Most Microsoft 365 Admins Have Not Set Up Multi-Factor Authentication

Nov 3, 2020 | Compliance News

CoreView has published a new report revealing that many Microsoft 365 admins have not activated multi-factor authentication (MFA) to protect their accounts from suspicious remote access and are unable to implement other fundamental security procedures. According to the report, 78% of Microsoft 365 administrators have yet to activate multi-factor authentication, while 97% of Microsoft 365 users aren’t using MFA.

This is a major security risk, particularly when almost all workers are remote. IT departments should recognize this problem and correct it in order to stop cyberattacks and strengthen their organization’s security posture.

The SANS Institute states that 99% of data breaches are preventable by using MFA, while Microsoft said in an August 2020 blog post that MFA is the one most important measure to implement to stop unauthorized account access, explaining that 99.9% of account breaches could be avoided by using MFA.

The CoreView study also showed that 1% of Microsoft 365 administrators do not use strong passwords, even though hackers are adept at cracking passwords with automated brute force attacks. Even with strong passwords, there is no guarantee that a breach will be prevented. A strong password provides no protection if a user falls victim to a phishing scam. When passwords are stolen, MFA provides protection and should keep those passwords from being used to gain access to accounts.

The CoreView M365 Application Security, Data Governance, and Shadow IT Report pointed out that Microsoft 365 administrators are given extreme control and have access to valuable sensitive information. 57% of Microsoft 365 admins were found to have substantial permissions to access, alter, and expose business-critical data. In addition, 36% of Microsoft 365 administrators are global administrators, who have total control over their organization’s Microsoft 365 environment. 17% of Microsoft 365 admins are also Exchange admins and have access to the entire company’s email accounts, including C-suite accounts. If Microsoft 365 admin accounts are compromised, attackers can access the whole Microsoft 365 environment along with the large volumes of sensitive information it holds. The Microsoft 365 environment does not just contain a large amount of easily monetized data; the accounts are also connected to other systems and can be used for a much larger attack on the company.

The study also showed that firms have invested heavily in productivity and operations applications that allow employees to communicate, collaborate, and work more efficiently, yet there has been a surge in shadow IT, specifically SaaS applications. SaaS applications are frequently used by employees without the IT department’s knowledge. Many of those SaaS apps lack suitable security and allow preventable cyberattacks to occur.

At a basic level, malicious applications can siphon off critical information. Users may also be sharing sensitive company data through these applications with compromised parties, putting organizations in considerable danger of a data breach. It is crucial that companies adequately monitor these applications for possible security gaps.

Businesses that use Microsoft 365 usually take their security and governance responsibilities too lightly, mistakenly believing that Microsoft 365 is secure by default and has the protections needed to stop data breaches. Although Microsoft 365 can be secured, businesses need to be proactive and make sure that security is addressed, that there is sufficient oversight of shadow IT, and that appropriate data governance is in place.
