Thoughts, Experiences, and Stories From the Field by the Experts at PYA
Over the last year, we’ve all learned a new term, “social distancing.” The reason for social distancing is to avoid getting sick, or if you have been exposed, not to infect others. In my role as Chief Information Officer, I’ve been thinking a lot lately about the phrase “not to infect others” in light of recent ransomware attacks.
For example, the rise in working remotely means more companies are using Office 365 (O365) and Microsoft Teams. The rapid growth of these platforms raises the question: Has security been addressed appropriately, or even at all? Was it overlooked in the frenzy to find a platform that would allow everyone to collaborate?
At a conference in late February 2020, Security Expert Alex Weinert stated that only 11% of O365 accounts are protected by two-factor authentication (2fa). That is 11% of over 200 million accounts (Jan 2020 numbers). He also stated that of the 1.2 million O365 accounts that were breached in January 2020, over 99.9% of those accounts were NOT using 2fa.
Over the last three years, PYA has seen more than 75 attempted phishing attacks originating from the sender’s own O365 account. These companies are clients, vendors, or firms that our employees are associated with in some personal or professional manner. Most are not small companies. I have spoken with many of these companies several times because of repeated phishing events.
These are not the “go purchase gift cards for me” types of attacks we teach people to avoid. These are well-crafted emails from a known associate, with a link that looks like it is from O365. Emails like these are the ones that keep me up at night. But they could also be easily eliminated with 2fa.
Returning to the phrase “not to infect others”—why, as security and IT professionals, are we not protecting our people, the people they are associated with, and the data for which we are all responsible?
Will 2fa take some time and effort? Sure, but it’s not overly difficult. Will it involve some costs? Perhaps, but not nearly as much as a breach or reputational loss. Will it cause some inconvenience for users? Yes, some. However, most people are accustomed to it in their personal lives for online banking or other needs. The simple truth is: if you are not using 2fa, you are among the 89% of accounts that are most vulnerable to attack, and thus the most likely to infect someone else.
What happens if the person whose credentials get captured is on your IT Team or your CFO? Your IT teammates are human. They get tired and in a hurry, just like everyone else. What if the criminal does not send phishing emails, but decides to stick around in your network to see what he or she can learn, steal, or worse? Yes, it has happened.
If you are an IT professional and 2fa is not set up in your organization, now is the time to implement it. If you are an executive and your firm is not using it, it’s time to ask why not. The stakes are too high.
PYA can assist your organization with its cybersecurity and IT needs. With experienced CIO, CTO, and CISO professionals, our IT Risk Management team goes beyond checklists to analyze critical system and technology controls. Our comprehensive risk management program, Overwatch, addresses all elements of IT infrastructure, process assessments, data governance, and risk management. To learn more, contact a member of PYA’s IT Risk Management team at (800) 270-9629.