Data Privacy Trends To Expect In 2021

/in /by

In 2020, organizations faced some of the most drastic challenges to a business environment in the digital age. Companies were forced to quickly adapt, cultivate resiliency and creativity, beside focusing on meeting their customers’ expectations.

According to a study conducted by Gartner, just 12% of more than 1,500 respondents believe their businesses were prepared to face the disruption last year, but with tech adoption accelerating as a result, more businesses will turn to digital operations, products, and ecosystems to stay profitable and relevant.

Data privacy has become the #1 expectation for every consumer across the globe, growing into something more than a set of rules and regulations driven by compliance standards, but rather one of the main pillars of brand recognition and customer loyalty.

With digital adoption, more and more sensitive customer and business data are being generated, as a result, so the ramifications for data privacy can only rise.

The Context

The COVID-19 pandemic has had a major impact on data privacy and cybersecurity mainly because of the social distancing that has changed both our personal and professional lives.

One of the consequences of this pandemic was that more and more consumers opted out of in-person shopping, relying heavily on the digital marketplace. So, organizations will have everything to gain by ensuring proper data protection to maintain customer loyalty.

Nowadays, more healthcare data is being collected than before, in many cases by organizations who never have previously collected this type of information. Organizations are collecting health data to support public health outcomes, causing growing concerns in how this data is being used and hold.

More Privacy Laws

Most websites these days, and this is one of the first things you are likely to see when loading a website, will notify you about data cookies, aspects like how the website is collecting your data, what it intends to do with it, for how long your data is hold, etc. Also, you are given the option to accept or reject these data usage terms.

Those terms are a direct consequence of the EU’s General Data Protection Regulation (GDPR), which although drafted in the European Union, it imposes obligations to every organization in case it targets or collects data from people residing in EU countries.

So, expect far-reaching data privacy legislation like the GDPR and the California Consumer Privacy Act (CCPA) to come into force in more regions this year, responding to an ever-greater need of privacy protection.

Gartner data suggests that by 2023, 65% of the world’s population will have their personal data covered under some form of modern privacy regulation, up from 10% in 2020.

Data Privacy Automation

With new privacy laws coming into force, different legislation, and compliance procedures in different territories, will make it difficult for companies to keep track of which laws they must adhere to.

This has led developers to create software to automate data privacy. These can range from management platforms to handle privacy requests to filters and preference settings tools.

In 2021, we can only expect the trend of data privacy automation to become more widespread, with more software solutions being developed and more organizations purchasing automated data privacy and management solutions.

Better User Awareness

Cyber hygiene advocates have repeatedly highlighted how end users are often the weakest link in the chain allowing, either by accident or with intent, data security breaches at their organizations. This has further aggravated in 2020 as employees became familiar with the work-from-home processes.

Notorious cyberattacks such as the ones against SolarWinds and FireEye, also the Cambridge Analytica – Facebook scandal have brought the issue of data privacy to the public’s attention on a scale that has not been seen before.

Users are now actively concerned about how their data is being captured, how it is used and have even shown that they are willing to leave extremely popular platforms like WhatsApp if they feel their data is not safe.

Such data awareness is good for the user, but it could be bad for some organizations that are not transparent about which third parties are able to access sensitive data or refuse to give clients full control over what cookies they can enable.

Users are constantly discovering how much information is collected about them (spending habits, IPs, usernames, emails, etc.) how that data is used, and how cyberattacks put that information at risk.

More Data Security & Privacy Jobs

With the long-term changes brought on by the Covid-19 pandemic, along with new data privacy regulations, organizations will probably face several security challenges, driving the demand for cybersecurity talent even more.

The pandemic has changed the workplace, forcing companies to quickly adapt. The rush to support a remote workforce has led many organizations to take a leap of faith into the cloud and are now facing new security challenges having to support hybrid work environments.

Conclusion

While not all organizations are required to comply to certain data protection standards such as HIPAA, or data privacy laws like the CCPA, they should still follow data protection competencies as it is essential for them to build and maintain an environment of trust.

The Future of Cybersecurity

/in , /by

The massive SolarWinds breach made it crystal clear that the cybersecurity threat only gets worse with time because the tools are more sophisticated, and the stakes are higher.

NOTE! According to Forrester, businesses are taking cybersecurity more seriously as enterprises are predicted to spend $12.6B on cloud security tools only, by 2023, up from $5.6B in 2018. The global cybersecurity market is estimated to grow to $270B by 2026, up from $173B in 2020.

Here is what to expect for the future of cybersecurity in the next 3-5 years.

Deep Fakes & CEO Frauds

We already know that complex voice generators can trick security software used to verify identity. A slow but steady rise in audio deep fakes that are being used in subversive activities (like CEO frauds) have also been reported. Given enough material, AI programs can learn and generate convincing fake pictures and videos that can be used to compromise organizations or individuals.

Over the next three to five years, we can expect for this to expand to video deep fakes. These tampered videos can be extremely disruptive to organizations especially from a PR angle. For instance, imagine your CEO saying something controversial that might impact how your organization is perceived.

By the time you make public that the video is fake, the damage done to your company’s reputation could be irreversible.

Protection from these fraudulent attempts will require security software to embrace AI and Machine Learning to help analyze and identify what is real and prevent leaking what is fake before it becomes an external threat.

Supply Chain Attacks

In the SolarWinds breach, the attackers were able to compromise the update process of a widely used piece of software: the Orion Platform. This was a supply chain attack – a devastating type of cyber aggression. Basically, by compromising the vendor, hackers may get access to all the vendor’s customers.

Any software company is a potential target. When it comes to hackers, especially state actors, they have the resources and skill sets necessary to orchestrate supply chain attacks, being able to penetrate even the most resourceful organizations.

Cybersecurity vendors can fall victim to such complex attacks too. In the SolarWinds case, beside about 100 organizations and 9 government agencies, another targeted company was FireEye, one of the most popular cybersecurity vendors in the industry. FireEye representatives said the attackers did not get into customer-facing systems, as they only got access to penetration tools used for security testing. But the fact that a company like FireEye got hit is disturbing because if these vendors are potentially vulnerable, most likely every vendor is.

In November 2020, another leading cyber security company, Sophos, suffered a data breach that exposed private customer information.

NOTE! Last year, security vendor ImmuniWeb revealed that 97% of the world’s top 400 cybersecurity companies had data leaks or other security incidents exposed on the dark web – and that 91 companies had exploitable website security vulnerabilities.

Supply chain attacks do not represent a new method. In 2011, RSA Security admitted that its SecurID tokens were hacked, exposing some of their customers including aerospace, arms, defense, security, and advanced technologies company – Lockheed Martin.

5G Networks

5G networks will take connectivity to the next level by increasing workforce mobility, enabling more robust automation, improving existing applications and unlocking others.

However, 5G technology will introduce advances throughout the network architecture, allowing new capabilities, but also expanding the threat surface opening the door to cyber criminals attempting to infiltrate the network. It also challenges cybersecurity teams with the issue of having to quickly learn how to identify and mitigate threats faster and without impacting the latency or user experience.

More Regulatory Complexity

As businesses are becoming increasingly digitized and more innovations come to market, regulators are going to have to respond and try to understand the impact of these technology innovations on both customer and business sides, and this will likely be expressed as laws.

Preparing for these types of trends is therefore crucial to gaining an advantage over hackers.

Finally

While 2020 has proved that we cannot predict the future, there are, however, strategic areas where organizations need to start looking at and preparing defenses. Use these trends as starting point to create a cybersecurity plan to best protect your organization. If you are not sure where to start, contact us today for professional IT security services.

StratusPointIT Recognized on CRN’s 2021 Pioneer 250 List

/in /by
Read more

Cloud Overspend: Main Causes & Mitigation Solutions

/in /by

According to Gartner, spending on cloud system infrastructure services is expected to grow from $44 billion in 2019 to $63 billion in 2020, reaching $81 billion by 2022.

The cloud offers a level of flexibility that companies cannot get by using in-house servers. Scaling up and down is almost always easy. Also, as we saw this year with the massive shift to working from home, if things suddenly change in the workplace, you can easily adapt by allowing people to work from wherever they need to.

Cloud computing can also be deployed faster, it can happen in minutes instead of the long time you usually need to add physical servers.

Nonetheless, the biggest difference is the cost. Not having physical servers that need maintenance will allow you to save money. Also, you do not need someone on-site to manage and maintain them. With the cloud, all of that is taken care of by the service provider.

What leads to cloud overspend?

Let’s see how that happens and what you can do to prevent it.

The Multi-Cloud Approach

Mid-size companies are using an average of seven different cloud providers for the applications and services they use. The multi-cloud approach is not bad on its own, but there are some associated costs that add up. Everything from security mitigation to reporting must be done repeatedly over your various cloud providers which is time consuming and finding someone to manage your cloud stack will generate additional costs.

