As we discussed in my previous article on why 2FA doesn't stop business email compromise, traditional two-factor authentication is necessary but not sufficient. 2FA reliably stops password-only attacks, but attackers have well-worn routes around codes and push prompts: adversary-in-the-middle phishing kits that relay the one-time code to the real site while the victim types it, push-notification fatigue, and theft of the session token that the browser holds after a successful login. This article covers the additional protections you should implement to create a robust security posture.
Phishing-Resistant Authentication
The first and most important step beyond traditional 2FA is phishing-resistant authentication. With these methods there is no code or prompt for the user to hand over: the credential is cryptographically bound to the genuine site, so a look-alike login page, or a proxy sitting between the user and the real site, receives nothing it can replay.
Security Keys (FIDO2/WebAuthn)
Security keys are physical devices that implement the FIDO2/WebAuthn standard. When you log in, you plug the key in (or tap it over NFC) and touch it, entering a PIN if the site asks for user verification. The key holds a separate private key per site and signs a fresh challenge from the server; the signed data includes the site's origin as the browser saw it, so a signature produced on a phishing domain is rejected by the real site. No shared secret ever leaves the key, so there is nothing for an attacker to capture or replay.
Popular security keys include:
- YubiKey: The industry standard, available in USB-A, USB-C, and NFC versions
- Google Titan: Google's security key offering
- Feitian: Cost-effective alternative with good compatibility
Benefits:
- Resist credential phishing: a fake login page or relay proxy cannot obtain a signature the real site will accept
- Work even if your password is compromised
- Require physical possession of the key, so a purely remote attacker cannot complete the login
- Caveat: they protect the login, not what comes after it. A session token lifted from a malware-infected laptop still works, so device security and session controls remain necessary
- Supported by Microsoft 365, Google Workspace, and most major platforms
Implementation: Enable security key authentication in your identity provider (Microsoft 365, Google Workspace) and require it for all users, or at minimum for administrative accounts. In Microsoft Entra ID this means a Conditional Access policy that requires the built-in "Phishing-resistant MFA" authentication strength rather than plain MFA. Register at least two keys per user and keep the backup somewhere safe, and disable the weaker fallback methods (SMS, voice, plain authenticator app) for the accounts you are protecting; otherwise an attacker simply asks for the weaker method.
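The origin binding described above is what makes a security key phishing-resistant, and it is worth seeing the server side of it. The following is an added example, not code from the original article or from any FIDO library: it builds the clientDataJSON and authenticatorData structures a browser and key would produce, then runs the relying-party checks from the WebAuthn assertion procedure (ceremony type, challenge, origin, rpIdHash, user-presence flag, signature counter). The relying party login.example.com, the look-alike domain login-example-com.test and the challenges are all constructed for the example, and the final signature check over authenticatorData || SHA-256(clientDataJSON) is assumed to be done elsewhere with the stored public key.

```python
import base64
import hashlib
import json

# Assumptions for this added example (not from the original article): a hypothetical
# relying party at login.example.com and a constructed look-alike phishing domain.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"
PHISHING_ORIGIN = "https://login-example-com.test"   # constructed attacker domain

FLAG_UP = 0x01   # user present: the key was touched
FLAG_UV = 0x04   # user verified: PIN or biometric checked on the key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def client_data_json(challenge: bytes, origin: str) -> bytes:
    """What the browser builds during navigator.credentials.get().
    The browser, not page script, fills in origin from the page's real URL."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def authenticator_data(rp_id: str, sign_count: int, flags: int = FLAG_UP | FLAG_UV) -> bytes:
    """What the key signs: SHA-256(rpId) || flags || 32-bit signature counter.
    The browser derives rpId from the origin, so a phishing origin yields a different hash."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def verify_assertion(cdj: bytes, auth_data: bytes, expected_challenge: bytes, stored_sign_count: int):
    """Relying-party checks from the WebAuthn assertion verification procedure,
    minus the final signature check (needs the stored public key and a crypto library)."""
    client = json.loads(cdj)
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or forged response)"
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client.get('origin')!r}"
    if len(auth_data) < 37:
        return False, "authenticator data too short"
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    sign_count = int.from_bytes(auth_data[33:37], "big")
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: credential was not scoped to this relying party"
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if sign_count and sign_count <= stored_sign_count:
        return False, "signature counter did not increase (possible cloned key)"
    # Assumed to happen elsewhere: verify the signature over auth_data || SHA-256(cdj)
    # with the credential public key registered at enrollment.
    return True, "ok"


def demo() -> dict:
    """Three constructed login attempts; returns the verifier's verdict for each."""
    challenge = hashlib.sha256(b"server-random-nonce-1").digest()  # constructed; use os.urandom in production
    results = {}
    # 1. Genuine login on the real site.
    results["genuine"] = verify_assertion(client_data_json(challenge, EXPECTED_ORIGIN),
                                          authenticator_data(RP_ID, 8), challenge, 7)
    # 2. Adversary-in-the-middle page relays the real challenge, but the browser stamps the
    #    phishing origin into clientDataJSON and derives a different rpId for the key.
    phish_rp_id = PHISHING_ORIGIN[len("https://"):]
    results["phished"] = verify_assertion(client_data_json(challenge, PHISHING_ORIGIN),
                                          authenticator_data(phish_rp_id, 8), challenge, 7)
    # 3. Replay of a captured genuine response against a fresh server challenge.
    fresh = hashlib.sha256(b"server-random-nonce-2").digest()
    results["replay"] = verify_assertion(client_data_json(challenge, EXPECTED_ORIGIN),
                                         authenticator_data(RP_ID, 8), fresh, 8)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:8s} -> {verdict}")
```

The relay attacker cannot simply rewrite the origin field before forwarding the response, because the key's signature covers SHA-256(clientDataJSON); any edit invalidates the signature that the omitted final step would check. That is the whole difference between a one-time code, which is just a string the victim can be talked into typing anywhere, and a WebAuthn assertion.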
Certificate-Based Authentication
Certificate-based authentication uses digital certificates stored on devices or smart cards. Like security keys, they provide strong phishing-resistant authentication. They're particularly useful in enterprise environments where you can manage certificates centrally.
Windows Hello / Face ID / Touch ID
Windows Hello for Business, and Face ID or Touch ID when they unlock a passkey, are phishing-resistant for the same reason security keys are: the biometric never leaves the device and is used only to unlock a device-bound private key, which then signs the site-specific WebAuthn challenge. A fingerprint used merely to unlock the laptop, or to autofill a password, adds convenience but not phishing resistance. They combine something you have (your device) with something you are (your biometric).
These methods are convenient and secure, but they require compatible devices and applications that support them, and a lost or replaced device needs a re-enrollment process that an attacker cannot talk the help desk into running for them.
Conditional Access Policies
Conditional access policies allow you to control who can access your resources and under what conditions. This is a powerful tool for preventing unauthorized access even if credentials are compromised.
Location-Based Restrictions
Require that users can only access company resources from approved locations or IP addresses. This blocks an attacker who has valid credentials but is connecting from somewhere else, unless they can also get onto your approved network or route traffic through it.
Implementation example: Block all access from countries where you don't have employees, or require a VPN connection for remote access. Treat country blocking as noise reduction rather than a hard control: attackers routinely use residential proxies and VPN exits in the victim's own country. Exclude at least one break-glass administrator account from location policies, or a change to your office IP range can lock everyone out.
Device Compliance
Require that devices meet certain security standards before allowing access:
- Require encryption
- Require up-to-date operating systems
- Require device management (MDM)
- Block rooted/jailbroken devices
- Require security software
Risk-Based Access
Modern identity providers can assess risk based on various signals:
- Unusual login locations
- Unfamiliar devices or unfamiliar sign-in properties (new browser, new OS, new IP range)
- Impossible travel (logging in from two distant locations in short time)
- Sign-ins from anonymizing proxies or from IP addresses linked to malware
- Sign-in risk: the likelihood that a particular login is not the user, built from the signals above
- User risk: the likelihood that the account itself is compromised, for example because its credentials turned up in a breach dump
Configure policies to require additional authentication (like a security key) or block access entirely when risk is detected.
Time and Application Restrictions
Limit access based on time of day or restrict access to specific applications. For example:
- Require security keys for administrative functions regardless of time
- Block access to sensitive applications outside business hours
- Require additional authentication for high-privilege actions
Check what your identity provider actually exposes before designing around it: not every conditional access engine offers a native time-of-day condition, and the same outcome is often better achieved with device compliance plus step-up authentication on the sensitive application.
Advanced Email Security
As we've established, email is a primary attack vector. Beyond basic spam filtering, you need advanced protection against business email compromise and sophisticated phishing attacks.
Email Authentication Protocols
Implement and properly configure email authentication protocols:
- SPF (Sender Policy Framework): A DNS TXT record listing the servers allowed to send mail using your domain as the envelope sender; receivers check the connecting IP against it
- DKIM (DomainKeys Identified Mail): Your mail servers sign outgoing messages with a private key and publish the public key in DNS, so receivers can verify the message was not altered and came from a server you control
- DMARC (Domain-based Message Authentication, Reporting and Conformance): Requires that the domain in the visible From: header aligns with the domain that passed SPF or DKIM, tells receivers what to do with mail that fails (p=none, quarantine or reject), and sends you aggregate reports of who is sending as your domain
- BIMI (Brand Indicators for Message Identification): Displays your logo in supporting email clients; it requires DMARC at an enforcing policy, and the major mailbox providers also require a Verified Mark Certificate
These protocols stop attackers from sending mail that claims to be exactly your domain, and DMARC reports show you who is trying. They do not stop the two forms of BEC you will actually see most: look-alike domains (your-company.co instead of your-company.com), which pass all three checks for the attacker's own domain, and mail sent from a genuinely compromised mailbox, which is fully authenticated. Those need the account-level controls in the rest of this article.
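Most SPF and DMARC deployments fail in the same handful of ways, and a record can be checked for them without touching DNS. The following is an added example, not code from the original article: a small linter that parses an SPF TXT record and a _dmarc TXT record and reports the weak settings a practitioner looks for (permissive or missing "all" mechanism, the deprecated ptr mechanism, too many lookup mechanisms, p=none, partial pct, no reporting address). The four records are constructed for the example and example.com is a placeholder; the lookup count is static, so nested includes are not expanded and the count is a lower bound.

```python
# Constructed records for this added example (not from the article). The weak pair is what many
# small businesses actually publish; the hardened pair is the target state.
WEAK_SPF = "v=spf1 include:_spf.google.com include:spf.protection.outlook.com a mx ptr ~all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
HARDENED_SPF = "v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all"
HARDENED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com"


def lint_spf(record: str):
    """Return a list of findings for an SPF TXT record. Lookup counting is static (no DNS),
    so nested includes are not expanded; treat the count as a lower bound."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    mechanisms = [t.lower() for t in terms[1:]]
    last = mechanisms[-1] if mechanisms else ""
    if last in ("+all", "all"):
        findings.append("'+all' authorises every host on the internet to send as your domain")
    elif last == "?all":
        findings.append("'?all' is neutral; receivers treat unknown senders as unverified, not failed")
    elif last == "~all":
        findings.append("'~all' softfail; acceptable while onboarding, move to '-all' once DMARC reports are clean")
    elif last != "-all":
        findings.append("record does not end in an 'all' mechanism; the default result is neutral")
    lookups = 0
    for m in mechanisms:
        bare = m.lstrip("+-~?")
        # Mechanisms that cost a DNS lookup under the RFC 7208 limit of 10.
        if bare.startswith(("include:", "exists:", "redirect=", "a:", "mx:", "ptr:")) or bare in ("a", "mx", "ptr"):
            lookups += 1
        if bare == "ptr" or bare.startswith("ptr:"):
            findings.append("'ptr' mechanism is deprecated (RFC 7208 section 5.5) and slow; remove it")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10; receivers return permerror")
    if len(record) > 255:
        findings.append("record longer than 255 bytes must be split into multiple TXT strings")
    return findings


def lint_dmarc(record: str):
    """Return a list of findings for a _dmarc TXT record."""
    findings = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofs to junk; p=reject is the end state")
    elif policy != "reject":
        findings.append(f"invalid or missing policy {policy!r}")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: you get no aggregate reports, so you cannot see who is spoofing you")
    if "sp" in tags and tags["sp"].lower() != "reject":
        findings.append("explicit subdomain policy (sp) is weaker than reject; attackers will spoof a subdomain")
    return findings


if __name__ == "__main__":
    for label, rec, fn in (("weak SPF", WEAK_SPF, lint_spf), ("weak DMARC", WEAK_DMARC, lint_dmarc),
                           ("hardened SPF", HARDENED_SPF, lint_spf), ("hardened DMARC", HARDENED_DMARC, lint_dmarc)):
        print(label, "->", fn(rec) or ["no findings"])
```

Run it against your own records after pulling them with dig (dig TXT example.com and dig TXT _dmarc.example.com). The usual path to p=reject is: fix SPF so it ends in -all and stays under the lookup limit, confirm DKIM is signing for every legitimate sender including third-party services, watch the DMARC aggregate reports at p=none until only your own senders appear, then move to p=quarantine and finally p=reject.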
Business Email Compromise (BEC) Protection
Deploy advanced email security solutions that use behavioral analysis to detect compromised accounts and BEC attacks:
- Analyze sending patterns (unusual times, new recipients)
- Detect language and tone changes
- Identify payment requests and account changes
- Flag emails from compromised vendor accounts
- Provide real-time alerts for suspicious activity
Solutions like Ironscales, Proofpoint, and Mimecast offer BEC protection that goes beyond traditional email security.
Email Encryption
For sensitive communications, implement email encryption. This ensures that even if emails are intercepted, they can't be read without the encryption key.
Options include Microsoft 365 Message Encryption, Google Workspace S/MIME, or third-party solutions like Virtru or Zix.
Account Monitoring and Anomaly Detection
Proactive monitoring can detect compromised accounts before significant damage occurs.
Sign-In Monitoring
Monitor for suspicious sign-in activity:
- Logins from unfamiliar locations
- Logins from new devices
- Logins outside normal business hours
- Multiple failed login attempts
- Impossible travel scenarios
Set up alerts for these events and investigate immediately.
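The impossible-travel signal listed under both risk-based access and sign-in monitoring above is simple enough to compute yourself from an exported sign-in log, which is useful when your identity provider's risk engine is not licensed or you want to tune the threshold. The following is an added example, not code from the original article or from any identity provider: it groups sign-ins by user, computes the great-circle distance between consecutive logins from different IPs, and flags any pair whose implied speed exceeds a plausible airliner speed. The five sign-in records are constructed, the source IPs are documentation addresses, the coordinates are assumed to have been resolved from IP already, and the 900 km/h and 100 km thresholds are assumptions to tune.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in records for this added example (not real logs). The IP-to-location step is
# assumed to have happened already, e.g. in the identity provider's sign-in log export.
SIGN_INS = [
    {"user": "alice", "time": "2024-03-04T08:05:00+00:00", "ip": "203.0.113.10", "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"user": "bob", "time": "2024-03-04T08:00:00+00:00", "ip": "198.51.100.7", "city": "New York", "lat": 40.7128, "lon": -74.0060},
    {"user": "alice", "time": "2024-03-04T09:10:00+00:00", "ip": "192.0.2.44", "city": "Lagos", "lat": 6.5244, "lon": 3.3792},
    {"user": "alice", "time": "2024-03-04T11:00:00+00:00", "ip": "203.0.113.10", "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"user": "bob", "time": "2024-03-04T17:30:00+00:00", "ip": "198.51.100.9", "city": "Chicago", "lat": 41.8781, "lon": -87.6298},
]

MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner speed; tune for your users
MIN_DISTANCE_KM = 100.0     # assumption: ignore jitter between nearby geolocations
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(records, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return one alert per consecutive sign-in pair (per user) whose implied speed is impossible."""
    alerts = []
    by_user = {}
    for r in sorted(records, key=lambda r: (r["user"], r["time"])):
        by_user.setdefault(r["user"], []).append(r)
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            if prev["ip"] == cur["ip"]:
                continue                     # same egress address; nothing to compare
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < min_km:
                continue
            hours = (datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append({"user": user, "from": prev["city"], "to": cur["city"], "ip": cur["ip"],
                               "km": round(km), "hours": round(hours, 2), "kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(SIGN_INS):
        print(f"{a['user']}: {a['from']} -> {a['to']} ({a['km']} km in {a['hours']} h, {a['kmh']} km/h) from {a['ip']}")
```

Expect false positives from corporate VPNs whose egress sits in another country and from mobile carriers that geolocate badly; keep an allowlist of known egress IPs and feed it into the same-IP skip rather than raising the speed threshold, which would also hide real attacks.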
Mailbox Monitoring
Monitor for suspicious mailbox activity:
- Mailbox rules being created or modified (especially forwarding rules)
- Mass email deletions
- Unusual email sending patterns
- Permission changes
- Calendar modifications
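Inbox rules are the single highest-signal item in that list, because nearly every BEC intrusion creates one to hide the attacker's correspondence from the real user. The following is an added example, not code from the original article or from Microsoft: it parses inbox-rule audit events and scores the classic tells (forwarding to an external address, deleting messages, moving them to a folder nobody reads, a one-character rule name, subject filters on invoice or payment words, marking mail read). The three events are constructed and only modelled on the shape of New-InboxRule and Set-InboxRule records in the Microsoft 365 unified audit log; the internal domain example.com, the folder list, the keyword list and the threshold are assumptions.

```python
import json

INTERNAL_DOMAINS = {"example.com"}          # assumption: your own mail domains
SUSPICIOUS_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email", "deleted items", "archive"}
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "remittance", "ach"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Constructed audit events for this added example, modelled on the shape of Exchange Online
# New-InboxRule / Set-InboxRule records in the Microsoft 365 unified audit log (not real data).
EVENTS = [json.dumps(e) for e in [
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com", "ClientIP": "192.0.2.77",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "[\"attacker@mail-drop.test\"]"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "dev@example.com", "ClientIP": "198.51.100.5",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "ap@example.com", "ClientIP": "203.0.113.9",
     "Parameters": [{"Name": "Name", "Value": "Cleanup"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
]]


def params(event: dict) -> dict:
    """Flatten the audit record's Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}


def external(address: str) -> bool:
    domain = address.rsplit("@", 1)[-1].strip('"] ').lower()
    return domain not in INTERNAL_DOMAINS


def score_rule(event: dict):
    """Return (score, reasons) for one inbox-rule audit event. Higher means more BEC-like."""
    p = params(event)
    reasons = []
    for key in FORWARD_PARAMS:
        if key in p and any(external(a) for a in p[key].strip("[]").split(",")):
            reasons.append(f"{key} to external address {p[key]}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule deletes messages")
    if p.get("MoveToFolder", "").lower() in SUSPICIOUS_FOLDERS:
        reasons.append(f"moves mail to rarely-read folder {p['MoveToFolder']!r}")
    name = p.get("Name", "").strip()
    if len(name) <= 1 or set(name) <= {"."}:
        reasons.append(f"rule name {name!r} is chosen to go unnoticed")
    words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";") if w.strip()}
    if words & FINANCE_WORDS:
        reasons.append(f"filters finance-related subjects {sorted(words & FINANCE_WORDS)}")
    if p.get("MarkAsRead", "").lower() == "true" and reasons:
        reasons.append("marks messages read so the unread count does not give it away")
    return len(reasons), reasons


def triage(raw_events, threshold: int = 2):
    """Parse audit records and return the rule events at or above the alert threshold.
    Rules created from Outlook desktop appear as UpdateInboxRules with a different layout
    and are not handled here (assumption: collected separately)."""
    alerts = []
    for raw in raw_events:
        event = json.loads(raw)
        if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        score, reasons = score_rule(event)
        if score >= threshold:
            alerts.append({"user": event["UserId"], "ip": event.get("ClientIP"), "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in triage(EVENTS):
        print(f"{a['user']} from {a['ip']} (score {a['score']}): " + "; ".join(a["reasons"]))
```

The third event is the one worth studying: nothing leaves the tenant and nothing is deleted, yet moving every invoice-related message into RSS Subscriptions and marking it read is exactly how an attacker keeps a hijacked payment thread away from the accounts-payable clerk while they negotiate new bank details with the vendor.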
Privileged Account Monitoring
Pay special attention to administrative and executive accounts. These are high-value targets and should have:
- Enhanced monitoring
- Stricter access controls
- Mandatory security key authentication
- Regular access reviews
Incident Response Planning
Even with all protections in place, incidents can still occur. Having a plan ensures you can respond quickly and minimize damage.
Detection and Alerting
Set up systems to detect and alert on security incidents:
- Automated alerts for suspicious activity
- Security information and event management (SIEM) systems
- Regular security audits
- User reporting mechanisms
Response Procedures
Document procedures for common incident types:
- Account Compromise: Reset credentials and immediately revoke all sessions and refresh tokens, then check for anything the attacker added that survives a password reset: new MFA methods or devices, OAuth application consents, mailbox delegates, mailbox-level forwarding and inbox rules. Review sent and deleted items to learn what went out and who needs to be warned
- Phishing Email: Remove from inboxes, block sender, update filters, notify users
- Malware Infection: Isolate device, scan for threats, restore from backup if needed
- Data Breach: Contain the breach, assess impact, notify affected parties, comply with regulations
Recovery Procedures
Plan how to recover from incidents:
- Restore from backups if needed
- Revoke compromised credentials
- Remove malicious mailbox rules
- Review and update security controls
- Conduct post-incident review
Employee Training and Awareness
Technology is important, but people are your first line of defense. Regular training helps employees recognize and avoid threats.
Phishing Training
Regular phishing simulations and training help employees:
- Recognize phishing emails
- Understand common attack patterns
- Know how to report suspicious emails
- Stay updated on new threats
Security Awareness
General security awareness covers:
- Password hygiene
- Secure browsing practices
- Social engineering awareness
- Physical security
- Data handling procedures
Backup and Recovery
Regular backups are essential for recovery from ransomware, data loss, or account compromise. Ensure you have:
- Automated daily backups
- Offline or immutable backups (protected from ransomware)
- Tested recovery procedures
- Appropriate retention periods
- Regular backup verification
Third-Party Security Assessments
Regular security assessments by external experts can identify vulnerabilities you might miss:
- Penetration Testing: Simulated attacks to test your defenses
- Security Audits: Review of security controls and configurations
- Vulnerability Scanning: Automated scanning for known vulnerabilities
- Compliance Reviews: Ensure you meet regulatory requirements
Implementation Priority
Implementing all these protections at once can be overwhelming. Here's a recommended priority:
- Immediate: Enable security keys for all users (especially admins), implement conditional access policies, deploy BEC protection
- Short-term (1-3 months): Set up monitoring and alerts, implement email authentication protocols, create incident response plan
- Medium-term (3-6 months): Employee training program, backup verification, security assessments
- Ongoing: Regular reviews, updates, and improvements
Conclusion
Traditional 2FA is a good start, but it's not enough. Implementing these additional protections creates defense in depth that makes it significantly harder for attackers to compromise your business.
Remember: security is not a one-time project but an ongoing process. Threats evolve, and so must your defenses. Regular reviews, updates, and training ensure your security posture remains strong.
Start with the highest-priority items and gradually implement the rest. Even implementing a few of these protections will significantly improve your security posture.
Need Help Implementing These Protections?
I help businesses implement comprehensive security measures, from configuring conditional access policies to deploying advanced email security solutions. If you need assistance securing your business, reach out through the contact page.