Microsoft’s announcement a week or two ago that it will stop supporting legacy authentication (the plain username-and-password sign-in used by older clients and mail protocols) on its Office 365 platform from October will probably have passed most of its users by, but come the autumn many companies will wish they had paid a bit more attention, especially as they may just be returning from the Coronavirus situation with other things on their minds.
To summarise what this means: if you are using a version of Microsoft Office older than Office 2013 (Office 2010 or earlier), it will no longer be able to sign in to Office 365 until you upgrade to a newer version, because those clients can only use the old authentication method (Office 2013 can use modern authentication, but has to be explicitly configured for it). And before you get annoyed that this is going to affect you: yes, they can do that and, in actual fact, it’s for your own good.
“Microsoft has been fighting the bad guys for a number of years,” says Nutbourne’s Technical Director Patrick Burgess. “Serial spammers, hackers, phishing attacks. Phishing is huge at the moment.
“The best way they have found to combat these kinds of attacks is to enable multi-factor authentication (MFA) – so for example an email password and a PIN sent to your mobile device, much like a bank would do.
“The problem Microsoft has is that Office 365 has supported a lot of legacy systems and allowed them to communicate. And because of the way they communicate, it allows hackers a route into your account through the back door, even if you are using MFA. Microsoft feels that it doesn’t have much of an option other than to essentially force users to adopt its modern authentication method.”
Necessary steps
While it seems like an aggressive move from Microsoft, it is not without good reason. As technology gets more sophisticated, so do the attacks against it, and in recent years those attacks have become much more varied and complex.
At a recent cybersecurity conference, Microsoft engineers highlighted that 99.9% of the account compromises it detected could have been prevented by using MFA. That is a huge proportion considering that only 11% of Office 365 users had turned MFA on; some people still have no idea how to turn it on. This comes amid a growing trend for attackers to use password spraying: rather than trying many passwords against one account, which quickly triggers a lockout, the attacker picks a single common, easy-to-guess password and tries it against a long list of usernames, then moves on to the next guess, until they get a hit and can access an account with that password.
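The spraying pattern described above leaves a recognisable trace in sign-in records. The script below is an added example, not code from the article or from Nutbourne: it runs over a constructed sample of sign-in events laid out like the fields an Azure AD sign-in export carries (timestamp, user, source IP, client app, result code). The user names, addresses, timestamps and the field layout are this example's assumptions; the one fact taken from the platform is that Azure AD reports a wrong password as error code 50126 and a success as 0.

```python
"""Pick a password spray out of sign-in records (added example, not from the article)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, user, source IP, client app, result code).
# 0 = success, 50126 = invalid username or password. Names and IPs are invented.
SAMPLE_SIGNINS = [
    # a genuine user mistyping once, then succeeding
    ("2020-03-02T08:01:10", "alice@example.com", "203.0.113.10", "Browser", 50126),
    ("2020-03-02T08:01:40", "alice@example.com", "203.0.113.10", "Browser", 0),
    # a single account hammered from one address: brute force, not a spray
    ("2020-03-02T08:20:00", "bob@example.com", "203.0.113.11", "Browser", 50126),
    ("2020-03-02T08:20:20", "bob@example.com", "203.0.113.11", "Browser", 50126),
    ("2020-03-02T08:20:45", "bob@example.com", "203.0.113.11", "Browser", 50126),
    ("2020-03-02T08:21:10", "bob@example.com", "203.0.113.11", "Browser", 50126),
    ("2020-03-02T08:21:30", "bob@example.com", "203.0.113.11", "Browser", 50126),
    ("2020-03-02T08:22:00", "bob@example.com", "203.0.113.11", "Browser", 0),
    # one source trying one guess against many accounts over legacy IMAP
    ("2020-03-02T09:00:00", "alice@example.com", "198.51.100.7", "IMAP4", 50126),
    ("2020-03-02T09:00:03", "bob@example.com", "198.51.100.7", "IMAP4", 50126),
    ("2020-03-02T09:00:06", "carol@example.com", "198.51.100.7", "IMAP4", 50126),
    ("2020-03-02T09:00:09", "dave@example.com", "198.51.100.7", "IMAP4", 50126),
    ("2020-03-02T09:00:12", "erin@example.com", "198.51.100.7", "IMAP4", 50126),
    ("2020-03-02T09:00:15", "frank@example.com", "198.51.100.7", "IMAP4", 50126),
    ("2020-03-02T09:00:18", "grace@example.com", "198.51.100.7", "IMAP4", 0),
    ("2020-03-02T09:00:21", "heidi@example.com", "198.51.100.7", "IMAP4", 50126),
]


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5,
                          max_tries_per_user=2, min_failure_ratio=0.8):
    """Return {source_ip: report} for addresses whose sign-ins look like a spray.

    A spray touches many distinct accounts with only a guess or two each and
    fails almost every time. A brute force on one account fails the
    distinct-user test; a busy office NAT address fails the failure-ratio test.
    """
    by_ip = defaultdict(list)
    for ts, user, ip, _app, code in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, code))

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # slide the window so it spans at most `window` of wall-clock time
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            tries = Counter(user for _, user, _ in span)
            if len(tries) < min_users or max(tries.values()) > max_tries_per_user:
                continue
            failures = sum(1 for _, _, code in span if code != 0)
            if failures / len(span) < min_failure_ratio:
                continue
            # any success inside a spray window is a probable account compromise
            hits = sorted({user for _, user, code in span if code == 0})
            findings[ip] = {"users": len(tries), "failures": failures,
                            "compromised": hits}
    return findings


if __name__ == "__main__":
    for ip, report in detect_password_spray(SAMPLE_SIGNINS).items():
        print(ip, report)
```

The distinguishing signal is the shape of the attempts rather than their volume: the per-account count stays at one or two guesses while the distinct-account count from one source climbs. A success inside a flagged window is the "hit" the paragraph describes and should be treated as a compromised account. Note that the sample spray rides over IMAP4, one of the legacy protocols on which the password alone is enough even when MFA is switched on.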
“It’s very common now for people to receive phishing emails that look like they’re from genuine sites,” Patrick adds. “That email will contain a link that diverts you to a login screen that looks genuine. The site will ask for your password details, tell you they’re wrong and get you to re-enter them. The fake site will then redirect you to the real site, having harvested your login details.
“It means that hackers can now, at their leisure, log in to your Office 365 accounts using your details, which is where the mass mailouts from your account come from, or where financial departments are targeted with genuine-looking but fraudulent invoices, for example.” It is for reasons such as these that measures which at first seem draconian on Microsoft’s part are so imperative for the future of cybersecurity.
Spoofing
Marcus Evans, Managing Director, adds: “Another thing to consider, which is outside the scope of Office 365, is to tighten up your financial controls. The old days where an MD could send an email to the accounts team telling them to send thousands of pounds somewhere, with no invoice or approval mechanism, should be long over. If you still operate in a similar way, then it’s time to reconsider your financial set-up, as well as your Office 365. In instances such as these, it’s worth considering cybersecurity managed services.
“We have seen emails go to the accounts team spoofing the MD’s address. So unless you knew what you were looking for, it was indistinguishable. Companies have paid this amount without thinking, and then you are in real trouble. That client never did it again, and changed its system, but it’s much more sensible to get in before the horse has bolted.”
Business backlog
As a business, Nutbourne has been advising its clients to turn on MFA and disable legacy authentication. Done together, the two bring a huge security boost to Office 365 and reduce the breach risk, giving a ‘99% chance you won’t get hit by the more common forms of attack.’ Neither step is sufficient on its own: MFA does not protect a legacy-protocol sign-in, and blocking legacy protocols without MFA still leaves a single guessable password between an attacker and the account.
Naturally there is a fair amount of resistance among the business fraternity. Microsoft engineers said at a recent conference that of the 1.2 million or so accounts it had logged as compromised in January 2020, 99.9% were not using MFA, while only around 11% of users overall had it turned on. According to Patrick, it’s a similar story among those he speaks to.
“A huge amount of businesses haven’t done this because it’s regarded as a bit of a faff. Turning on multi-factor authentication is an additional level of complexity, and it’s likely they don’t want to confuse staff. But the knock-on effect of that is security breaches, for which Microsoft is starting to get a bad reputation.
“And in turn, there’s a lot of noise about breaches – purely because of the company’s size. They have now reached a point where they can’t allow this to happen anymore because it’s damaging for them and damaging for their clients.”
For Patrick, it’s very much a case of short-term pain in return for long-term gain. There will be a big initial impact for anyone running Office 365 with operating systems or client software that still use legacy authentication: everything from laptops and desktops to phones, printers and scanners will stop connecting if it is not reconfigured for modern authentication. While there are workarounds, these take time, so the advice is to prepare now and get ahead of the curve. The practical first step is to find out which users and devices are still signing in over legacy protocols, because those are the connections that will stop working in October. As cybersecurity measures go, it is a simple one, but it is an imperative one.
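One way to build that inventory from the sign-in log before the cut-off, as an added example that is not code from the article or from Nutbourne: the function below takes sign-in records as the Azure AD sign-in log reports them (user, the ‘Client app’ column value, the device or user agent, and whether the sign-in succeeded) and lists, for each user seen on a legacy protocol, which clients those were and whether the user already has a working modern-authentication client. The set of client-app names treated as legacy, the sample users and the device descriptions are assumptions made for this example; the authoritative answer for any given client is whether it is still sending a plain username and password rather than an OAuth token.

```python
"""Find who still depends on legacy (basic) authentication (added example)."""
from collections import defaultdict

# 'Client app' values assumed, for this example, to indicate legacy authentication
# in the Azure AD sign-in log. Check the current Microsoft list for your tenant.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
    "Exchange Web Services", "MAPI Over HTTP", "Offline Address Book",
    "Autodiscover", "Exchange Online PowerShell", "Other clients",
}
# 'Client app' values that use modern authentication (and therefore support MFA).
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample: (user, client app, device or user agent, succeeded).
# Users and devices are invented for this example.
SAMPLE_SIGNINS = [
    ("alice@example.com", "Browser", "Chrome 80 / Windows 10", True),
    ("alice@example.com", "Mobile Apps and Desktop clients", "Outlook 2016", True),
    ("alice@example.com", "Exchange ActiveSync", "Android built-in mail app", True),
    ("bob@example.com", "Mobile Apps and Desktop clients", "Outlook 2016", True),
    ("carol@example.com", "Other clients", "Outlook 2010", True),
    ("scanner@example.com", "Authenticated SMTP", "MFP scan-to-email", True),
    # a failed IMAP attempt from an unknown tool is attacker noise, not a user to migrate
    ("dave@example.com", "IMAP4", "python-requests/2.22", False),
]


def legacy_auth_inventory(events, include_failures=False):
    """Return {user: {"legacy": {client_app: [devices]}, "has_modern": bool,
    "action": str}} for every user seen on a legacy protocol.

    Failed sign-ins are skipped by default: a spray against a user's mailbox
    over IMAP says nothing about what that user actually runs.
    """
    legacy = defaultdict(lambda: defaultdict(set))
    modern_users = set()
    for user, app, device, ok in events:
        if not ok and not include_failures:
            continue
        if app in LEGACY_CLIENT_APPS:
            legacy[user][app].add(device)
        elif app in MODERN_CLIENT_APPS:
            modern_users.add(user)

    report = {}
    for user, apps in legacy.items():
        has_modern = user in modern_users
        report[user] = {
            "legacy": {app: sorted(devices) for app, devices in apps.items()},
            "has_modern": has_modern,
            # a user with a modern client only needs the old client retired or
            # reconfigured; a user with none needs an upgrade before the cut-off
            "action": ("retire or reconfigure legacy client" if has_modern
                       else "upgrade: no modern-auth client seen"),
        }
    return report


def users_needing_upgrade(events):
    """Users whose only successful sign-ins are over legacy protocols."""
    return sorted(u for u, r in legacy_auth_inventory(events).items()
                  if not r["has_modern"])


if __name__ == "__main__":
    for user, entry in legacy_auth_inventory(SAMPLE_SIGNINS).items():
        print(user, entry["action"], entry["legacy"])
```

In the sample, Alice only needs her phone's built-in mail app replaced or re-enrolled with a modern client, because Outlook 2016 already signs in with modern authentication; Carol on Outlook 2010 and the scan-to-email device have no modern client at all and are the ones that will simply stop working. Service accounts used by printers and scanners are easy to miss in a user-focused review, which is why the inventory is keyed on what the log actually saw rather than on who is on the staff list.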
“It’s the sensible thing to do. Why react in October when it’s too late? That will simply cause unnecessary disruption. Even those that do have an operating system that currently supports MFA but are using legacy authentication will need to upgrade because all users will come into work and find they’re getting impacts and warnings.
“And the business impact will be huge. People need to think about this because October will come around and they won’t be prepared. Microsoft won’t let this slide because it’s costing them too much and they can’t allow it to go on. Across our client base we are pushing this upon all our clients and we talk about it daily, weekly, monthly with clients – and it will make their lives and our lives easier.”
Is legacy authentication disabled and MFA enabled across your business? It’s certainly worth checking given the October deadline. If you’d like to find out more about Nutbourne or any of our cybersecurity managed services, then get in touch today! Call us on 0203 137 7273.