Cloud Provisioning

Some executives, rather than waiting until their businesses need more capacity, they order more than needed. This usually happens because when you are running physical servers, adding more server capacity takes time. You cannot just double or triple the number of servers you are working with one week, then scale back the next week. You must order everything few weeks in advance. When you come to the cloud with the same mindset, you end up with lots of unused resources that most likely never get used but cost you money.

The real issue here is not that you end up with stuff you do not actually need, but you also lose sight of all the hidden costs associated with these services. API calls, vendor lock-in, and even premium support packages can all add to your costs if you do not pay close attention to what you buy.

Cloud’s Not Cheap

Cloud can be cheap. The problem is that it is easy to lose track of how much you are spending and where. There are many aspects that take the cloud from a reasonable expense to a considerable expense, but you can get those costs under control with the right approach.

Mitigation Solutions

Reducing cloud overspend is not quite as easy as wasting all that money was in the first place, so the effort you put into eliminating it is significant.

Pay Per Use

Firstly, conduct an audit to determine your usage habits. By analyzing your usage, you will probably discover some areas where you are spending more than needed. Things to look for include whether you are using all the features in the plan you have purchased. It is one thing to have the pro-level software suite that a company offers, but if you are not actually using a large percentage of the tools they offer, you should just drop down to the next level. The same thing goes with storage. If you have a lot of unused cloud storage space, get rid of it. In case you suddenly need more, you will not be in trouble, adding cloud resources is easy.

Audit Regularly

When you are auditing your cloud usage, verify details like the software you are using, how many people are using each tool, and how many cloud resources you are consuming. This will establish if you have got unused software licenses, if you are paying for instances that are not being used, etc. All these are areas where you are likely to find overspend. The golden rule here is to keep auditing to make sure you are not overspending again. You cannot just do it once and consider the problem solved. Auditing is going to save you a lot of money, especially in the long-term.

Cloud Optimization

Optimization will always reduce spend. A lot of what you are going to find in terms of optimization will be aspects we have already discussed in this blog, but there are other, more technical aspects you can look at to lower your cloud spending, things like: workload modeling, workload automation, and rightsizing services.

The main goal is to get the cloud working as smoothly as possible and get rid of anything that is not configured, to maximize your organization’s benefit.

Partner with Experts

Businesspeople do not have the time nor the expertise to really manage cloud spend within their organization. Therefore, partnering with a team of cloud experts can help. Not only we can provide you with a reliable team of experts to help you manage your cloud, but we can do it cost-effectively. If you are ready to reduce cloud overspend and fully optimize your business, let’s talk. We love helping our customers use the benefits of top-notch technology without breaking the bank.

Business Email Compromise Attacks

/in , , /by

The Business Email Compromise (BEC) attack is an increasingly popular type of cyberattack because the success rate is quite high. A BEC attack impersonates a familiar person, such as a business partner or an employee, tricking the victim into buying gift cards or transferring expensive items to the hackers orchestrating the attack.

Gift cards have become a common way for cybercriminals to steal money as they do not require bank accounts, identification documents, etc. These cards can easily be sold online for at least 60% of their initial value. Gift card scams are particularly popular around the holiday seasons.

The Context

Like the traditional phishing campaigns, BEC attacks often take advantage of topics in the news. These days, one of the main topics is the novel coronavirus. According to Check Point researchers – their team collects and analyzes global cyberattack data, SARS-CoV-2 related cyberattacks jumped by more than 30% in May 2020 alone, many of which involved email scams.

The outcome?

Several government agencies and medical facilities looking to purchase equipment unknowingly transferred money to hackers, eventually have discovered that the requested equipment does not exist and that their money was gone.

Also, in 2019, a group of attackers infiltrated and monitored the Office 365 accounts of three financial organizations. After creating fake domains for these firms and for their partners, accounts, and banks, the criminals diverted certain emails to these fake domains. Using this type of “man-in-the-middle” approach, the group behind the attack managed to request and receive money transfers worth more than $1.2 million.

BEC campaigns typically use three different methods for impersonating legitimate email accounts:

Usually, the attackers spoof real email addresses, which can be done quite easily as the SMTP protocol offers no efficient way to validate the sender. Hackers either use dedicated or public SMTP servers to deploy emails with a spoofed address.

Secondly, the attackers register and send email from a domain name like that of the actual domain they intend to spoof. For example, the registered domain may be example.co in contrast to the legitimate domain name of example.com.

