One of the easiest ways to better protect your networks and systems is by implementing multifactor authentication (MFA). This is the process of asking your team members to provide a second set of credentials to access your system. It’s one of the most basic things you can do to secure Office 365. Despite this fact, many companies opt not to use it. Why is that?
For some, it’s an added burden placed on the end-users. Ultimately, once users get the hang of it, it doesn’t take much longer than single-factor authentication. But getting used to the new process can be troublesome for many at first. For others, it can be difficult getting executive buy-in. After all, if the CEO doesn’t want to do something they consider an inconvenience every time they log in, they may rule against it. If CEOs see it as a mere annoyance, they may be hesitant to see it implemented company-wide.
These challenges don’t make it any less critical to implement.
Lack of MFA
For evidence of how a lack of MFA can damage an organization, look no further than the recent Colonial Pipeline cyber attack. The malicious actor exploited an outdated Virtual Machine that had - you guessed it - single-factor authentication. This didn’t just hurt the company - it led to a fuel shortage that affected a significant portion of the country. It’s not an overstatement to say that one organization’s lack of MFA usage nearly crippled the U.S. economy.
Let’s take a closer look at the steps you can undertake to deploy MFA within your organization and get full buy-in from both your leadership and your employees.
Step 1: Get Leadership Buy-In
For ANY IT initiative, you’ll want this to be your first step. If you’re going to make any change to the way your organization does business, you’ll want - and definitely need - to get your executives or board of directors to buy in on the decision. If leadership sees this as an inconvenience, it can kill your MFA efforts before they even get started. That’s why you’ll want to clearly explain to your leadership the value proposition of how MFA can help your company avoid losing money. Help them understand why this simple act can decrease the risk to your organization’s data security exponentially. MFA reduces the risk of potential identity theft by over 99.9% compared to simply using a password. Include your CEO and other leaders as champions during your planning process, either to look to them for guidance or just to keep them informed. Developing a short email or basic executive summary for your CEO might be valuable in giving them a quick explanation for why this is so important.
From there, you’ll want to evaluate your solutions for implementing MFA. Determine which platforms are easiest to use and are most compatible with your existing IT solutions and use those.
Step 2: Educate in Advance
When you make a big change, you don’t want it to come as a surprise to your staff. Educate them on why you’re making the change and what they’ll need to do well in advance of when you decide to deploy it.
Communication is critical here. Overcommunicate and be transparent when you do. Develop a short, simple email explaining why you’re doing this and what your users need to do. Keep this brief. Security may be a point of passion for you, but your teammates are busy people. The email should be less than 300 words with brief, bulleted lists. If you have a “how-to” video or another short video explaining MFA, this can be helpful to include as well.
Here are some facts you can use to persuade your teammates as to why this change is necessary:
- You can discuss the dangers of Business Email Compromise (BEC) scams, phishing, ransomware, and the damage that can be done via data loss.
- 1.2 million Microsoft Enterprise accounts are susceptible to being compromised every month, with 99.9% of those accounts not enabling MFA.
- As noted above, MFA can stop 99.9% of cyber attacks.
Additionally, give your users a clear timeline for the deployment. Tell them your company’s leadership and IT team will be first up for deployment, followed by test groups, culminating with the company-wide rollout.
Tools and Timeline
You’ll also want to demonstrate the tools they can or may use, such as:
- Microsoft Authenticator (Microsoft’s application built specifically to assist with authentication that’s easier to use and more secure than SMS-based authentication)
- Biometrics/FIDO keys (if needed) and how to use them.
Create a communication schedule to stay in touch with your teammates. Below is a sample timeline you can use to provide regular updates:
- 8 weeks to launch: Email explaining what, why, and when
- 4 weeks to launch: A follow-up email reminding them when and why
- 2 weeks to launch: Another follow-up reminding them when and steps they need to take to get ready
- 3 days to launch: One final reminder of when and what they should expect to happen
- Day of launch: Information on how to use MFA as well as training on why they should not authenticate when unsure of the source requestor
Does that seem redundant? Good - it should. You’ll want to bake in plenty of reminders to your communication process to ensure you catch all your team members at some point. Sending one email isn’t enough.
Step 3: Pilots, Alpha, and Beta Rollouts
You don’t want to execute the entire deployment in one shot. Instead, roll out conditional access and MFA in stages. This gives you the opportunity to receive feedback from multiple groups of people, getting different perspectives on potential challenges. It gives more integrity to your process once you’re ready to launch it within your larger organization. It makes your MFA process “battle-tested”.
Your pilot phase will include IT administrators. This will allow them to anticipate issues that may arise, test and gather feedback, and put together some frequently asked questions they think they’ll receive once deployment begins.
The alpha phase should include the IT department and another group of technologically savvy “beta group” users. You’ll use this crew to perform even more testing, getting more valuable feedback on the MFA process.
Finally, the beta phase will include privileged and high-risk accounts. These are accounts with a higher risk profile that have access to potentially sensitive Controlled Unclassified Information belonging to the company. An example of this would be financial records. Once again, you’ll use this group to perform additional testing and gather feedback from a new set of users with a different user experience.
Step 4: Organization-Wide Rollout
Now you’re ready to move to a company-wide posture for your deployment. Here, you’ll choose the most logical progression for your team after the testing phases are complete. It may make sense to roll this out with one department before moving to another. If you have several office locations, a geographically staggered rollout may be the way to go. Assess your company’s culture and make the decision that makes the most sense for you and your organization.
Step 5: Monitor and Modernize
Once the deployment is underway, it’s on you and your IT team to closely monitor progress. Pay close attention to alerts for the first few weeks. You may need to tweak any rules that users find too burdensome or inconvenient. There has to be a compromise - while everyone knows MFA is going to be challenging no matter how it is implemented, you can’t interfere with your teammates so much that it disrupts their workflow.
Provide a listening ear and be compassionate when people talk about MFA as a challenge to their workday. This can be true. It changes the order of how many people do things and can be hard to adapt to. Recognize this while stressing the importance of the move, and commend your team for valuing their security by cooperating.
At this stage, attempt to identify potential causes for “over-alerting.” For example, opening browsers with more than one application may give your users problems. If you find this to be true, communicate it clearly to your team members as soon as you realize it’s an issue so they can get ahead of it.
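One way to look for over-alerting during the monitoring phase, as an added example that is not from the original article: it scans sign-in records for users who received several MFA prompts within a short window and lists the applications involved. The record layout, the 10-minute window, and the threshold of three prompts are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real tenant data. The layout
# (timestamp, user, application, mfa_prompted) is an assumption for this
# example, not the schema of any particular sign-in log export.
SIGN_INS = [
    ("2024-03-04T09:00:05", "alice@example.com", "Outlook", True),
    ("2024-03-04T09:01:40", "alice@example.com", "Teams", True),
    ("2024-03-04T09:03:10", "alice@example.com", "SharePoint", True),
    ("2024-03-04T13:00:00", "alice@example.com", "Outlook", False),
    ("2024-03-04T08:30:00", "bob@example.com", "Outlook", True),
    ("2024-03-04T14:10:00", "bob@example.com", "Teams", True),
    ("2024-03-04T08:00:00", "carol@example.com", "Outlook", True),
    ("2024-03-04T11:00:00", "carol@example.com", "Outlook", True),
    ("2024-03-04T15:00:00", "carol@example.com", "Outlook", True),
]


def over_prompted(sign_ins, window=timedelta(minutes=10), threshold=3):
    """Return {user: [apps]} for users who were prompted for MFA at least
    `threshold` times inside any sliding `window`."""
    prompts = defaultdict(list)
    for ts, user, app, mfa_prompted in sign_ins:
        if mfa_prompted:
            prompts[user].append((datetime.fromisoformat(ts), app))

    flagged = defaultdict(set)
    for user, events in prompts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user].update(app for _, app in events[start:end + 1])
    return {user: sorted(apps) for user, apps in flagged.items()}


if __name__ == "__main__":
    for user, apps in over_prompted(SIGN_INS).items():
        print(f"{user}: repeated MFA prompts across {', '.join(apps)}")
```

A cluster that spans several applications, as with the first sample user, matches the multi-application browser case described above and is a candidate for rule tuning or a proactive note to users.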
There are some great MFA and conditional access productivity features and tools Microsoft offers that can help as well, such as:
- Passwordless authentication. Remembering a long password can prove difficult. Sometimes, alternative authentication methods are easier.
- Self-service password reset (SSPR). Forget having to contact a helpdesk every 60-90 days to change your password (though the best practice is to not let your passwords expire in the first place). This feature requires MFA to reset your password. If you need to call a helpdesk, you’re potentially exposed to social engineering. SSPR circumvents this vulnerability.
- Single Sign-On (SSO). Along with MFA, SSO is one of the most effective measures you can take against security threats.
- Break Glass Accounts. These emergency access accounts are useful when MFA is unavailable due to issues like network outages.
It’s true that MFA can be challenging for users who are new to it, but that doesn’t mean it has to be impossible. With clear communication, patient troubleshooting assistance, and close monitoring of how your team is adapting, you can implement a process that keeps your organization more secure without disrupting your team. If you are looking to adopt a more secure approach to managing identity, security, and productivity to meet modern cybersecurity and compliance requirements, find out how we can help with a free consultation.