Fundamental that companies put in place multi-factor authentication: Microsoft’s Mary Jo Schrade

Mary Jo Schrade, Assistant General Counsel and Regional Lead at the Microsoft Digital Crimes Unit Asia, spoke to about the issues related to the cybersecurity domain and how businesses can protect themselves.

While the last two years of the pandemic have accelerated the adoption of digital technologies globally, it has also brought forth a new host of cybersecurity issues. Reports of ransomware attacks, data thefts, phishing attempts, etc, have showcased how vulnerable companies and users are to these threats. The most recent spate of high-profile attacks was reported in March this year, carried out by the Lapsus$ group, which managed to infiltrate the network systems of several top companies, from Nvidia to Samsung to Microsoft.

So what are the best digital practices that enterprises can adopt to keep themselves secure in today’s times? Mary Jo Schrade, Assistant General Counsel and Regional Lead at the Microsoft Digital Crimes Unit Asia spoke to about the issues related to the cybersecurity domain and best practices on staying safe. Edited excerpts from the interview:

Q) What are the key challenges that enterprises are facing in the post-Covid world?

MJ: The pandemic accelerated the move to allowing remote work. IT departments are now required to not just manage their own infrastructure, but also other things. For example, if you are accessing your work email on your cell phone, and it is not managed by them, then that’s a risk. Even something as simple as the router that you use at home can present a risk to your company if you don’t update the firmware in the router when the updates are available. Or if you don’t change the access password that might have initially such as 1234 to a more secure one. You then create vulnerabilities in your home when you’re accessing your employer’s network. There are just multiple complexities that companies have to deal with today. Even though bigger enterprises have a larger staff to handle these issues, still, the complexity has just grown so much that it’s very difficult to manage. And small businesses and medium businesses have an even more challenging time when they don’t have their own staff to deal with these issues.

Q) We’ve heard a lot about ransomware being used against organizations with attackers stealing data and often wiping it clean. Can you elaborate on the scale of these issues and how can companies defend themselves?

MJ: We’ve seen an increase in the number of attacks and the size and sophistication of the attacks. This remote work has basically opened more entry points for attackers. Sometimes these incidents have gone on for an extended period of time before the company becomes aware that someone has infiltrated their systems. We’re seeing people engage in supply chain attacks where they go to a vendor of a company and leverage the fact that they might not be as strongly protected as the main company. But what is fundamental — regardless of the types of attacks — is that companies put in place multi-factor authentication for their business and for everybody in their business. You only allow what is called ‘least privileged access’. What it means is that if you as an employee want access to your employer’s data, each time that’s evaluated individually. You make sure that everyone uses multi-factor authentication, and that you use it in ways that are the most trustworthy. For example, you may have heard about criminals using SIM swapping from people’s cell phones as a way to basically engage in multi-factor authentication on behalf of the target. If you use different types of multi-factor authentication, and there are lots of options, including facial recognition, layering of information, such as your location, and other factors, you could really have an effective way to protect yourself.

Q) So what exactly does it mean when you say multi-factor authentication and why does it have an edge over say the traditional two-factor authentication?

MJ: Two-factor authentication on a phone can protect but it also can be circumvented by SIM swapping. For example, a cybercriminal gets the number changed over to their phone by misleading the help desk at a cell phone company or something like that. But if you have other factors in place, including the location of the computer that’s trying to connect, it can be solved on multi factor authentication. Also, look at any other anomalies in terms of the device itself and how the device presents itself on your system. And sometimes it’s why when you have a new device, you might find it hard at first to access some of the sites you normally access because they don’t trust your device. It’s those layering of security modes that are ultimately impactful and protecting. So Windows Hello that we use where it’s a Facial Recognition thing. If you have that in addition to something else in addition to the phone or to the device, the health of the device, those things can also be used in order to have multiple factors of authentication.

Q) In the context of the Lapsus$ attacks, there were reports that they used inside help to break into some of the networks. So what are the learnings for organizations in such scenarios?

MJ: You’re right, they did get credentials apparently through either vendors or otherwise that they were advertising. That would be a good example of where they might be able to circumvent multi-factor authentication through a cooperating person. Again least privileged access would be what will protect you because you wouldn’t allow everybody to have access to everything. And that way, it would be very hard for them to come in through an insider threat and then move around across your network because the individual who was cooperating with them would not have that access.

Our MFA tool has been thoroughly tested to ensure its effectiveness. Learn more about our solution here


Full Interview at

Press Contact

Tel: 1-888-729-5334