[{"data":1,"prerenderedAt":2248},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/cyber-essentials-april-2026-update":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":237,"extension":1091,"faqItemsCollection":1092,"faqTitle":62,"featured":6,"hashTags":62,"meta":1094,"metaTitle":1095,"ogImage":62,"publishedDate":1096,"relatedBlogPostsCollection":1097,"slug":2220,"stem":2221,"subtitle":62,"summary":2222,"synopsis":2237,"sys":2238,"tagsCollection":2241,"__hash__":2247},"blog/blog/cyber-essentials-april-2026-update.json","Cyber Essentials April 2026 update: Mandatory MFA on ALL cloud services (and how Push can help)",{"items":230},[231],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":235},"Dan Green","Dan","Threat Research",{"url":236},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"json":238,"links":941},{"nodeType":239,"data":240,"content":241},"document",{},[242,253,289,298,304,311,394,401,405,413,420,427,434,440,447,450,458,465,473,480,486,505,526,534,540,579,585,594,601,624,630,636,642,645,653,660,666,673,681,688,695,744,750,757,760,768,775,838,841,849,869,876,883,929,935],{"nodeType":243,"data":244,"content":245},"heading-1",{},[246],{"nodeType":247,"value":248,"marks":249,"data":252},"text","Key changes for 2026 — and what they mean in practice",[250],{"type":251},"bold",{},{"nodeType":254,"data":255,"content":256},"paragraph",{},[257,261,272,276,285],{"nodeType":247,"value":258,"marks":259,"data":260},"Backed by the UK’s National Cyber Security Centre (NCSC), Cyber Essentials is a minimum requirement for operating in the UK and working with UK businesses. NCSC and IASME have issued an ",[],{},{"nodeType":262,"data":263,"content":265},"hyperlink",{"uri":264},"https://www.ncsc.gov.uk/files/cyber-essentials-requirements-for-it-infrastructure-v3-3.pdf",[266],{"nodeType":247,"value":267,"marks":268,"data":271},"updated requirements document",[269],{"type":270},"underline",{},{"nodeType":247,"value":273,"marks":274,"data":275}," as well as ",[],{},{"nodeType":262,"data":277,"content":279},{"uri":278},"https://iasme.co.uk/articles/upcoming-changes-to-the-cyber-essentials-scheme-april-2026-update/",[280],{"nodeType":247,"value":281,"marks":282,"data":284},"guidance on the changes",[283],{"type":270},{},{"nodeType":247,"value":286,"marks":287,"data":288}," planned to go-live in April 2026. The key changes relate to the definition of cloud services and the expectations around MFA enforcement, which will significantly expand the breadth of cloud and SaaS services in scope, as well as how compliance is measured.",[],{},{"nodeType":290,"data":291,"content":297},"embedded-entry-block",{"target":292},{"sys":293},{"id":294,"type":295,"linkType":296},"49tk5y1sUXUQzDBhY7I8YM","Link","Entry",[],{"nodeType":290,"data":299,"content":303},{"target":300},{"sys":301},{"id":302,"type":295,"linkType":296},"5kGX19qPB7NQnojHXShBsW",[],{"nodeType":254,"data":305,"content":306},{},[307],{"nodeType":247,"value":308,"marks":309,"data":310},"This means that:",[],{},{"nodeType":312,"data":313,"content":314},"unordered-list",{},[315,326,354,364,384],{"nodeType":316,"data":317,"content":318},"list-item",{},[319],{"nodeType":254,"data":320,"content":321},{},[322],{"nodeType":247,"value":323,"marks":324,"data":325},"Any service accessed via a business email or account is considered in-scope. It doesn’t matter whether this is a “free” tier account on a SaaS service or a fully managed enterprise cloud platform. ",[],{},{"nodeType":316,"data":327,"content":328},{},[329],{"nodeType":254,"data":330,"content":331},{},[332,336,341,345,350],{"nodeType":247,"value":333,"marks":334,"data":335},"If a service offers MFA, it ",[],{},{"nodeType":247,"value":337,"marks":338,"data":340},"must",[339],{"type":251},{},{"nodeType":247,"value":342,"marks":343,"data":344}," be enabled for ",[],{},{"nodeType":247,"value":346,"marks":347,"data":349},"all users",[348],{"type":251},{},{"nodeType":247,"value":351,"marks":352,"data":353},". (Apps that don’t offer MFA are incredibly