Fundamental for companies to implement multi-factor authentication: Microsoft’s Mary Jo Schrade


While the last two years of the pandemic have accelerated the adoption of digital technologies globally, they have also brought to light a new set of cybersecurity challenges. Reports of ransomware attacks, data theft, phishing attempts, etc. showed how vulnerable businesses and users are to these threats. The latest wave of large-scale attacks was reported in March this year, led by the Lapsus$ group, which managed to infiltrate the network systems of several large companies, from Nvidia to Samsung to Microsoft.

So what are the digital best practices that businesses can adopt to keep themselves secure today? Mary Jo Schrade, Assistant General Counsel and Regional Head of Microsoft Digital Crimes Unit Asia, spoke on cybersecurity issues and best practices to stay safe. Edited excerpts from the interview:

Q) What are the main challenges businesses are facing in the post-Covid world?

MJ: The pandemic has accelerated the shift to allowing remote work. IT departments now have to manage not only their own infrastructure, but other things as well. For example, if you access your work email on your mobile phone and it is not managed by them, this is a risk. Even something as simple as the router you use at home can pose a risk to your business if you don’t update the router’s firmware when updates are available. Or if you don’t change the access password, which might initially be something such as 1234, to a more secure password. You then create vulnerabilities in your home when you access your employer’s network.

Businesses face multiple complexities today. Even though larger companies have more staff to handle these issues, the complexity has increased so much that it is very difficult to manage. And small and medium-sized businesses have an even tougher time when they don’t have their own staff to deal with these issues.

Q) We’ve heard a lot about ransomware being used against organizations with attackers stealing data and often erasing it. Can you elaborate on the extent of these issues and how can companies defend themselves?

MJ: We have seen an increase in the number of attacks as well as the size and sophistication of attacks. This remote work has essentially opened up more entry points for attackers. Sometimes these incidents lasted a long time before the company realized that someone had infiltrated its systems.

We see people getting into supply chain attacks where they go to a supplier of a company and take advantage of the fact that they may not be as well protected as the main company.

Mary Jo Schrade, Assistant General Counsel and Regional Head of Microsoft Digital Crimes Unit Asia. (Picture via Microsoft)

But what is fundamental, regardless of the types of attacks, is that companies implement multi-factor authentication for their company and for everyone in their company. You only allow what is called “least privileged access”. This means that if you as an employee want to access your employer’s data, this is assessed individually each time.

You make sure everyone uses multi-factor authentication and that you use it in the most reliable way. For example, you may have heard of criminals swapping SIM cards from people’s cell phones as a way to essentially engage in multi-factor authentication on behalf of the target. If you use different types of multi-factor authentication and there are plenty of options, including facial recognition, overlaying information, such as your location, and other factors, you really might have an effective way to protect yourself.

The criminals are better, but the means of protection are also better, and they are very effective.

Q) So what exactly does it mean when you talk about multi-factor authentication and why does it have an advantage over traditional two-factor authentication?

MJ: Two-factor authentication on a phone can protect, but it can also be circumvented by SIM swapping. For example, a cybercriminal gets the number transferred to his phone by tricking a mobile company’s help desk or something.

But if you have other factors in place, including the location of the computer trying to connect, that can be solved by multi-factor authentication. Also investigate any other anomalies with the device itself and how the device presents itself to your system. And that’s sometimes the reason why when you get a new device, you may find it difficult at first to access some of the sites you normally access because they don’t trust your device.

It is these layers of security modes that ultimately have impact and protection. So Windows Hello that we use where it’s a facial recognition thing. If you have that in addition to something else besides phone or device, device health, those things can also be used in order to have multiple authentication factors.

Q) In the context of the Lapsus$ attacks, it has been reported that they used insider help to break into some of the networks. So what are the lessons for organizations in such scenarios?

MJ: You’re right, they obtained credentials apparently through vendors or other means that they advertised. This would be a good example of where they could bypass multi-factor authentication through a cooperating person.

Again, least privileged access would be what would protect you because you won’t allow everyone access to everything. And that way, it would be very difficult for them to get in through an insider threat and then move around your network because whoever was cooperating with them wouldn’t have that access.

Q) How does moving to the cloud help better protect businesses?

MJ: One of the reasons for moving to the cloud is the protection it offers. And this is especially important for small businesses. If you can’t have your own staff, at least if you’re moving to the cloud, you’re kind of outsourcing a lot of what your staff would be doing by protecting you with the cloud, looking for anomalies, and reporting things.

India has many small and medium enterprises, and this may be their way of trying to tackle all these challenges when they themselves are not experts. So they are turning to the cloud to allow them to have the protections of a company that examines billions of these signals. For example, at Microsoft we look at signals that are interpreted by machine learning and artificial intelligence and we have 8,500 security people who work on cybersecurity alone.

What we’re starting to see is that people who have kept their systems on-premises are realizing that they’re more at risk because they don’t have these automatic updates and so on.

Q) There have also been reports of hackers accessing the source code of products, including some at Microsoft, such as in the recent Lapsus$ attacks. How serious of a risk does this pose?

MJ: In the event that they had access to our source code, there was a vendor account that was apparently compromised. And can you imagine what the source code should look like? It’s millions of lines of code. Each product has its own source code. And so if anyone were to have access to the source code, that alone wouldn’t allow them to do anything to compromise.

Microsoft recognizes that we cannot rely on source code secrecy to protect our customers. The reality is that even if you had access to a company’s source code for a particular product, the company would know what you had and would make the necessary changes to remove any benefit gained.

I also don’t think it’s something that will impact people as much as implementing multi-factor authentication and protecting your business by being in the cloud. These are the things people should think about the most. Educate your employees on threats, implement multi-factor authentication, and more. Nothing else will matter as long as you stick to the principles and make your updates and patches in a timely manner.

