popular passwords, and attackers may try the top 100 passwords on these lists against your account.
Other Threats Blocked by MFA
MFA also protects against:
- Specific vulnerabilities in software and systems
- Risks associated with remote work arrangements
- Brute force attacks that systematically try many passwords
- Use of stolen credentials obtained through various methods
Real-World Scenario
Picture this: an unexpected email lands in your inbox, prompting you to log in to your Microsoft 365 account. Without thinking, you click the link and enter your password. A moment later, you realize the email might be a phishing attempt. With MFA enabled, you have an extra layer of protection. Even if the attacker has your password, they won't be able to access your account without your second authentication factor.
The Importance of MFA
By requiring an additional form of verification beyond a password, MFA makes it significantly more difficult for cybercriminals to breach your Microsoft 365 account. It protects against a wide range of common tactics employed by attackers seeking to gain unauthorized access to your data and systems. Implementing MFA is a crucial step in safeguarding your organization's digital assets.
Simple Steps for Microsoft 365 Protection
When it comes to cybersecurity in Microsoft 365, one of the most important steps you can take is enabling multi-factor authentication (MFA).
Upcoming Changes to Security Defaults
Starting in December, Microsoft will be making changes to how security defaults are handled for new accounts. They'll be removing the two-week grace period, as it opens up a significant vulnerability for brand new accounts. Over the course of early 2025, Microsoft will be introducing these changes to all tenants.
Getting Ahead of the Changes
At Ekaru, we want to help you get ahead of this by setting up MFA and ensuring you are comfortable using it. This proactive approach prevents last-minute surprises at inopportune times, like when you're about to go on vacation.
Setting Up Multi-Factor Authentication
When setting up MFA, you'll have the option to choose more than one type of authentication method. Here are a few options:
- Voice calls
- Text messages
- Microsoft Authenticator app (recommended, and it's free!)
While voice calls and text messages are available as MFA choices, we strongly recommend downloading the free Microsoft Authenticator app and using that instead. When challenged for MFA, a number is shown during sign-in and you must enter the matching number in the app on your device to approve the request. This significantly enhances the security of your account.
Why the Microsoft Authenticator App is the Best Choice
Although text messages and voice calls can be used as backup methods, they are not the best options since someone could potentially gain access to your phone. The Microsoft Authenticator app is the most secure choice, and guess what? It's completely free. You don't need premium licensing to use MFA within Microsoft, and the app itself is also free.
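As an added example (not code from Ekaru or Microsoft), the following read-only PowerShell check reports whether Security Defaults are on and which users have not yet registered MFA or are registered without the Microsoft Authenticator app. It assumes the Microsoft.Graph PowerShell SDK is installed and that the cmdlet and property names are as in the current SDK.

```powershell
# Added example (not Ekaru's or Microsoft's code): a read-only MFA posture
# check for a Microsoft 365 tenant using the Microsoft Graph PowerShell SDK.
# Assumes: Install-Module Microsoft.Graph -Scope CurrentUser has been run and
# the signed-in admin can consent to the read-only scopes below.
Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All',
                        'UserAuthenticationMethod.Read.All' -NoWelcome

# 1. Are the free Security Defaults (the MFA baseline described above) on?
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    Write-Host 'Security Defaults: enabled'
} else {
    Write-Warning ('Security Defaults are OFF. Unless Conditional Access ' +
                   'enforces MFA, users can still sign in with a password alone.')
}

# 2. Per-user registration report: who has no MFA method at all, and who is
#    registered but without the Microsoft Authenticator app (e.g. SMS/voice only).
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$notRegistered = $details | Where-Object { -not $_.IsMfaRegistered }
$noAuthenticatorApp = $details | Where-Object {
    $_.IsMfaRegistered -and
    -not ($_.MethodsRegistered -match 'microsoftAuthenticator')
}
$adminsAtRisk = $notRegistered | Where-Object { $_.IsAdmin }

# Admin accounts with no second factor are the highest-priority fix.
foreach ($admin in $adminsAtRisk) {
    Write-Warning "Admin without MFA: $($admin.UserPrincipalName)"
}

# Export the two remediation lists so they can be worked through user by user.
$notRegistered | Select-Object UserPrincipalName, IsAdmin |
    Export-Csv -NoTypeInformation -Path .\mfa-not-registered.csv
$noAuthenticatorApp |
    Select-Object UserPrincipalName,
                  @{ n = 'Methods'; e = { $_.MethodsRegistered -join ';' } } |
    Export-Csv -NoTypeInformation -Path .\mfa-no-authenticator-app.csv

# Summary comparable to the "about a third of accounts" figure in the article.
[pscustomobject]@{
    TotalUsers           = $details.Count
    MfaRegistered        = ($details | Where-Object { $_.IsMfaRegistered }).Count
    NotRegistered        = $notRegistered.Count
    WithoutAuthenticator = $noAuthenticatorApp.Count
    AdminsWithoutMfa     = $adminsAtRisk.Count
    SecurityDefaultsOn   = [bool]$defaults.IsEnabled
}
```

The registration report is based on Entra ID's own registration data, so it shows who has set up a second factor, not whether a Conditional Access policy actually requires it at sign-in.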
By taking these simple steps to enable MFA and using the Microsoft Authenticator app, you can greatly enhance the cybersecurity of your Microsoft 365 account. Don't wait until the last minute – start setting up MFA now to ensure a smooth transition and a more secure digital environment.
Cybersecurity Benefits for Growing Businesses
The number one reason to introduce multi-factor authentication for Microsoft 365 security is that it dramatically improves your security position. Microsoft estimates that 99.9% of your risk could be reduced by just this one simple free change to your account. There are a lot of other factors that go into cybersecurity, and one thing that we are seeing more and more questions about is the idea of cyber insurance.
Cyber Insurance Requirements
One of the first questions on a cyber insurance application is whether you use multi-factor authentication. Insurance companies ask these questions for a reason. They are the ones who see all the breaches and all the results, so they know who is at risk and who is not at risk. We strongly advise that all businesses maintain cyber insurance. With insurance, you can transfer some of the financial risk to an insurance company. You can accept risk, mitigate the risk that we are asking you to mitigate with Microsoft 365, and also transfer some of that risk to an insurance company. However, it is extremely important that you answer all the questions honestly.
Regulatory Standards
We are seeing more and more regulatory standards come into effect:
- HIPAA has been regulating the healthcare industry for many years.
- CMMC, the Cybersecurity Maturity Model Certification, is starting to impact everybody in the defense industrial base. Even if you make a tiny part that is part of a bigger defense contract, your organization will have to follow these standards.
It is a terrible day if your account ever gets hacked. We want to work with folks to get the right safeguards in place early, so you are not caught by surprise when Microsoft suddenly flips a switch, requires you to do it, and you do not know what it is. You have a little time now. The sooner you get this done, the better.
Working with Local Businesses
When working with local businesses, such as a local accounting office, we go through user by user and talk about the Microsoft Authenticator app. We show folks how to download it from the App Store on iPhone or Google Play on Android. It is free. We demonstrate how to set it up. The screen will walk you right through the process. You could do it on your own as well. It prompts you to scan a code and guides you step by step. It is very self-explanatory.
On day-to-day use, if you are just using your regular laptop at your work location, you will forget that you even have multi-factor authentication. But when you travel, you may be prompted to enter a code. We find that maybe there is one user out of the group that struggles a little bit more or has a different type of phone. If you do not want to use your phone for business use, you can also get a physical token to do the multi-factor authentication. However, most people just use the Microsoft Authenticator app.
Support and Assistance
Working with businesses one by one, we will help anybody who is having trouble getting the app, authenticating, or has questions about it. We are here to answer all those questions. Just last week, we worked with around 10 different businesses setting this up. It is very easy to do. People get the hang of it. Initially, there is some resistance, but once the light bulb goes off that you can reduce 99.9% of your risk by doing something that is free, most people will get the message and just go ahead and turn on the multi-factor authentication.
This is secure by design, secure by default. These are major initiatives that all of us in the cybersecurity space are talking about. We are here to help. It is not going to be that hard. It may sound daunting at first, but it really just takes a couple of minutes to set up.
Take Control of Your Microsoft 365 Security with Expert Support
Your Microsoft 365 security improves with one free change that blocks 99.9% of threats. Our team makes multi-factor authentication setup clear and simple for your organization.
We help your staff learn the benefits, answer questions, and build confidence in using this protection. From Microsoft Authenticator app guidance to security reviews and planning for upcoming changes, our experts stand ready to assist. Contact us today to add this proven protection to your Microsoft 365 accounts and keep your business data secure.
About the author:
Ann Westerheim, PhD is the Founder and President of Ekaru, a Technology Service Provider of cybersecurity and IT services for small and medium businesses in the greater Boston area. Ann is an accomplished technology innovator and leader with three engineering degrees from MIT. She has twenty years of high tech experience in research, advanced development, product development, and as an entrepreneur. Her career has spanned a vast range of technology endeavors including research in thin film semiconductors and superconductors, microprocessor fabrication, development of early Internet medical applications, and now focusing on the application of technology in business. She has an avid focus on the "last mile" of technology and decreasing the digital divide.
https://www.linkedin.com/in/annwesterheim/