June 2024 - Cirrus

Setting-up MFA: a Microsoft Azure legacy this summer

admin / June 28, 2024

Setting-up MFA: a Microsoft Azure legacy this summer. It’s the summer to set-up MFA. With Microsoft beginning rolling out its new MFA policy in July, it’s a topic that’s as hot as a heatwave across the technology landscape. Microsoft is blazing a path towards stronger security for all accounts, but two questions remain. Do users understand why MFA will provide cyber security solutions for them? Do they know how to set-up MFA? Microsoft Azure Microsoft Azure is a cloud computing platform that effectively gives its users access to a huge pool of computing resources that Microsoft provides. This means you can use the resources you need without having to purchase physical hardware. It provides a business resource which is affordable and scalable no matter your business size. You can add resources or remove them as required. It is a comprehensive business tool which has the potential to store large amounts of your business information and your clients’ information. Why is MFA being enforced by Microsoft? Updating defences and maintaining good cyber security is part of being a responsible service provider. Microsoft have conducted research into the need for this extra layer of cyber security in their own report titled, How effective is multi-factor authentication at deterring cyberattacks? The report found three key findings in its research: 17% of accounts that were “compromised” by cyber-attacks did not have MFA. Implementing MFA leads to a 99.22% reduction of cyberattack. In case where private information has already been leaked, the use of MFA leads to a 98.56% reduction in further compromise. Microsoft’s research highlighted some eye-opening results which have, in part, translated into the roll out of mandatory MFA for Azure users. The impact of MFA on account security was not only being researched by Microsoft. Independent MFA findings Other reports have been released using data gathered from different tests and the results present similar findings: Google actively participated in the Biden Administration’s Symposium focused on strengthening authentication for online security. At this Symposium Google describe MFA as “one of the most effective ways to reduce the risk of significant cyber incidents”. It has been independently ascertained that up to 80-90% of cyber-attacks can be prevented using MFA. Google released data in 2019 showing that by adding a second level of authentication to accounts you can: Block up to 100% of automated bots Block 99% of bulk phishing attacks Prevent 66% of targeted attacks. Microsoft’s research is not stand alone. The implementation of multiple levels of authentication is proven time and again to strengthen account security. This is leading to changes in how we are asked to secure and authenticate our online accounts as businesses and individuals. Government policy In the UK, the government brought in legislation on 29 April 2024 which mandated businesses to meet a password standard for smart devices connecting to the internet. This law demonstrates the need for stronger account security in a world where we use internet-based devices multiple times in our daily lives. The law was a world-first, an innovative and disruptive policy designed to bring change and security. Microsoft are doing the same and they have a well-publicised initiative which covers this ideology. Microsoft Secure Future Initiative In November 2023, Microsoft launched the Microsoft Secure Future Initiative in response to the increasing threat of cyber-attacks. Aiming to strengthen accounts in the face of increasing cyber threats the initiative covers both company practice and products. There policy is built on three pillars or ‘principles’: Secure by design: designing products with security at the forefront of the design process. Secure by default: Security is both enabled and enforced with no exception, no extra effort and no option. Secure operations: Through monitoring and security controls the dynamic nature of cyber threats will be met. Microsoft seek to develop and continuously improve security to benefit their company and their consumers. The decision to roll-out mandatory MFA this summer directly links to the initiative and to the principle of ‘secure by default’. The announcement On 14 May 2024, Microsoft posted this statement on their blog as the formal announcement to customers that MFA would become a mandatory part of account authentication. As you can see from the screenshot of the news direct from Erin at Microsoft, the rollout begins in July, which shows it will be a process. There are those who have criticised this move saying that users do not have enough time to respond; that change is being sprung on them. Mandatory MFA is a necessary change to protect users from the increasing threat of having their accounts hacked. This change could save business owners thousands of pounds, save countless hours of time in the event of a breach, and save their business’ reputation. This impact is being overlooked but why? Time and capital The assumption is made that this roll-out will require large amounts of time and capital given the value it brings to account security. The value of time when running a business is high. The allocation of capital for services is often planned for months in advance to prevent unexpected expenditure. It is therefore an unrealistic expectation to achieve Microsoft’s mandatory change in less than 6 weeks in the eyes of most businesses. Unless of course this assumption is false and the roll out is not time intensive or expensive. MFA is free and easy to do This security feature will add value to your business both internally and externally and best of all it is free to do so there is no capital expenditure involved. It is easy to do, and MFA can be set-up in less time than it will take to drink a cup of coffee. By following a few simple steps, you can protect your account. How to set-up MFA? MFA is an easy and free layer of security that you can set-up on your accounts. MFA set-up is usually a simple process as the MFA set up for Microsoft Azure will show. MFA set-up for Microsoft Azure This simple process

