Getting Oversubscribed and Fed up

Our love-hate relationship with Microsoft – and Apple and Google – is coming to a head. Our beef right now focuses on Microsoft and its hard push to get users to adopt the New Outlook. It’s the default for Microsoft 365 subscriptions, and it’s not as feature-rich as the Old Outlook, which Microsoft calls Classic Outlook. Subscription prices are another issue.

Let’s get one issue out of the way. We like subscriptions for application software, such as Microsoft 365. They deliver updates and bug fixes automatically, either on a schedule or as needed, so you always have the latest performance and security fixes. As we use the cloud more, these updates become a bigger benefit.

Our beef with Microsoft is with the New Outlook. In our opinion, Microsoft is pushing us into a new system that has fewer features than the one it replaced. We recently covered the differences between Old and New Outlook, and we invite you to revisit that article. Microsoft essentially forced us to go with New Outlook before it was ready for prime time. It may be faster, but Microsoft took away many features in the new version. It seems like they made the move for their own convenience, not for the betterment of their customers. They say they will restore some features, but we have to ask: why didn’t they include all the features before they rolled out the new version?

You can go back to the Old Outlook by clicking on the Help tab along the top of your screen and then clicking on Go to Classic. But it’s not a simple toggle-back-and-forth process. It takes some time, which you may not have when trying to get a lot of things done.

You really don’t have a lot of choices. Most organizations are locked into Microsoft 365 for email (Outlook), its suite of Office products (Word, Excel, PowerPoint, etc.), and the collaboration enabled by OneDrive and Teams. Everyone knows how to use the apps, and businesses, non-profits and governments know how to support them, either through internal tech departments, IT consultants or both.

Microsoft knows they have a firm grip. If they maintain the best possible security measures for their customers, they can get away with fewer features to support while raising prices. They’ll add features (and support them) when enough customers kick and scream or when another software provider threatens a piece of their market.

We can help you on the economic side by analyzing all your Microsoft and other application subscriptions to see where we can eliminate duplications of licenses or scale back some to meet your needs more efficiently. There’s no need to be oversubscribed. Call us – 973-433-6676 – or email us to set up an appointment.

Turn on 2FA with Microsoft 365

If you’re using Microsoft 365 without two-factor authentication (2FA), you have a basic security problem. Cybercriminals are taking advantage of a loophole in Microsoft’s Basic Authentication, an outmoded sign-in method that doesn’t require extra security checks, like a second password or a verification code sent to your phone. Here’s how to harden your system.

Hackers are using a method called “password spray and pray,” where they try a few common passwords across many accounts, hoping for a match. Security researchers have discovered that a botnet of at least 130,000 infected devices is being used in this attack. The hackers use non-interactive sign-ins, a method commonly used for automated logins between services. Because these logins involve no human at a keyboard, they never trigger a 2FA prompt, and many monitoring routines pay little attention to them.

While Microsoft is phasing out Basic Authentication, it will still be partially active until September 2025. The threat is immediate and serious.

If you administer a Microsoft 365 tenant, experts urge you to disable Basic Authentication and monitor the non-interactive sign-in logs. You should also adopt access policies based on location and device security that block logins from unknown locations or require extra verification from an unfamiliar device. Enabling multi-factor authentication (MFA) or certificate-based authentication requires users to prove their identity with a second factor, like a phone code or a fingerprint scan. Even if hackers steal a password, they still can’t get into the account without that extra verification.
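Here is a worked example of those three steps as a PowerShell runbook against Exchange Online and Microsoft Graph. It is added here and is not code from the original article. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the signed-in account holds Exchange Administrator and Conditional Access Administrator rights; the policy names, the 50-account threshold and the seven-day window are arbitrary choices for this example. The Conditional Access step needs Microsoft Entra ID P1 licensing, and on older SDK versions the non-interactive sign-in filter may require the beta cmdlet (Get-MgBetaAuditLogSignIn).

```powershell
# Added example, not from the original article. Three steps for a Microsoft 365
# admin: (1) turn off Basic Authentication in Exchange Online, (2) pull the
# non-interactive sign-in log from Microsoft Entra and flag password-spray
# patterns, (3) create a report-only Conditional Access policy that blocks
# legacy-auth clients. Policy names, the 50-account threshold and the 7-day
# window are arbitrary choices for this example.

# --- 1. Disable Basic Authentication in Exchange Online ---------------------
Connect-ExchangeOnline

# A newly created authentication policy blocks Basic Auth for every protocol
# by default (all of its AllowBasicAuth* switches are $false).
if (-not (Get-AuthenticationPolicy -Identity "Block Basic Auth" -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name "Block Basic Auth" | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# SMTP AUTH is the one protocol still allowed past the general Basic Auth
# shutdown. Turn it off tenant-wide, then list mailboxes that still override it.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled

# --- 2. Hunt for password spraying in the non-interactive sign-in log -------
Connect-MgGraph -Scopes "AuditLog.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
# Entra returns only interactive sign-ins unless signInEventTypes is filtered.
$filter  = "createdDateTime ge $since and signInEventTypes/any(t: t eq 'nonInteractiveUser')"
$signIns = Get-MgAuditLogSignIn -Filter $filter -All

# Spray signature: one source IP, many distinct accounts, failures with
# error 50126 ("invalid username or password"), often via legacy clients.
$legacyClients = @("Other clients", "IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync")
$suspects = $signIns |
    Where-Object { $_.Status.ErrorCode -eq 50126 } |
    Group-Object IpAddress |
    ForEach-Object {
        $ordered = $_.Group | Sort-Object CreatedDateTime
        [pscustomobject]@{
            IpAddress      = $_.Name
            FailedAttempts = $_.Count
            DistinctUsers  = @($_.Group.UserPrincipalName | Sort-Object -Unique).Count
            LegacyClient   = @($_.Group | Where-Object { $legacyClients -contains $_.ClientAppUsed }).Count
            FirstSeen      = ($ordered | Select-Object -First 1).CreatedDateTime
            LastSeen       = ($ordered | Select-Object -Last 1).CreatedDateTime
        }
    }
# Threshold of 50 distinct accounts per IP: tune to the size of the tenant.
$suspects = $suspects | Where-Object { $_.DistinctUsers -ge 50 } | Sort-Object DistinctUsers -Descending
$suspects | Format-Table -AutoSize

# --- 3. Conditional Access: block legacy-auth clients, report-only first ----
# Requires Microsoft Entra ID P1. Start in report-only mode, review the
# "Report-only" column in the sign-in log, then change state to "enabled".
$policy = @{
    displayName = "Block legacy authentication (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @() }  # put break-glass accounts here
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")   # "other" = all legacy/Basic Auth clients
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Run step 3 in report-only mode for a week or two before enforcing it, and add at least one break-glass administrator account to excludeUsers so a mistake in the policy cannot lock every admin out of the tenant.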

On the user side, stop reusing passwords. A password manager makes it easy to generate long, unique, complex passwords that are extremely hard to crack. And if a hacker does happen to get one, it won’t open any of your other accounts.

Wherever the websites you use offer 2FA, we suggest a six-digit code generated by an authenticator app on your phone; many password managers can store these tokens as well. Your phone’s facial recognition or fingerprint unlock then protects the app itself. A six-digit code sent to your phone as a text message or to your email still counts as a second factor, but it is the weaker option, because text messages and email can be intercepted or redirected.

We can help businesses and individual users upgrade or improve their online security. Call us – 973-433-6676 – or email us to talk about your needs.

Is ‘Zero Trust’ in Your Future?

The words “zero trust” in Zero Trust Network Access (ZTNA) are probably appropriate in a time when it seems like we don’t trust anybody about anything. ZTNA is being touted as a replacement for VPNs (Virtual Private Networks), especially for remote business needs. It could be more effective, but small businesses will need to jump through hoops.

ZTNA is a technology designed to limit who can access a network and where in the network they can go. The limits are important. For example, anyone who signs in to a Microsoft 365 tenant as a Global Administrator can effectively play God; they can do ANYTHING.

The goal of a ZTNA is to keep out false gods. Its proponents tout the following benefits:

  • Invisible infrastructure: ZTNA lets users reach individual applications without connecting their devices to the corporate network, so the network itself is never exposed to them.
  • More control and visibility: Managing ZTNA solutions is easy with a centralized admin portal with granular controls. Managers can see everything and create access policies for user groups or individual users.
  • Simpler app segmentation: Because ZTNA isn’t tied to the network, organizations can segment access down to individual applications instead of complex network segmentation.

Proponents further contend ZTNA is faster and more convenient than VPNs, offers better security and is easier to manage. Gartner, a technology research and consulting firm serving large corporations and government, predicts its client base will largely phase out VPNs in favor of ZTNA.

If you’re a small business or nonprofit organization that deals with large companies and government agencies, you may need to learn how to live in the world of ZTNA at the very least. If you want to adopt it for your own use, you’ll need to answer some risk/reward questions:

  • Do you need a Ft. Knox type of defense system?
  • Are you willing to build new access systems to maintain your current business process?
  • Are you willing to take on the learning-curve risks of implementing a new security system?

There are no cookie-cutter solutions to changing your security measures. Call us – 973-433-6676 – or email us to discuss the specifics of ZTNA, especially if you need to use it to comply with another organization’s directive. We can help you design and implement a plan that minimizes your risk as much as possible.