Thirdly, the attackers use phishing techniques to gain control of the email accounts of the people they want to impersonate. They can then send emails from the actual account for legitimacy which facilitates their success in requesting and receiving money.

Stopping BEC attacks

Firstly, train your staff regularly about modern fraud techniques like BEC. The best training is brief, frequent, and focused. Organizations need to constantly retrain and keep security awareness messages front and center through multiple channels, including newsletters, web pages, online lessons, webinars, or presentations.

Every time irreversible actions such as money transfers are initiated, details of the transaction must be verified through additional methods such as voice communication and must not exclusively rely on email correspondence.

Review the existing protocols, and separation of duties for financial operations. Add extra controls, if needed. Remember that separation of duties and other protections may be compromised by insider threats, therefore risk reviews may need to be rechecked as well.

Create new policies related to “out of band” transactions or urgent executive requests. An email from a fellow worker’s Gmail or Yahoo account should automatically raise a red flag to staff members, but they need to understand the latest techniques being deployed by hackers. You need authorized emergency procedures that are well understood by all team members.

Review and test your incident management and spam reporting systems. Also, test your staff with simulations of incident scenarios.

Protect your email traffic with a layer of advanced email security. Make sure the email security solution you use blocks sophisticated phishing attacks like BEC. Viable email protection solutions would prevent those attacks from reaching employee mailboxes.

Protect mobile and endpoint browsing with advanced cybersecurity solutions, which among others, prevent browsing phishing websites.

Check the full email address on any message and be alert to links that may contain misspellings of the real domain name.

Regularly monitor financial accounts for suspicious transactions.

Use two-factor authentication every time you attempt to login to key applications.

Do not provide login credentials or personal information in response to an email.

In case you or your team members have encountered any suspicious activity, please let us know here. We are ready to offer your organization the professional support that it needs.

Business Data Security And Remote Working

/in /by

Location flexibility is one of the benefits of telecommuting, but as remote working becomes standard practice, information security becomes more of a concern.

From employees using unsecured Wi-Fi networks to workers bringing their own unsecured devices, remote work has added additional levels of security related concerns for organizations and their data.

71% of business decision makers believe that the shift to remote working during the Covid-19 pandemic has raised the likelihood of a cyber-attack.

– According to new data released by independent polling company Censuswide.

Organization leaders and their employees need to accept mutual accountability in doing what they can to protect sensitive data.

To start, business leaders should allocate funds to educate employees in regard to data security and how everyone is responsible for protecting it. They also need to initiate certain practices and procedures that will strengthen data security within their organizations.

Remote workers must also prioritize data security education and best practices, then commit to those measures.

So, what can companies and their remote workers do to protect their data? Here are few aspects to consider.

Have a BYOD Policy in place

To avoid any unnecessary disputes and the costs associated with them, it is recommended to have a carefully drafted BYOD policy in place with employees. Not having a structured policy may create disputes over what data is what and it may also compromise intellectual property protection.

Endpoint Security

Installing an endpoint agent with the ability to perform data and malware protection will provide greater assurance into securing the endpoint especially if corporate data resides on the employee’s device.

Keep Passwords Strong | Use a Password Manager

Password protection is another fairly easy way to protect your organization’s data. Some people tend to underestimate the importance of password access, using the same password from device to device- account to account. Educating remote workers about password protection is crucial to securing sensitive data. Start with the basics of how to keep passwords strong and why it is so important to not use the same one over and over.

Another way for organizations and employees to alleviate this risk is by using a password manager that will allow users to randomly generate passwords and store them safely. This way, employees can focus on their daily tasks without needing to remember all their passwords for different accounts. Also, data will remain secure and uncompromised.

Plan for authentication and authorization

Act as if a breach is inevitable to further improve the security of your company. Multi-factor authentication (MFA), monitoring access controls, and creating strong passwords are important hacks that every smart company should know by now.

Many organizations are moving to two-factor authentication (2FA) for their data security management. This method confirms a user’s identity by first requiring a username and password, as well as another piece of information, whether it be an answer to a “secret question” or maybe a PIN sent to the user’s cell phone.

Having the right authorization levels is crucial. Especially for remote workers, having access only to the necessary applications and features is the best way to go. Companies must develop the habit of granting ‘least privilege’ access rights. This means giving only the minimum permissions required by an end user.

Watch out for phishing threats

Phishing threats that target remote workers are on the rise. Usual phishing strategies include getting employees to engage with suspicious content through what seems to be essential notifications. Phishing threats often include obvious errors such as bad grammar and spelling. Well-trained and aware remote workers will be able to spot these signals.

