What private equity firms need to how about Microsoft’s decision and the effect it will have on security
Microsoft announced earlier this year that, effective Oct. 1, 2022, Basic Authentication for Outlook, Exchange Web Services, Remote PowerShell, POP, IMAP, and Exchange ActiveSync protocols will be fully disabled. Additionally, SMTP Authentication will also be deactivated if not utilized in the Microsoft 365 tenant.
Moving away from basic authentication with have a vast impact on the private equity space. As many portfolio companies may be reliant on legacy protocols with unique technical infrastructures, it’s important for private equity companies to know where to focus time, resources, and investments while upgrading to modern authentication.
Companies will see a direct impact as modern authentication will improve a company's security posture to protect their data and assets by limiting potential for data breaches and business email compromise attacks.
While previously a Microsoft standard, basic authentication has been replaced in favor of modern authentication methods. With legacy authentication, any request is an opportunity for a threat actor to perform credential theft. We know that portfolio companies are especially vulnerable to these types of attacks because they often have lower cyber security maturity.
Basic Authentication methods send usernames and passwords in cleartext, utilizing weak or unencrypted transport layer security protocols. Microsoft is forcing organizations to upgrade to Modern Authentication for stronger security—but the transition comes with significant challenges.
It’s fair to wonder how far-ranging and disruptive this deprecation will be.
Utilizing Intellio® Insights platform, we’ve discovered that:
It’s important to note that systems, service accounts, and applications relying on legacy protocols will immediately cease to operate the moment Microsoft flips the switch—even if all exceptions are in place. This includes line of business applications such as email, scanners, printers, and other systems which may be imperative to essential business functions.
Due to the complexity of mitigations and the number of organizations that will be affected, private equity may face the greatest disruption.
Varying and unique technical infrastructures among portfolio companies may require varied solutions, which can quickly add up when considering the size of a portfolio, cybersecurity maturity, and reliance on legacy protocols.
West Monroe has worked in recent months with our industry partners to establish go-forward plans for our private equity and portfolio company clients to improve security postures and reduce organizational disruptions.
This includes:
In the coming weeks, private equity firms and portfolio companies should identify and plan for the disruption that deprecation will have on their business. We recommend taking the following actions to protect your organization: