Just how low is MFA adoption?

Security researchers at Coveware have released research indicating that there could be a decline in the overall number of attacks, but that the victims pay a heavier price. Researchers suggest that the increased risk of law enforcement involvement shrinks the pool of cybercriminals, because some will decide the potential for being arrested and extradited isn’t worth the risk. However, while a decrease in the number of attacks would be a positive overall, it could come with an unwelcome side effect – the cost of ransom demands going up, particularly for more minor high-profile victims.

Perhaps looking for a lower-risk space, the new Sugar Ransomware targets individual computers rather than corporate networks. Discovered by the Walmart Security team, this Ransomware-as-a-Service operation launched in November 2021 and appears to be explicitly targeting consumers or small businesses.

Microsoft released data indicating that only 22% of its Azure Active Directory (AD) customers used a multi-factor authentication solution to secure their accounts last year. As a reminder, in August 2019, Microsoft also indicated that customers who enabled MFA for their Microsoft accounts ended up blocking 99.9% of all attacks.

The company has also announced changes coming to the use of VBA macros, intended to help block malware delivery, starting with Version 2203. They will now be blocked by default.

And after much delay, the new Cyber Safety Review Board is now operational as part of the Department of Homeland Security. Its first case is the Log4J bug. Patterned after the National Transportation Safety Board, the 15-member group was formed by executive order last year.

Why do we care?

It continues to baffle me when I see the data around MFA. There’s a tool out there that blocks 99.9% of attacks, and yet it’s not used.

There’s a newly emerging risk calculus for the criminal side of the equation. Note that activity isn’t going away; it’s shifting. However, for those in SMB, it’s not great news, as it’s going smaller. That line from individual to micro and small business is pretty blurry, so that’s the continued danger area.