Monday, 18 March 2019

Office 365 Popularity Grows…as does its potential vulnerability

The introduction of Office 365 vastly improved the user experience and arguably the affordability of these critical software apps.

Since its introduction, Microsoft’s Office suite products have clearly been the tools of choice for most of the world’s businesses - most of us using at least one of the applications on a daily basis.

The introduction of the online subscription version – called Office 365 – vastly improved the user experience and arguably the affordability of these critical software apps. Office 365 allows businesses to work more efficiently in terms of an increasingly mobile workforce and the demand for effective team collaboration.

It’s a rightly popular, brilliant, piece of software that we highly recommend but the rise of adoption appears to be in line with that of security compromise according to a recent report published by the National Cyber Security Centre (NCSC).

There are many ways in which a user’s Office 365 account could be compromised. The most common by far is receipt of an email that looks perfectly legitimate asking the user to log into their account for a variety of seemingly plausible reasons. They are then directed to a site that looks just like the genuine Office 365 portal and happily enter their email address and, crucially, their password.

And that’s it, job done for the bad guys without the user even being alerted to the consequences…yet.

What happens next varies. The NCSC report states they have confirmation of the following;

Impersonation -
• “Impersonation of the compromised Office 365 account owner to manipulate the movement of money or to gain access to information within an organisation;”

Theft - 
• “Steal sensitive commercial information from the compromised account either to leak publicly causing reputational damage to a company, or to sell;”

Phishing -
• “Use of the compromised Office 365 account to distribute spear phishing emails, prompting recipients to give up user credentials and allowing the actor access to further Office 365 credentials within the victim organisation and its supply chain;”

Springboard -
• “Use of the compromised Office 365 account credentials to try and access the accounts of the individual on social media or other places where they might find sensitive information that the actor can use or sell;”

Spying -
• “Set up forwarding rules so that the compromised Office 365 account covertly sends copies of incoming emails to the actor’s email account.”

Those are just a few examples and it almost goes without saying what the financial and reputational costs to an organisation could be. In a word – HUGE!

The NCSC’s recommended solution to prevent the likelihood of this complex issue is pretty simple, though.

And, in some cases, free!

They strongly suggest that all users of Office 365 should employ Multi-Factor Authentication (MFA) or Two Factor Authentication (2FA) technologies as part of their security measures.

What are they and why?

“One of the most important steps an organisation can take to reduce the risk of Office 365 account compromise via brute force attacks or spear phishing is the implementation of Multi-Factor Authentication (MFA) across the Office 365 platform.

As users tend to re-use passwords across online and enterprise services, MFA reduces the potential of password compromise through adding another layer of security.

MFA works by requiring two or more of the following authentication methods:

• Something you know (typically a password);
• Something you have (a trusted device such as a mobile phone);
• Something you are (biometrics);”

Simply put, the addition of another layer of access reduces the risk greatly. Everyone already has a password, but it’s well known that these can easily be guessed/subject to a brute force attack.

Adding a second layer (2FA) would mean that the user must confirm a code sent to a trusted mobile device via text or an automated call. Most of us already use systems like this when accessing our personal bank accounts, for example. And we fully understand why.

MFA adds another layer still – this could be a fingerprint scan. Again, already available to an increasing number of mobile devices and it takes just seconds to employ.

The full report can be downloaded and read HERE.

The Security Team at Grant McGregor also recommend the adoption of at least one additional layer of security to your Office 365 accounts and have a variety of options regarding the deployment of the 2FA feature. Some involve a monthly subscription fee, some are free after a modest set-up cost.

Either way, finding out more about security and your options costs nothing…

For more information, help or advice, please contact the Grant McGregor team on 0808 164 4142 or we can contact you if you leave us your details.