Majority of Microsoft 365 Admins Have Not Enabled Multi-Factor Authentication

A new report published by CoreView has revealed that the majority of Microsoft 365 admins have not enabled multi-factor authentication (MFA) to protect their accounts from unauthorized remote access and are failing to implement other basic security practices. According to the study, 78% of Microsoft 365 administrators have not activated MFA, and 97% of Microsoft 365 users are not using MFA.

“This is a huge security risk – particularly during a time where the majority of employees are remote – that IT departments must acknowledge and address in order to effectively deter cyberattacks and strengthen their organization’s security posture,” explained the researchers.

The SANS Institute says 99% of data breaches can be prevented by using MFA, and Microsoft stated in an August 2020 blog post that MFA is the single most important measure for preventing unauthorized account access, claiming that 99.9% of account breaches can be prevented by using it.

The CoreView study also revealed that 1% of Microsoft 365 admins do not use strong passwords, even though attackers routinely crack weak passwords with automated brute force attacks. Even when strong passwords are used, there is no guarantee that a breach will be prevented: a strong password offers no protection if a user falls for a phishing scam. If a password is stolen, MFA should prevent that password alone from being used to gain access to the account.

The CoreView M365 Application Security, Data Governance and Shadow IT Report revealed that Microsoft 365 administrators are given excessive control and have access to a treasure trove of sensitive information. 57% of Microsoft 365 admins were found to have excessive permissions to access, modify, and share business-critical data. Further, 36% of Microsoft 365 administrators are global admins, giving them full control over their organization's entire Microsoft 365 environment, and 17% of Microsoft 365 admins are also Exchange admins with access to the email accounts of the entire organization, including C-suite accounts. Should a Microsoft 365 admin account be compromised, attackers would have access to the entire Microsoft 365 environment and huge volumes of sensitive data. Not only does the Microsoft 365 environment contain a large amount of easily monetized data, admin accounts are also linked to other systems and could be used for a much broader attack on the organization.
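The two findings above (admins without MFA, and the share of admins holding Global Administrator) are things a tenant owner can measure directly. The following audit script is an added example, not code from CoreView or from the article: it uses the Microsoft Graph PowerShell SDK to enumerate every activated directory role, list the user members of each, and check whether each user has registered an authentication method that can serve as a second factor. It assumes the Microsoft.Graph modules are installed and that the signed-in account can consent to the read-only scopes requested; the list of method types counted as a second factor is the author's own assumption based on the Graph authentication method types.

```powershell
# Added example (not from the CoreView report or the article): audit privileged
# Microsoft 365 accounts for MFA registration with the Microsoft Graph PowerShell SDK.
# Assumes: Install-Module Microsoft.Graph has been run, and the signed-in account
# can consent to the read-only scopes below.
Connect-MgGraph -Scopes 'Directory.Read.All', 'UserAuthenticationMethod.Read.All'

# Graph method types treated here as a usable second factor (assumption).
# Password is the first factor; email is used for self-service password reset only.
$secondFactorTypes = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)

# Get-MgDirectoryRole returns only roles that have been activated in the tenant,
# which is exactly the set that has members.
$results = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Role members may also be groups or service principals; only users register methods.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $methods    = Get-MgUserAuthenticationMethod -UserId $member.Id
        $registered = @($methods | Where-Object {
            $_.AdditionalProperties['@odata.type'] -in $secondFactorTypes
        })

        [pscustomobject]@{
            Role              = $role.DisplayName
            UserPrincipalName = $member.AdditionalProperties['userPrincipalName']
            MfaRegistered     = ($registered.Count -gt 0)
            Methods           = ($registered | ForEach-Object {
                $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
            }) -join ','
        }
    }
}

# Admins with no registered second factor: the population the report puts at 78%.
$results |
    Where-Object { -not $_.MfaRegistered } |
    Sort-Object Role, UserPrincipalName |
    Format-Table -AutoSize

# Share of admin accounts that hold Global Administrator (the report found 36%).
$adminUsers   = @($results | Select-Object -ExpandProperty UserPrincipalName -Unique)
$globalAdmins = @($results | Where-Object { $_.Role -eq 'Global Administrator' })
'{0} of {1} admin accounts are Global Administrators; {2} of those have no second factor registered' -f `
    $globalAdmins.Count, $adminUsers.Count,
    @($globalAdmins | Where-Object { -not $_.MfaRegistered }).Count
```

Two caveats when reading the output. Registration is not enforcement: a user who has registered an Authenticator app can still sign in with a password alone unless Security Defaults or a Conditional Access policy requires MFA for that sign-in, so the registration check should be paired with a review of those policies. And the script reports only permanent role assignments returned by the directory roles endpoint; eligible assignments managed through Privileged Identity Management are not listed until they are activated.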

The study also revealed companies have invested heavily in productivity and operations applications that empower employees to communicate, collaborate, and work more efficiently, but there has been a rise in shadow IT, especially SaaS applications. SaaS applications are often used by employees without the knowledge of the IT department. Many of those SaaS applications lack appropriate security and open the door to preventable cyberattacks.

“At a basic level, malicious apps can siphon off critical data. Users could also potentially be sharing sensitive company information through these apps to compromised parties, putting organizations at a substantial risk of a data breach,” explained CoreView in the report. “It’s vital that organizations properly monitor these apps for potential security gaps.”

Organizations that move to Microsoft 365 often underestimate their security and governance responsibilities, mistakenly believing that Microsoft 365 is secure by default and includes the necessary protections to prevent data breaches. While Microsoft 365 can be secure, organizations must be proactive and ensure that security is addressed, there is sufficient oversight of shadow IT, and proper data governance.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.