Office 365 comes with significant security concerns, especially as organisations store more and more sensitive and business-critical data there. Take a look below to see some of the key highlights from SecureAuth’s report, “Get the Access Control You Need for Office 365: Prevent Attackers from Using Stolen Credentials to Compromise Your Cloud Data”.
OFFICE 365: POPULAR WITH USERS — AND ATTACKERS
Office 365 is the most popular and most used service in the world, with some 70 million users and growing. An analysis of more than 20,000 cloud-based services found that 58.4% of sensitive data in the cloud is stored in Microsoft Office documents.
OFFICE 365 DATA UNDER SIEGE
71.4% of organisations have at least one compromised account
57.1% of organisations have at least one insider threat
45.9% of organisations have at least one privileged user threat
ATTACKERS ARE WALKING IN YOUR FRONT DOOR WITH LEGITIMATE CREDENTIALS.
One of the most common attack vectors putting your Office 365 at risk is stolen credentials. The Skyhigh Networks study reports that more than three quarters of Office 365 environments experienced at least one compromised account each month, and the 2017 Verizon Data Breach Investigations Report says that 81 percent of attacks on organisations leveraged weak, default, or stolen credentials.
NEARLY HALF OF ASSETS ARE AT RISK
Organisations and analysts alike have recognized for some time that the password alone is no longer effective at protecting resources. Nevertheless, a survey by Wakefield Research that SecureAuth recently commissioned found that, on average, companies are protecting only 56% of their assets with either 2FA or MFA. That means nearly half of assets are protected only by passwords, or by nothing at all!
TWO-FACTOR: BETTER THAN PASSWORDS, BUT NOT NEARLY GOOD ENOUGH
Adding a second authentication factor is a good start, but two-factor authentication (2FA) is not as secure as many organisations think.
HOW ATTACKERS ARE GETTING AROUND THE MOST POPULAR METHODS OF 2FA
| 2FA METHOD | WHY IT’S NOT SECURE |
|---|---|
| OTP via SMS | Attackers have compromised SMS multiple times, and the National Institute of Standards and Technology (NIST) no longer recommends 2FA with SMS. |
| Push-to-accept | Users have become conditioned to routinely accept without being in an authentication process, simply to remove the notification from their screen. |
| | Answers can be guessed or easily obtained through social media, even if you’re using credit bureau or LexisNexis services. |
| Hard tokens | Well-documented cases exist where hardware tokens have been compromised in numerous ways. |
2FA IS DISRUPTIVE
People don’t like having to carry hard tokens and may not have them available when they need them (and of course they are expensive for the organisation as well). Soft tokens are a bit more convenient — unless your phone is unavailable. Users can even get themselves locked out trying to remember their security answer. As a result, legitimate logons get blocked, and your vital business operations suffer. Even when users aren’t denied access, constantly having to provide a second factor hurts their productivity.
DETECT AND BLOCK ATTACKERS WITH ADAPTIVE ACCESS CONTROL – ADAPTIVE AUTHENTICATION: MORE SECURE THAN TWO-FACTOR ALONE
- Threat Service — IP reputation data (blacklists of IP addresses) can be used to deny or step up authentication. For example, your organisation might choose to deny authentication if the IP address of a user’s machine is part of the Tor anonymity network or a known botnet, or an IP/subnet associated with known bad actors such as cyber-criminals, hacktivists, or particular nation states.
- Phone Number Fraud Prevention — Attackers often impersonate a legitimate user’s phone number in an attempt to trick authentication safeguards and bypass phone-based authentication. SecureAuth can block access from phone numbers whose carriers are in countries where the organisation has no employees, partners, or customers. SecureAuth can also block by phone type (landline, VoIP, mobile, toll-free) and block numbers that have recently been ported.
- Geo-Location — If an access request is coming from a location where the organisation has no known employees, contractors, business partners, or customers, SecureAuth can deny the request or automatically step up to multi-factor authentication.
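The three checks above can be pictured as one policy function that returns allow, step-up or deny for each login attempt. The sketch below is an added example, not SecureAuth's product logic: the feed contents, country codes, field names and the choice of which check denies and which steps up are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample policy data: documentation IP ranges, example country codes.
THREAT_FEEDS = {
    "tor-exit": [ipaddress.ip_network("203.0.113.0/24")],
    "botnet": [ipaddress.ip_network("198.51.100.64/26")],
}
ALLOWED_COUNTRIES = {"GB", "US"}             # where the organisation has people
BLOCKED_PHONE_TYPES = {"voip", "toll-free"}  # assumed policy choice
SEVERITY = {"allow": 0, "step_up": 1, "deny": 2}

@dataclass
class LoginAttempt:
    source_ip: str
    ip_country: str        # from a geo-IP lookup done upstream
    phone_country: str     # carrier country of the registered phone
    phone_type: str        # landline | voip | mobile | toll-free
    recently_ported: bool

def evaluate(attempt: LoginAttempt):
    """Return (decision, reasons); the strictest triggered check wins."""
    findings = []
    try:
        ip = ipaddress.ip_address(attempt.source_ip)
    except ValueError:
        return "deny", ["unparseable source IP"]   # fail closed
    for feed, networks in THREAT_FEEDS.items():
        if any(ip in net for net in networks):
            findings.append(("deny", f"source IP listed in {feed} feed"))
    if attempt.ip_country not in ALLOWED_COUNTRIES:
        findings.append(("step_up", f"unexpected location {attempt.ip_country}"))
    if attempt.phone_country not in ALLOWED_COUNTRIES:
        findings.append(("deny", f"phone carrier country {attempt.phone_country}"))
    if attempt.phone_type in BLOCKED_PHONE_TYPES:
        findings.append(("deny", f"phone type {attempt.phone_type}"))
    if attempt.recently_ported:
        findings.append(("deny", "phone number recently ported"))
    decision = max((d for d, _ in findings), key=SEVERITY.get, default="allow")
    return decision, [why for _, why in findings]

if __name__ == "__main__":
    samples = [  # constructed attempts
        LoginAttempt("192.0.2.10", "GB", "GB", "mobile", False),
        LoginAttempt("192.0.2.10", "BR", "GB", "mobile", False),
        LoginAttempt("203.0.113.7", "GB", "GB", "mobile", True),
    ]
    for s in samples:
        print(s.source_ip, s.ip_country, *evaluate(s))
```

Returning the reasons alongside the decision gives the authentication log a record of why each attempt was challenged or blocked.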
DELIVER A SEAMLESS USER EXPERIENCE
What’s more, SecureAuth’s strong adaptive authentication actually streamlines the user experience. When a user attempts to authenticate, the solution evaluates the risk of that attempt based on the set of factors you choose. Most authentication attempts will be legitimate, and they will be approved without the user even being aware that the risk checks took place.
REDUCE SECURITY RISK IN USING LEGACY OFFICE 365 CLIENTS
In addition to providing the most comprehensive protection for browser access to Office 365 covered above, SecureAuth also provides adaptive security for all Office 365 clients – including legacy Microsoft Outlook and third-party clients, such as Apple Mail. Although recently released Office 365 clients support Multi-Factor Authentication and Adaptive Authentication, organisations whose users access Office 365 via older Outlook or third-party clients remain at high risk. Most older Office 365 clients support only username and password authentication, and even the popular two-factor methods behind newer clients have been proven to have significant flaws.
Adaptive MFA means you can dispense with passwords altogether, and thereby eliminate the possibility of passwords being stolen and used by attackers. SecureAuth’s recent survey reports that 83% of IT decision makers predict that their organisations will be passwordless within five years.
With SecureAuth, you can be ahead of the curve, enjoying the security of dozens of risk checks whilst silently streamlining the workflows of your legitimate users.
In addition to the security and convenience of adaptive MFA, SecureAuth offers Single Sign-on (SSO), so users can authenticate just once to gain access to multiple systems. Behind the scenes, SecureAuth will continue watching and will challenge or block the user if risk factors emerge that suggest something is amiss. SecureAuth also provides self-service options that enable users to enrol their devices, reset their own passwords, unlock their own accounts, and update their personal information, which can dramatically improve user satisfaction and productivity while slashing your helpdesk workload.
To protect the increasing amounts of valuable and sensitive data you store in Office 365, you need adaptive multi-factor authentication. With SecureAuth, you get both strong security and a seamless user experience.