Blog

The disruptive power of AI in cyber security

admin / June 21, 2024

The disruptive power of AI in cyber security. Is it a friend or foe? Artificial Intelligence (AI) is disrupting the cyber security landscape. Providing advances for cyber defence, but also providing advances for cyber-attackers. AI is walking a fine line between being a friend or a foe for business cyber security. What is AI? AI is the acronym for Artificial Intelligence. AI is the simulation of intelligence that you would associate uniquely as a human capability, recreated within technology. IBM define it as “technology that enables computers and machines to simulate human intelligence and problem-solving capabilities.” No matter what your opinion is on this technological advancement, it is a tool which is being used and will continue to be used. It is changing the business landscape in many ways. Top AI benefit to businesses, according to Bing If you ask Bing what the main use of AI is in business today it will tell you that it is for improving customer service. Chatbots are the obvious way in which AI is being used to improve customer service. It is a form of AI you are most likely familiar with and will encounter regularly when reaching out to companies or browsing the web. Whether you view this advancement and interaction positively or negatively as a consumer is a topic for another time. For businesses, Chatbots provide advantages in efficiency, cost and analytics. In the cyber security landscape AI is being used because it brings similar benefits. Benefits to cyber security Forging defence systems which are more robust and responsive at the sign of attack is at the forefront of many current developments in cyber security. Traditionally cyber-security responses to hackers have been more responsive due to the scope of data being surveyed and the capacity of professionals trained in the field of cyber security. With the advent of AI and the huge leaps forward it has taken in the last few years, the technology is now at a point where the intelligence can be used to interpret data and algorithms on a greater scale than the current human workforce. Cyber security has two significant challenges which AI technology is providing solutions for: A skills shortage in cyber security professionals exists in the UK with 50% of businesses reporting a cyber security skills gap. A further 33% businesses also have an advanced cyber security skills gap. The scope of data which needs to be scanned and is spread out across an infrastructure which was not designed with cyber criminals in mind. The task is therefore enormous. Provides capability The amounts of data created from the use of complex infrastructure results in vast data piles which needs to be scanned for threats to prevent criminal incursions. Traversing the maze of infrastructure is leaving blind spots which are being exploited. In the past, defence can be described as reactive to an attack. It’s like being one step behind. AI provides the capability to be proactive. It provides the capability to spot unusual activity by a user once it is trained in what to look for. Cyber security defences need to respond quickly and not reactively to be more effective. Makes defence more effective AI brings the following capabilities to defence systems: Speed Precision An ability to sift through more data than a human can Continuous scanning It can learn what patterns to look for in data and spot unusual data patterns. Speed and precision are key to being effective in defending against cyber-crime and AI provides that capability for defence systems. The unending ability of the machine once it has learned to detect unusual data patterns means that defences are actively checking for breaches constantly. Detects Patterns Being able to highlight the unusual data patterns and then flag them, allows the humans assessing data to be more effective in their roles too. They are checking data which is identified as being unusual which means that hackers on a system are more likely to be identified earlier. This will prevent more attacks from escalating and impacting business operations. It must be said that things will still slip through, but the use of AI in this field has a positive wider reaching impact. Businesses will have more robust security systems and fewer holes which can be exploited. The use of AI is not however all positive for businesses. AI has not only changed the defence landscape; it has also changed the attack landscape. Changes to the attack landscape AI has armed cyber criminals with a whole new arsenal of tools which are more efficient, more believable, and readily created and replicated. So while defences have strengthened, attacks have improved. The main reason for this is the exploitation of generative AI by cyber criminals, a tool which many businesses are also taking advantage of. What is Generative AI? Generative AI is when artificial intelligence is used to create content. The artificial intelligence follows parameters provided by a user to create content. Content can be pictures, words, music, songs. Generative AI is creating media in personal and professional life, but it is not only being used for lawful purposes. Cyber criminals are utilising this tool, and it is the success and scope of their cyber-attacks that is creating the challenge to cyber security. Challenges to cyber security Cyber-attacks are increasing. In 2024, it is currently expected that the cost of cyber-attacks will reach a total of $9.5 trillion globally. This is a cost which is only expected to rise as attacks become more sophisticated and convincing. Generative AI is arguably the tool which is going to give cyber-criminals that extra convincing edge. The 2024 cyber security breaches survey conducted by the government shows that 50% of businesses have experienced a cyber-attack in the last year. Of that 50% of businesses attacked, a huge 84% of breaches were done using phishing. Phishing Phishing is a type of email cyber-attack which appeals to human emotions. Phishing attacks use deception, combined with an emotive appeal to human emotion to hook

