Story time! This happened just this month and is a true story. A new small business owner contacted us and brought us in because their clients, vendors and basically anyone sending them an email were receiving a bounce-back message saying "our email box is full". The odd thing was, they would still get the email messages!
After some basic troubleshooting, we discovered the email address in the bounce-back message that "was full" was actually completely different from the client's actual email address, and one the client didn't recognize at all. So we logged into their account dashboard and discovered an automatic forward had been set up to send a copy of every single email the client received to this foreign email address. This foreign address's mailbox was full and rejecting the messages.
Unfortunately for the client, they were using a very basic ISP-hosted email account, and the ISP didn't offer any sort of protection other than basic username/password authentication. That made it trivial for the person who gained access to the account to set up the email forward and silently collect all the communications sent to it, including invoices, client communications and more. This business will likely be feeling the effects of this breach for months if not years to come.
This story has two morals. The first is that it doesn't matter how big or small your business is, criminals don't care: this business was a single-person startup, barely getting off the ground. The second is that if you don't have multi-factor authentication (MFA) set up on your email and other important accounts, it's long past time to do so. MFA would have made this story little more than a footnote.
Google, Microsoft leading the push
It's no coincidence that both Google and Microsoft have recently announced the removal of what is called "basic authentication" (i.e., just using a username/password to sign into your email account) and will be enforcing MFA on all accounts, both personal (Outlook/Gmail) and business (Exchange Online/G Suite).
There are very few things today which require basic authentication. Most people and businesses only use it out of convenience. Unfortunately, convenience, as seen in the story above, can carry a very heavy price.
Make MFA a default company policy
Having MFA enabled for email accounts is an absolute no-brainer. If, for whatever reason, your email system does not support MFA, like in the example above, it's time to change email systems.
But MFA can and should be used for much more than just email. Many business apps today are cloud/web based and can support MFA as well. Everything from hosted software like QuickBooks Online to CRMs like HubSpot or Mailchimp supports MFA and, in some cases, requires it.
Making MFA a standard business policy and practice can help you ensure a secure operating environment. Currently evaluating new software? Put MFA on your list of requirements. This type of security-first mentality can help avoid headaches and heartbreaks later on.
Not sure how to get started with MFA or how it works? Lucky for you, we've got an article for that. Need help setting up or evaluating other areas of your business IT? We can help with that too.