I just received an alert from my organization’s identity monitoring service stating that one of my employees’ Office 365 email credentials had been found on the Dark Web. We have all grown since the days when the prince of Nigeria emailed you requesting a transfer of $1000, asked you to provide your credentials, and you helped him out! But once you have provided all your personal information and your transfer is complete, it is probably prudent to change your password. So, in this case, we will help the employee change their password.
Why, you ask, are we not overly concerned about other security measures at this point? Because we happen to know they have one simple slider option (Security Defaults) turned on in their Office 365 tenant. This option helps prevent the account from being compromised by enforcing two REALLY impactful settings: it requires multi-factor authentication, and it blocks really old and insecure applications (legacy authentication) from accessing your Office 365 tenant.
For those of you who do not know what multi-factor authentication is: in addition to your password, it requires a code generated on your mobile phone, which provides an additional layer of security. That way, if your password is stolen, the “bad guy” would also need your phone. So now you know! One slider option removes most of the stress of having a password compromised. The slider is not foolproof, but it buys you time to go in and reset your password if it gets stolen. Microsoft’s telemetry tells us that 99.9% of organizational account compromises can be stopped simply by using multi-factor authentication, and that blocking old, insecure applications correlates with a 67% reduction in compromise risk.
So what are you waiting for?!
Well, while the slider is enabled with one click, it will most definitely impact end users. You will need two groups of people involved: your IT team and your end users. Here is what will need to be done before turning it on.
The IT team should verify that you are not using any legacy versions of the Office suite (anything below Office 2016) and that you do not have any outdated line-of-business applications or scanners that send email through your tenant. You will want to coordinate turning on multi-factor authentication with your end users by making sure everyone has a smartphone and has setup instructions ready for when it is enabled. With a basic plan, this can be enabled fairly painlessly and will immediately improve your organization’s security posture as it relates to your Office 365 tenant.
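The pre-check described above can be scripted. The following is an added example, not code from the original post or from Microsoft: it uses the Microsoft Graph PowerShell SDK to pull recent sign-in log entries, reports which users and applications still authenticate with anything other than a modern client (the legacy protocols that Security Defaults will block), and only flips the Security Defaults policy on when you pass `-Enable`. The function name `Invoke-SecurityDefaultsPrecheck`, the `-Days` and `-Enable` parameters, and the list of Graph permission scopes are assumptions made for this example; the cmdlets `Connect-MgGraph`, `Get-MgAuditLogSignIn`, `Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy` and `Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy` are from the Microsoft.Graph modules, and you should confirm the exact scope names against the current Graph documentation before running it.

```powershell
# Added example (not from the original post): report legacy-authentication sign-ins,
# then optionally enable Security Defaults once the report comes back clean.
# Assumes the Microsoft.Graph.Reports and Microsoft.Graph.Identity.SignIns modules
# are installed (Install-Module Microsoft.Graph) and that the signed-in admin can
# consent to the scopes below (scope names are an assumption; verify in the docs).
function Invoke-SecurityDefaultsPrecheck {
    param(
        [int]$Days = 30,      # look-back window; the free tier keeps ~7 days of sign-in logs
        [switch]$Enable       # report-only unless explicitly asked to enable
    )

    Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All",
                            "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

    # Only these two clientAppUsed values represent modern authentication.
    # Everything else (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync,
    # Exchange Web Services, "Other clients", ...) is legacy and will be blocked.
    $modernClients = @("Browser", "Mobile Apps and Desktop clients")

    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
    $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

    # Keep only successful legacy sign-ins: a failed legacy attempt is usually an
    # attacker spraying passwords, not an application you need to migrate.
    $legacy = $signIns | Where-Object {
        $_.ClientAppUsed -notin $modernClients -and $_.Status.ErrorCode -eq 0
    }

    if ($legacy) {
        Write-Host "Successful legacy-auth sign-ins in the last $Days days (these break when Security Defaults is enabled):"
        $legacy |
            Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
            Sort-Object Count -Descending |
            Select-Object Count, Name |
            Format-Table -AutoSize
    }
    else {
        Write-Host "No successful legacy-auth sign-ins found in the last $Days days."
    }

    $policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    Write-Host "Security Defaults currently enabled: $($policy.IsEnabled)"

    if ($Enable -and -not $policy.IsEnabled) {
        if ($legacy) {
            # Refuse to enable while legacy clients are still in use; fix them first.
            Write-Warning "Legacy clients are still signing in. Migrate or replace them, then re-run with -Enable."
            return
        }
        Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled $true
        Write-Host "Security Defaults enabled. Users will be asked to register for MFA at their next sign-in."
    }
}

# Report only (safe to run any time):
Invoke-SecurityDefaultsPrecheck -Days 30

# After the report is clean and users have their setup instructions:
# Invoke-SecurityDefaultsPrecheck -Days 30 -Enable
```

Run it in report mode first and hand the table of users, client types and application names to whoever owns those scanners or line-of-business apps; each row is something that will stop working the moment the slider goes on. Two caveats: sign-in log retention depends on your licence, so a short look-back can miss a scanner that only emails once a month, and Security Defaults cannot be enabled in a tenant that already has Conditional Access policies, where you would express the same two controls (require MFA, block legacy authentication) as Conditional Access policies instead.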
*Bonus Tip: If your email password is compromised, this will not protect you from a “bad guy” accessing other services where you have used the same password. It is best practice to use a password manager so that each website you use can have a completely different, complex password.