Over the past few weeks, Microsoft’s Alex Weinert (@Alex_T_Weinert) has penned a couple of excellent blog posts on protecting passwords that O365 administrators and security departments need to read and digest.
In his first blog post, “Your Pa$$word doesn’t matter”, he goes into detail on why the complexity of the password doesn’t matter and why services such as MFA deliver a bigger bang for the buck. Alex’s opening paragraph in this post should be enough of an enticement to keep you reading.
Every week I have at least one conversation with a security decision maker explaining why a lot of the hyperbole about passwords – “never use a password that has ever been seen in a breach,” “use really long passwords”, “passphrases-will-save-us”, and so on – is inconsistent with our research and with the reality our team sees as we defend against 100s of millions of password-based attacks every day. Focusing on password rules, rather than things that can really help – like multi-factor authentication (MFA), or great threat detection – is just a distraction.
This week’s post from Alex, “All your creds are belong to us!”, has the most staggering statistic, given how prevalent data breaches have become in today’s world. You may want to make sure you are sitting down when you read this.
When we evaluate all the tokens issued with MFA claims, we see that less than 10% of users use MFA per month in our enterprise accounts (and that includes on premises and third party MFA). Until MFA is more broadly adopted, there is little reason for attackers to evolve. But MFA attacks do exist, and in this blog we’ll confront them.
I am still trying to wrap my head around this stat as it is mind-boggling.
O365/IT/Security administrators, let’s try to increase this number over the next several months by taking the guidance provided in the link below as the best practices for securing O365.
Once you have begun implementing the above guidance, make sure you check out the Microsoft Secure Score in your tenant, as it should go up, showing that improvements have been made.