In February of 2020, during a presentation at the annual RSA security conference, Microsoft noted that more than 1.2 million user accounts were hacked that January. While that is a significant number, it’s worth noting it’s a small fraction of the more than one billion active Microsoft users and 30 billion login events each day. Of those events, approximately 0.5% are unauthorized.
Microsoft notes that 99.9% of compromised accounts do not have one simple setting enabled: multi-factor authentication. More than one million accounts are compromised every month, and MFA was not enabled on most of them; that is cause for alarm.
More alarming yet is the security news that broke at the end of 2020. According to Microsoft, foreign hackers were covertly monitoring the email exchanges between the National Telecommunications and Information Administration and the U.S. Treasury Department. The hackers used the SolarWinds Orion monitoring platform and malicious code pushed during software updates to break into the network. While the report didn’t go into the specifics of how the information they captured was used, the news was enough to spur the tech giant to encourage users to protect apps and accounts with more stringent security measures.
There are several ways individuals can do more to protect their personal information (and lessen the likelihood of becoming a target):
Enable Multi-Factor Authentication
According to the U.S. Cybersecurity and Infrastructure Security Agency, multi-factor authentication (MFA) is the number one way users can secure their accounts against hacks, especially for those looking to bolster Outlook or Microsoft 365 security. With MFA—otherwise known as “two-step verification”—you’re essentially adding a second layer of protection to your account. For example, instead of signing in with just a single password, you sign in with a password and a verification code, which is sent to a second device or account that you control.
Microsoft believes that the vast majority of the January 2020 hacks could have been prevented if users had simply taken the time to set up two-step authentication. Despite this assertion, only 11% of enterprises use this technique, making their networks prime targets for hackers.
Use Different Passwords for Each Account
Creating and remembering a different password for each account may be a bit tedious, but it is crucial to protecting personal accounts and information. The burden can be eased in two ways. One is a password manager (such as LastPass or 1Password), which will generate, remember, and autofill complex passwords in your browser. The other is to switch from passwords to a memorable passphrase. As ZAG’s CTO Jim Hunton noted in a recent LinkedIn post, “A passphrase is both longer and easier to remember: Little-L3ague-Tryouts-SAturday@11 or S0apy-Sudsy_Carwash-$1995. Passphrases are easier to remember and more secure than passwords.”
Password replay is a hacking technique that turns a person’s affinity for specific passwords against them. Fraudsters look for repeated passwords on one or more systems and try them with the associated usernames. Password replay is particularly effective when people reuse the same combinations of numbers and phrases across multiple networks, such as their work and home devices. Analysts estimate that MFA, combined with password creativity, could prevent as many as 80% of unauthorized access events.
Only Access Systems Through Legitimate Apps
C|Net warns against accessing your accounts through insecure sources, such as websites on unsecured networks and outdated apps. Ideally, when you access your Microsoft 365 account, do so only through the Microsoft app. When you download Outlook, get it from your app store or directly from the Microsoft website; do not trust downloads from third parties. Finally, routinely update your operating systems and your apps so that they carry the latest security features and the patches that have been issued for any vulnerabilities found.
Always Use Unique Passwords
Are you guilty of using “Password123” as one of your passwords? We sure hope not. Attackers keep lists of the most popular number and letter combinations on hand, which they often try first. They also keep track of the username and password combinations on any given system and then mix them until they gain entry. Both techniques fall into the broader category known as “password spray,” which happens to be highly successful (and was noted by Microsoft in the February RSA presentation mentioned above).
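Because a spray touches many accounts with only a try or two each, it hides from the classic “too many failures on one account” lockout rule. As an added illustration (not code from ZAG’s post), here is the detection logic a defender would run over sign-in logs instead: group failed sign-ins by source address and flag a source that hits many distinct accounts with few attempts per account inside a time window. The log lines, thresholds, and line format are all constructed for the example.

```python
"""Detect the password-spray shape in sign-in logs (added example, not from the post).

Constructed log format, one event per line:
    <ISO timestamp> <user> <source IP> <FAIL|SUCCESS>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.9 tries one password against seven accounts in a
# minute (a spray, one of which lands); 198.51.100.20 is a user mistyping twice.
SAMPLE_LOG = """\
2020-01-14T03:02:11 alice@example.com 203.0.113.9 FAIL
2020-01-14T03:02:15 bob@example.com 203.0.113.9 FAIL
2020-01-14T03:02:19 carol@example.com 203.0.113.9 FAIL
2020-01-14T03:02:24 dave@example.com 203.0.113.9 FAIL
2020-01-14T03:02:28 erin@example.com 203.0.113.9 FAIL
2020-01-14T03:02:33 frank@example.com 203.0.113.9 FAIL
2020-01-14T03:02:37 grace@example.com 203.0.113.9 SUCCESS
2020-01-14T08:15:02 alice@example.com 198.51.100.20 FAIL
2020-01-14T08:15:20 alice@example.com 198.51.100.20 FAIL
2020-01-14T08:15:41 alice@example.com 198.51.100.20 SUCCESS
2020-01-14T09:00:00 bob@example.com 192.0.2.77 SUCCESS
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def detect_spray(events, window=timedelta(minutes=60), min_users=5, max_per_user=2):
    """Return {ip: details} for sources whose failures match the spray shape.

    Spray shape: within `window`, at least `min_users` distinct accounts failed
    from the same source, and no single account failed more than `max_per_user`
    times (assumed thresholds; tune to your own baseline).
    """
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        by_ip[ip].append((ts, user, result))

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        # Slide a window starting at each event from this source.
        for i in range(len(evs)):
            start = evs[i][0]
            fails = defaultdict(int)
            successes = []
            for ts, user, result in evs[i:]:
                if ts - start > window:
                    break
                if result == "FAIL":
                    fails[user] += 1
                else:
                    successes.append(user)
            if len(fails) >= min_users and max(fails.values()) <= max_per_user:
                alerts[ip] = {
                    "targeted_users": len(fails),
                    "max_failures_per_user": max(fails.values()),
                    # Successes from a spraying source are the accounts to reset first.
                    "successes_in_window": sorted(set(successes)),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The per-account view (198.51.100.20) never trips the rule, which is the point: the signal lives in the fan-out across accounts, not in the count against any one of them. Real sprays are often spread across many source addresses, so the same grouping is also worth running by user-agent or by the password-failure reason code your identity provider reports.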
It’s also critically important to avoid using manufacturer-set username/password combinations, which are easy to look up online. For example, some video surveillance cameras that are set up and monitored over a network ship with these default credentials; if your organization leaves them unchanged, the entire network can be vulnerable.
Beware of Phishing
Finally, beware of phishing scams. Phishing scams are nothing new, but they are very successful because they appear so legitimate, especially in the case of spear phishing. Phishing occurs when fraudsters impersonate a company or person in an attempt to obtain someone’s personal information, such as a credit card number or password. For instance, you may receive an email from what appears to be Microsoft informing you that there’s been an access attempt from an unknown device. Do not click the provided link, as chances are it leads you to a malicious site.
The best way to avoid phishing scams is to know how to identify them. Most fraudulent emails contain urgent calls to action and frequent misspellings. For example, the sender’s domain might be “micr0softsupport.com” or “microsoft8.ru,” and the body will likely be poorly written, because the goal is to attract only the most gullible targets. The message may also contain a suspicious attachment, ask you to confirm identifying information, or arrive at an “off” time of day (early in the morning). Regardless, if anything seems “off,” delete the email and report it. Microsoft Outlook makes this easy by letting you report suspicious emails by clicking “Phish Alert,” which notifies your IT department or third-party managed services provider (MSP).
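The two sender domains above are the classic lookalike patterns: a digit swapped for a letter (“micr0soft”) and a trusted brand buried inside a different registered domain (“microsoft8.ru”). As an added illustration that is not part of the original post, here is a small classifier a mail filter could apply to the envelope sender: it undoes common digit-for-letter swaps, then compares the registered label against a trusted list by substring and edit distance. The trusted-domain list and the sample addresses are constructed for the example.

```python
"""Flag sender domains that imitate a trusted brand (added example, not from the post)."""

# Constructed allow-list of domains the organisation treats as genuine.
TRUSTED_DOMAINS = {"microsoft.com", "office.com", "outlook.com"}

# Digit-for-letter swaps phishers use to slip past a naive exact-match filter.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain after the last '@'; tolerates a display name and angle brackets."""
    return address.rsplit("@", 1)[-1].lower().strip("> ")


def registered_label(domain: str) -> str:
    """Second-level label, e.g. 'micr0softsupport' from 'micr0softsupport.com'.

    Simplification: ignores multi-part public suffixes such as '.co.uk'.
    """
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike', or 'unrelated' for the sender address."""
    domain = sender_domain(address)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    label = registered_label(domain).translate(LEET)
    for trusted in TRUSTED_DOMAINS:
        trusted_label = registered_label(trusted)
        # Brand embedded in the label ("microsoft8") or within two edits of it ("outlok").
        if trusted_label in label or levenshtein(label, trusted_label) <= 2:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample senders, including the two from the text above.
    for addr in ["support@micr0softsupport.com",
                 "Microsoft Account Team <alerts@microsoft8.ru>",
                 "noreply@microsoft.com",
                 "bob@example.org",
                 "news@outlok.com"]:
        print(f"{classify_sender(addr):10s} {addr}")
```

A “lookalike” verdict is a reason to quarantine or tag the message for review, not proof of fraud: a legitimate partner at a domain that happens to contain a brand word (think “backoffice.com”) would also trip the substring rule, so pair the check with the other signals the text lists, such as urgency and unexpected attachments.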
Invest in IT Security Consulting
Unfortunately, wherever there is technology there will be security risk – and the threats keep evolving at an ever-expanding rate. That’s why the best way to protect yourself, your employees, and your bottom line is to invest in IT security consulting and end-user training. Today’s IT departments face threats so complex that it can be challenging to ensure every protection is in place without an experienced IT vendor or managed services provider like ZAG to help.
Defend your data against cybercriminals — learn more today.