Blog

The disruptive power of AI in cyber security

admin / June 21, 2024

Blog

The solution to your business’ password problem is here

admin / June 12, 2024

The Solution To Your Business’ Password Problem Is Here By Helen C June 2024 The password problem Since the dawn of working online and in apps we have had to remember passwords. And we’ve created some interesting password solutions to remember them: The sticky note – writing our passwords down and sticking them to the monitor on our screen The sneaky aide memoir – the password list in the back of the diary, the piece of paper strategically kept in a bag One size fits all – Using the same password for every single account. The parrot – password, password, password, password. Easy – 12345, qwerty, asdfg Most of us will be guilty of using one of these methods at some point in time. Or we know someone who uses them. The problem is this method of facing the great password conundrum is leaving your business systems and applications vulnerable to being hacked. The solution we love to ignore We all know that we should have a different password for each app we use. They teach it in schools, it’s part of good business practice. Some of you might even be nodding along thinking you don’t need reminding you know the password solution. While also having a sneaky ‘password’ password lurking in your account portfolio. It is a simple solution to remember: You know it. You know the formula and are fed up with being told the formula. You understand it is the solution to safeguarding your systems and information. Yet, the statistics say something else. 5 startling stats about passwords 44% of employees say they use the same password at home and at work. The National Cyber Security Centre finds in breach data that 23.2 million people who have been victims of cyber-crime globally all used the same password: 123456 81% of security breaches, according to Verizon statistics, are due to poor password management. 3 in 10 UK businesses have no password policy The most common cause of cyber attack is through compromised credentials. It’s responsible for a huge 61% of malicious breaches. The statistics show that there is something more to understand about passwords. Currently, most businesses do not have passwords that are secure. Businesses are vulnerable to cyber-attack. Businesses and their employees keep repeating the practices they know they shouldn’t, and it looks like they are stuck in a loop with passwords. Getting out of the loop Many businesses struggle with feeling as though they are potentially sounding patronising and insulting the intelligence of their team when discussing passwords. This is often particularly true if you employ a large percentage of people who are Millennials and Gen Z. You may assume they are tech savvy and know how to create their own secure passwords. That assumption is however the first part of the cycle that needs to be broken. What makes a secure password? Educating yourself and your team about what makes a secure password is good business sense. A secure password is: A minimum of 20 characters long Uses a random combination of letters, numbers and special characters Does not use personal information or phrases that would be easy to guess, like your birthday or the name of the pet who is all over your Instagram page. Is not repeated across accounts. This may seem like a somewhat daunting and unrealistic proposition to implement for your team. Asking them to create and remember a password that meets these criteria for every account your business has – it’s a lot. You may be thinking that it is too much to expect your team to use and remember. Perhaps that is the reason why passwords pose such a problem. An actionable solution for your team to create and maintain secure passwords is the solution. Positive and proactive wording of clear steps to be followed are easily managed solutions you can implement as a business. Have a password policy A password policy removes the assumption of employee password knowledge from your business by providing a framework for password use and creation across all accounts. This strengthens your business’ security by securing vulnerabilities in the passwords protecting your accounts. Password policies provide a set of guidelines which your team must follow. It is an essential step to take so you can avoid being part of the 80% who attribute their data breaches to weak password security. Figures like this leads to password policies sounding rather severe. Example of a typical password policy A typical password policy will often use the following styles of phrases and include the following: Implementation of long passwords with a minimum length of 20 mixed numerical, upper and lower case and special characters Every account needs to have a new and unique password which meets the standard laid out in step 1 Multi-factor authentication (MFA) Prohibition of the reuse of business passwords Prohibition of common words and phrases Update passwords often Team updates will be given regularly These are all necessary and valid steps for creating a password policy. The steps are essential for good password hygiene, but they still present challenges. Password policy challenges Password policies are a minefield of do not statements and requirements, which in themselves provide challenges for implementation and employee uptake. The challenges: They are negative and off-putting to implement There are a lot of steps to follow The employee is

