Additionally, a compromised e-mail account is often used by attackers to send out (frequently legitimate-looking) phishing e-mails to other users within the same organization, and sometimes to customers and partners. This, in turn, can result in a string of additional compromises and the spread of the phishing campaign to other organizations. Once a compromise happens – and with many organizations, it’s only a matter of when, not if – you’re going to wind up playing “whack-a-mole” indefinitely until you get 2FA and other security measures in place. Until then, you’re going to keep doing password and account resets and responding to additional compromised accounts, wasting valuable time that could be better invested in other pursuits.
I know some of you are likely reading this thinking, “We know this already… there’s nothing really new here.” That’s precisely my point. As long as 2FA/MFA has been available, and as often as I’ve heard it suggested – and suggested it myself – as a best practice, I’m amazed that we still run into this as often as we do in the wild. But it remains a significant problem, and phishing outbreaks and compromises are something we still respond to on a regular basis.
If your organization is like most, you allow your employees some form of remote access to e-mail and other data so they can do their work from home or on the go. If you don’t have and enforce common-sense password policies and a 2FA/MFA scheme for access to that data, you’re putting your organization at risk, and you will almost certainly be dealing with successful phishing outbreaks at some point.
By following these fairly simple security measures, you can significantly increase your organizational security, focus on other more pressing security issues, and save playing whack-a-mole for the arcade.