Consider running simulated phishing campaigns to test your employee’s awareness to potentially harmful emails, from who opened or clicked shady links to who entered credentials or submitted suspicious forms.

Therefore, it is important to develop a remote working culture that takes IT security best practices as a top priority. When it comes to cyber security, organizations should plan for every possibility and leave nothing to chance. Remote workers must be trained to avoid and report any suspicious activity.

GSuite becomes Google Workspace

/in , /by

Last month, Google has announced Workspace, the brand-new name for all their productivity apps such as Gmail, Drive, Docs, Keep, Sheets, Calendar, Slides, Meet, etc.

According to the company, Workspace isn’t just a new brand (a replacement for GSuite), it also offers a deeper integration between apps, helping users collaborate more efficiently, improving their experience while aligning their products to today’s business necessities.

Improved User Experience

One of Google’s strengths has always been smart integration between its various products and services, but now the organization is taking dozens of little steps towards making these integrations deeper, simpler, and making the collaboration process more natural, especially when working in teams from remote locations.

Today you have the possibility to preview a linked file without having to open a new tab, which means less time spent switching between apps and more time getting the work done.

Also, when you mention someone (by using @ in your document), a smart chip will show the person’s contact details, including for those outside your organization, providing context and even suggesting actions like adding that person to Contacts or reaching out via email, chat or video.

In the coming weeks, Google promises that users will be able to create and collaborate in a more dynamic way on a document with guests in a Chat room. This will make content sharing easier and will allow users to directly work together with those outside their organization.

Google prepares even more ambitious features, such as creating a document directly from Chat or starting a video call from within a presentation. Those features are expected to be launched in the coming months.

Pricing Changes

There are some changes to the pricing, too. Starting this month, the cheapest plan named Business Starter costs $6 per month/per user and it allows users to create business emails using their organization’s domain name, video meetings for 100 participants, and 30 GB of cloud storage per user.

The next pricing plan is Business Standard, which costs $12 per month/per user, and you will get video meetings for 150 participants plus recording capabilities, as well as 2 TB of cloud storage/user.

Business Plus will cost $18 per month/per user and you will get video meetings for 250 participants plus the benefits of recording and tracking attendance, 5TB of cloud storage/user, enhanced security, and management controls, including Vault and advanced endpoint management.

Eventually, if your organization needs more resources, you may contact Google for a customized Enterprise plan.

Final Thoughts

Google has made obvious improvements in user experience, app integration, product flexibility within the last ten years and promises to continue this process. It has also launched, rebranded, and merged so many products over the past couple of years it’s hard to keep track, so most likely, in the following years, we will see a stronger Google Workspace, a tougher competitor to Office/Microsoft 365.

IT Advisory Services: Getting More Than Just Good Advice

/in /by

All the buzz words are out there; virtual CIO (vCIO), IT Advisory Services, Technology Advisor, etc.  Yes, all the reasons why you should engage in such a service is important, but it should be more than just good advice.

Let’s explain the key aspects of an IT Advisory practice, and what it can do for you.  Then we should talk about the key differentiator between “talking about IT strategy” vs. “doing IT strategy”.

Key aspects of an IT Advisory practice:

Assists in aligning IT to your business objectives

  • Involves in strategy meetings with leadership/management
  • Comprehends short-term vs. long-term initiatives

Identifies and documents your infrastructure

  • Aligns technology with your business objectives
  • Hardware and service standardization, from workstations, networks, servers, backup solutions, and cloud services

Recommends process improvements, investments and savings based on your infrastructure and business objectives

  • Assists in developing your IT budget based on useful life of your current environment
  • IT governance policy and process, along with new technology recommendations

Recognizes vulnerabilities to achieve your business objectives

  • From compliance shortfalls to security vulnerabilities
  • Starting with identifying, then communicating, and finally prioritizing solutions

“Talking about IT strategy” vs. “Doing IT strategy”:

When a managed IT service provider tells you, they provide vCIO or IT Advisory services, ask them what their methodology is and do they have a platform to orchestrate the process. As was mentioned in a previous blog “MSP-Are You Getting More Than A HelpDesk”, also ask if the service is being delivered by a dedicated resource or an engineer who also resolves tickets, etc.

Too often IT providers market that they provide Virtual CIO (vCIO) services, but those services are being provided by an engineer who is also responsible for resolving tickets or installing hardware. When you ask about advisory services, ask if this service is delivered by dedicated individuals, or is it part of the responsibility of the engineering team.

