Why You Should Enable Microsoft 365 Email MFA

Multi-factor authentication (MFA) is one of the most effective and least expensive tools you can use to protect your email and your organization's data.  Still, many small businesses are reluctant to use it.  Here’s why you should enable Microsoft 365 email MFA as soon as you can.

Single-Factor vs. Multi-Factor Authentication

Single-factor authentication (using only a password) leaves a massive attack vector open in your organization.  That’s because usernames and passwords are surprisingly easy to buy on the Dark Web (or to steal in other ways).  The bad guy only needs your username and password to gain the keys to the kingdom through your email.  This may lead to a significant loss of money or data as well as legal and compliance consequences.

Multi-factor authentication combines something you know (usually your username and password) with something you have (a one-time passcode served up by an authenticator app or a “push” from the authenticating service).  Entering an additional code does add an extra step.  It also makes the cybercriminal’s job that much harder, so maybe they’ll move on and attack someone else.

Why Microsoft 365 Email is a Target

According to Threatpost, Microsoft 365 accounts are a treasure trove for cybercriminals looking for sensitive organization data.  Attackers typically target them using email-based phishing or spearphishing attacks, automated credential stuffing, or guessing attacks. According to researchers, enabling Microsoft 365 email MFA is one of the best ways to prevent this type of unauthorized access.

Your employees are smart, but we’re all human.  Even trained and cautious people make mistakes.  Up to 90% of breaches begin with a phishing email.  And even if you’re diligent, you may become an unwitting victim of someone else’s mistake.

For example, you receive an email from someone you know with a reasonable request and a link that looks okay.  Since the email is from someone you know (with an email address you know is accurate), you click.  What you didn’t know is that your colleague’s (or customer’s, or friend’s) email was taken over by a bad guy after they clicked on a phishing email, and they may not even know it.

From there, the bad guys take over the email account, use access to contacts, calendars, and email addresses, and go to town sending out emails that look absolutely real. In the time it takes to recognize the breach and respond, the bad guys could send thousands of emails to unsuspecting people.  This isn’t a random story – we’ve seen it happen in real life to our clients.

One email compromise can cost tens of thousands of dollars in IT mitigation fees, legal fees and identity protection services, not to mention the potential reputational damage.

Your Business Data IS Valuable

Every business has valuable information, even though small business owners often don’t see it.  Do any of these sound familiar?

  • Nobody’s interested in my financial information.
  • My business doesn’t have any intellectual property.
  • We’re small and local, no state secrets here.
  • My staff is smart – they know how to spot fake emails and know not to click.

In fact, your employees’ payroll information alone is marketable on the Dark Web. Since your business does have marketable information, help protect it with Microsoft 365 email MFA.

Minor Inconvenience vs. Major Loss

No single tool is foolproof, but according to SANS Software Institute, 99% of data breaches can be prevented using MFA.

While it may take each user a few minutes to set up Microsoft 365 email MFA, the time and expense you’ll save by avoiding a breach are immeasurable.  If you’re concerned about the inconvenience of setup, think about how to prioritize your user base and account usage, and phase in MFA accordingly.  The minor inconvenience will be time well spent.

If you’d like to know more about how CRU Solutions can help keep your business safer, contact us.