Blog

What is MFA? Why is it important?

admin / June 5, 2024

What is MFA? Why is it important? What is MFA? MFA is an acronym for Multi-Factor Authentication. It is the term people in the IT world use to describe the process of a computer checking your identity in more than one way before it lets you into your account. The terms are however important to understand, as they help you to better understand how MFA works and why it’s important. A deeper look at what MFA means You might be sitting there thinking that you know exactly what ‘multi-factor’ means. You could well be right, so let’s skip defining what ‘multi’ means. Just to be thorough, and because we are going to talk about factors in a bit more detail, let’s take a look at what ‘factor’ means in IT semantics. A ‘factor’, in the context of authentication, is a way of defining your identity. The password you type into an account to log-in is one factor through which a computer confirms you are you. It is the most common factor used. Confirmation of the password grants you access into your account. The computer has authenticated your identity through the combination of your username and password matching. This is the ‘authentication’ process. With MFA, you use more than one factor to confirm your identity alongside your username. MFA uses a combination of three factors to confirm your identity, all of which are interlinked and about you, so you will know them. Three factors By using all or a combination of options from these three different key factors, MFA provides a more robust protection system for your data. 1: Know This is the password, pin, security question or other form of identification that you are most likely already familiar with and using to access your online accounts. If you want to manage this and save some brain space, we recommend using a password manager to keep your passwords safe. 2: Have This is something that is in your possession and that you directly link to your online account. It will most likely be the device that you log-in on or something that you are given by a business to use as part of a multi-factor authentication process. 3: Are This is you, something that physically defines who you are. This includes a fingerprint, retinal scan or facial recognition, all of which are intrinsic to you. You don’t have anything to remember and many of us are already using this form of authentication every day as part of our internal phone security. That sounds unnecessary You may now be wondering why on earth you would put yourself through the stress of trying to remember more. For every account you have using more than just a password to log-in may feel daunting. The prospect of taking more time to log-in and taking-up more brain space to remember extra steps which you worry you might forget is perhaps the reason you don’t think MFA is the best-fit for your business. If you’re thinking it isn’t for you right now, you need to read on. It is for you. MFA is necessary. It’s also really easy to do. 3 Statistics about the impact MFA 1: MFA has been found to block 99.9% of automated cyber-attacks in 2023 according to statistics. 2: Weak or stolen passwords account for 80% of cyber breaches. MFA adds layers of security to your password so one weak or stolen password will not give access to accounts. 3: 67% of customers in the UK believe that companies who use MFA care about the protection of personal data according to recent statistics. Why is MFA important? MFA plays an important role in the fight against cyber-crime for both individuals and businesses. It is an easy step you can take to protect your accounts from being easily hacked by cyber-criminals. If they have your username, which let’s be honest is often just your name or your email address, they only need to guess your password to gain access. Once in they have access to your personal data. Do you have faith that your passwords are strong enough to defend against a hacker? If the answer is maybe, read on. Did you know that cyber security experts across the world have found that in every second there are an average of 530 signs of a potential cyber-attack? That’s a whopping 46 million indicators of potential cyber-attacks in just one day. Protecting yourself and your business from the ticking clock with MFA is usually free. It is normally something you can turn-on in the settings of your online accounts. No extra cost to you or your business. It’s just a choice you need to make. Then an action you need to implement. Take a look at the following statistics which demonstrate an interesting parallel between businesses and cyber-attacks. 2 statistics you should not ignore: 1: Over 68% of people surveyed did not use MFA where it is available. 2: Half of business surveyed by the UK government in 2024 have experienced some form of cyber-attack in the last year. It is interesting to look at these statistics and consider what impact there may be on the second statistic of people began using MFA as part of their cyber security policy. How does MFA work? To describe how MFA works and why you should use it, let’s use an analogy. Your password is the lock you use on your door to gain entry to your house – the place you keep all the information that belongs to you and that you are responsible for looking after. Using one password is like having one lock. If your password isn’t very strong, it’s like using a padlock on the front door to your house and hoping you won’t get robbed. The weaker the password; the flimsier the padlock. If you’re using the word password for your password, you’ve forgot the lock entirely. The chances of a thief gaining access to your home and robbing you is high.

Blog

What is MFA? Why is it important?

admin / June 5, 2024