Any IT provider selling IT Advisory services should have three key aspects to ensure it’s the right service for you.

  1. A dedicated team solely focused on the customer success and tasked with supporting and driving positive change in your business.
  2. A methodology geared around a strategic, business driven, technology consulting process to engage with customers. A methodology that is a value-add service to assist customers through an ever-changing technology landscape, from cloud migrations, to implementing proper security protocols.
  3. A platform to orchestrate the methodology, where the customer and advisor can share, document, communicate, and track decisions and agenda items in one portal.

It’s easy for someone to talk to you about IT strategy, and they will call it vCIO services, but you deserve more than just a conversation.  Engage with an IT provider that has a dedicated team that provides a proven methodology through a transparent process on driving success with their customers.

Contact StratusPointIT and ask about our STAR methodology, and see how we are “doing IT strategy”.

Office 365 Multi-Factor Authentication

/in /by

Multi-factor authentication (MFA) is commonly used to prevent a stranger from logging in, with or without a password. MFA improves the security of user logins.

With Office 365 MFA, users are required to allow a phone call, a text message, or enter an app-generated number on their smartphone after correctly entering their username and password. Only after this additional authentication factor has been verified the user can sign in.

Security Is Key

Using passwords alone is risky. If a single password is cracked, cyber criminals could have their way in your system, and you would probably not be alerted to their access. Enabling MFA for an Office 365 user ensures that if access occurs from an unusual location, from another device, or another Office client, etc. the user will be blocked until he/she provides additional verification.

Many users still have weak passwords, and it becomes difficult for management to mandate strong password management. By implementing Office365 MFA, it provides a layer of security to protect sensitive information.

NOTE: Based on studies conducted by Microsoft, an account is more than 99.9% less likely to be compromised if MFA is enabled.

Compliance Requirements

To date, the use of MFA to protect systems is not mandatory for every industry.

However, The Payment Card Industry Data Security Standard (PCI DSS) requires companies to use multi-factor authentication (MFA) to protect against breaches that could compromise payment card data.

Two-Factor Authentication (2FA) is a needed measure to comply with password restrictions in sectors such as finance, healthcare, defense, law enforcement, and government, among others. Let’s take a few examples:

The Healthcare Industry

The Health Insurance Portability and Accountability Act (HIPAA) does require organizations to confirm that users looking for access to electronic protected health information (ePHI) have the necessary authorization. Two-factor authentication addresses this HIPAA requirement, and multi-factor authentication takes it to the next level.

The Finance Industry

The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act includes The Safeguards Rule which is a directive designed to secure customer data with specific provisions to ensure that data is not accessed under false claims. Risk assessment and risk mitigation are integral to compliance with the Safeguards Rule.

An identity and access management (IAM) solution can proactively address provisions in The Safeguards Rule and improve GLBA compliance through role-based management, entitlement management (limits permissions and only access what is needed), and multi-factor authentication.

The Unites States Government

For several years, 2FA has been a requirement for accessing government websites. This action plan has also instructed the National Cyber Security Alliance (NCSA), a non-profit, public-private partnership, to partner with leading technology companies such as Google and Microsoft to promote the use of 2FA.

These public-private partnerships instituted by the US Government prove that MFA is a handy solution for mitigating security risks inherent to systems that use single password authentication protocols.

Microsoft Authenticator

Authenticator is Microsoft’s two-factor authentication app. Launched around four years ago the app simplifies the multi-factor authentication process. Basically, you log into an account and after entering the username and password you are asked to provide a code to ensure MFA.

The Authenticator generates a six-digit code every 30 seconds that you must enter to finalize the login process into your app or service.

It is extremely useful for quick sign-ins, it works cross-platform, and it is faster than email or SMS codes.

O365 Re-Authentication

When MFA is enabled, there are certain situations when O365 users must re-authenticate:

  • In case of password change;
  • In case the user signs in and out in Office clients;
  • In case users swap between Office 365 accounts;
  • In case administrators apply conditional policies to restrict the resource the user is trying to access.

MFA Can Combat Phishing Attacks

How? Basically, by making it harder for hackers to get into your system. With multi-factor authentication enabled, cyber criminals need to have initial access to even more information in order to perform a successful login (sometimes access to the victim’s phone, so not just the username and password).

Finally

MFA is a needed enhancement as more people use the entire Office 365 suite and save sensitive data in OneDrive and/or SharePoint. Protecting your data is crucial, and it seems that MFA’s importance and applicability will only grow over time.