MFA: why you need additional Cyber Security defence  

Published: 14 March 2024

When it comes to MFA (Multi-Factor Authentication), we hear it all the time…

“We don’t need any other Cyber Security products, that’s what MFA does for us” 

Unfortunately, this is just one step on the Cyber Security journey. Don’t get us wrong, having MFA is a superb start: it enhances the security of your business by adding a second layer of protection on top of a user’s credentials. Sadly, though, it does not make you immune to all cyber threats. These threats need to be tackled with a multi-layered approach; no single measure can provide absolute security for your business.

Here are some areas MFA cannot always protect you from:

  • Phishing Attacks

Whilst MFA limits what an attacker can do with a stolen password on its own, it cannot prevent users from falling victim to a targeted phishing attack. All it takes is for an attacker to manipulate a user into handing over both their password and the second factor, whether by asking for the one-time code on a fake login page, relaying it through a proxy site in real time, or simply sending push prompts until a tired user taps “approve”, and they are in. Only phishing-resistant methods such as FIDO2 security keys and passkeys are designed to withstand this, and even those still need the other layers described below.

  • Device Security 

If a company-owned device is compromised, MFA offers little protection. An attacker only needs to gain control of a device that already holds an active, authenticated session: the session tokens or cookies the browser or app stores were issued after the MFA check passed, so the attacker can reuse them to get into your accounts without ever seeing a prompt.

  • App Specific Risks 

An attacker may exploit a vulnerability in an application that the developer has not yet patched, bypassing the login altogether. They may also target services that do not use MFA at all, for example legacy mail protocols, service accounts or API keys that authenticate with a single secret, rather than attacking the authentication process itself.

So, what actions can you take to protect your business in addition to MFA? 

  • User Education 

Employee education and awareness are critical. Communicate clearly across your organisation that responsibility for Cyber Security rests with everyone, and set out agreed practices so people know what to do. Educating users about the risks of phishing, social engineering and other common threats strengthens vigilance. Human error remains a massive challenge for businesses, because attackers will always seek to prey on human weaknesses. Well-trained users are more likely to recognise a threat and respond to it in the way agreed across the whole business, such as reporting an unexpected MFA prompt rather than approving it.

  • Monitoring and Incident Response

Implement monitoring tools that detect unusual or suspicious activity in your Microsoft 365 subscription, such as sign-ins from unexpected locations, bursts of denied MFA prompts, or successful logins over protocols that never ask for a second factor. It is also good practice to have a documented incident response plan so the whole organisation can respond quickly to security incidents. The sooner you can spot and deal with a threat, the less damage it can cause.
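To make “unusual or suspicious activity” concrete, here is an added example (our illustration, not code from the original post or from Microsoft) that runs two detections over a handful of constructed sign-in records in the style of Microsoft 365 sign-in logs: a burst of denied MFA prompts followed by an approval, which is the push-fatigue pattern from the phishing section above, and a successful single-factor sign-in over a legacy mail protocol, which is the “service that does not use MFA” case from the app-specific section. The field names (time, user, ip, client, auth_requirement, result), the legacy client list and the sample events are assumptions constructed for the example, not the real log schema, so map them to your actual export before relying on it.

```python
"""Added example (not from the original post): two simple detections run over
constructed Microsoft 365-style sign-in records.

The record fields (time, user, ip, client, auth_requirement, result) are an
assumed, simplified shape, not the exact Entra ID sign-in log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(time, user, ip, client, auth_requirement, result):
    """Build one constructed sign-in record (assumed field names)."""
    return {"time": datetime.fromisoformat(time), "user": user, "ip": ip,
            "client": client, "auth_requirement": auth_requirement,
            "result": result}


# Constructed sample data, not real logs.
SAMPLE_EVENTS = [
    # Normal user: one MFA-backed browser sign-in.
    ev("2024-03-14T08:00:05", "alice@example.com", "203.0.113.10", "Browser",
       "multiFactorAuthentication", "success"),
    # Push fatigue: after five denials at 02:10-02:14 the user finally approves.
    ev("2024-03-14T02:15:30", "bob@example.com", "198.51.100.7", "Browser",
       "multiFactorAuthentication", "success"),
    # Legacy protocol: IMAP accepted the password alone, so MFA never ran.
    ev("2024-03-14T03:00:00", "carol@example.com", "192.0.2.44", "IMAP4",
       "singleFactorAuthentication", "success"),
    # A single stray denial is normal and must not alert.
    ev("2024-03-14T09:30:00", "dave@example.com", "203.0.113.20", "Browser",
       "multiFactorAuthentication", "mfa_denied"),
] + [
    # The five denied prompts the attacker pushed at bob, one per minute.
    ev(f"2024-03-14T02:1{m}:00", "bob@example.com", "198.51.100.7", "Browser",
       "multiFactorAuthentication", "mfa_denied")
    for m in range(5)
]

# Client types that authenticate with a password only (assumed list, modelled
# on the legacy protocols Microsoft 365 can still accept when not blocked).
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP",
                  "Exchange ActiveSync", "Other clients"}


def find_mfa_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Flag users with `threshold` or more denied MFA prompts inside `window`.

    Repeated denials mean someone already holds the password and is spamming
    prompts. The alert also records whether a success from the same IP followed
    within the window, i.e. whether the user eventually gave in and approved.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        denials = [e for e in evs if e["result"] == "mfa_denied"]
        for i, first in enumerate(denials):
            start = first["time"]
            burst = [d for d in denials[i:] if d["time"] - start <= window]
            if len(burst) < threshold:
                continue
            approved = any(
                e["result"] == "success" and e["ip"] == first["ip"]
                and burst[-1]["time"] <= e["time"] <= start + window
                for e in evs
            )
            alerts.append({"user": user, "ip": first["ip"],
                           "denials": len(burst), "approved_after": approved})
            break  # one alert per user per run is enough
    return alerts


def find_legacy_auth_signins(events):
    """Flag successful sign-ins where only a password was checked over a legacy
    client; these never touched MFA, however well it is configured."""
    return [e for e in events
            if e["result"] == "success"
            and e["auth_requirement"] == "singleFactorAuthentication"
            and e["client"] in LEGACY_CLIENTS]


def run_detections(events):
    """Run both detections and return their hits keyed by detection name."""
    return {"mfa_fatigue": find_mfa_fatigue(events),
            "legacy_auth": find_legacy_auth_signins(events)}


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_EVENTS).items():
        print(name, hits)
```

On the constructed data the first detection raises one alert for bob (five denials, then an approval from the same address), and the second flags carol’s IMAP sign-in; alice and dave produce nothing. The window and threshold are the knobs to tune against your own baseline of genuine mis-taps.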

  • Regular Security Audits

Reviewing and auditing your security configuration regularly is another key action you can take to limit the threats. Include Role Based Access Control (RBAC) and least-privilege assignments in that review to ensure they still align with best practice: check who holds administrative roles, remove rights that are no longer needed, and confirm that every privileged account is actually enforcing MFA rather than merely being eligible for it.

Summary

This blog isn’t a criticism of your faith in MFA: it is a valuable tool to have in your Cyber Security set-up and does provide a good layer of protection. However, on its own, it is not enough. We do advise using MFA as part of your security, but we would recommend looking at what else you can do to further protect yourself, your employees and your clients. To chat further about your Cyber Security setup, and where you can strengthen your defence, get in touch with our Cyber Security team.