rare).",[],{},{"nodeType":316,"data":355,"content":356},{},[357],{"nodeType":254,"data":358,"content":359},{},[360],{"nodeType":247,"value":361,"marks":362,"data":363},"If a service offers MFA only as a \"paid add-on\" or part of a higher subscription tier (e.g., \"Enterprise\" vs. \"Basic\"), you are now required to pay for and enable it. ",[],{},{"nodeType":316,"data":365,"content":366},{},[367],{"nodeType":254,"data":368,"content":369},{},[370,374,380],{"nodeType":247,"value":371,"marks":372,"data":373},"If the service doesn't have native MFA but allows you to sign in via a provider that ",[],{},{"nodeType":247,"value":375,"marks":376,"data":379},"does",[377],{"type":378},"italic",{},{"nodeType":247,"value":381,"marks":382,"data":383}," (like \"Sign in with Microsoft\" or Google), you must use only that method.",[],{},{"nodeType":316,"data":385,"content":386},{},[387],{"nodeType":254,"data":388,"content":389},{},[390],{"nodeType":247,"value":391,"marks":392,"data":393},"This means that if \"shadow\" apps and accounts are identified — e.g. they find that your team is using a SaaS tool that doesn't have MFA, and it wasn't listed in your submission — you will be non-compliant.",[],{},{"nodeType":254,"data":395,"content":396},{},[397],{"nodeType":247,"value":398,"marks":399,"data":400},"This has significant ramifications for the attestation process that requires comprehensive visibility of every app, login method, and MFA factor. ",[],{},{"nodeType":402,"data":403,"content":404},"hr",{},[],{"nodeType":243,"data":406,"content":407},{},[408],{"nodeType":247,"value":409,"marks":410,"data":412},"Don’t worry, Push Security has the solution",[411],{"type":251},{},{"nodeType":254,"data":414,"content":415},{},[416],{"nodeType":247,"value":417,"marks":418,"data":419},"Push provides you with visibility of every single cloud app your employees access and how they’re authenticating to them, giving you the controls needed to automatically enforce MFA and strong, unique passwords on all your corporate accounts. ",[],{},{"nodeType":254,"data":421,"content":422},{},[423],{"nodeType":247,"value":424,"marks":425,"data":426},"Push is able to do this by deploying into your employees’ existing browser, from where it observes the actual login process in real-time. This allows Push to capture 100% of cloud app usage, including free-tier apps and those accessed via personal email addresses or local credentials, which centralized SSO logs would miss.",[],{},{"nodeType":254,"data":428,"content":429},{},[430],{"nodeType":247,"value":431,"marks":432,"data":433},"Here’s a short interactive demo that shows you how Push helps you to prepare for Cyber Essentials by capturing all your cloud services and making sure MFA is enabled on all your user accounts.",[],{},{"nodeType":290,"data":435,"content":439},{"target":436},{"sys":437},{"id":438,"type":295,"linkType":296},"2P0DtMURb1EvQJ4e8Ze4IC",[],{"nodeType":254,"data":441,"content":442},{},[443],{"nodeType":247,"value":444,"marks":445,"data":446},"This isn’t all Push does — we also detect and stop browser-native attacks like zero-day phishing, AitM toolkits, ClickFix attacks and account takeover — but more on that later. ",[],{},{"nodeType":402,"data":448,"content":449},{},[],{"nodeType":243,"data":451,"content":452},{},[453],{"nodeType":247,"value":454,"marks":455,"data":457},"But all our apps are managed and accessed via SSO…",[456],{"type":251},{},{"nodeType":254,"data":459,"content":460},{},[461],{"nodeType":247,"value":462,"marks":463,"data":464},"Most organizations work on the assumption that their employees are using SSO to access the suite of business apps they use on a daily basis. Apps go through an onboarding process where they are configured to use the preferred SSO method (e.g. SAML, OIDC) from the preferred identity provider (Okta, Microsoft, Google, etc.). By enforcing secure login requirements on how employees login to their IdP account, you essentially secure the downstream logins to all of the business apps in use. ",[],{},{"nodeType":254,"data":466,"content":467},{},[468],{"nodeType":247,"value":469,"marks":470,"data":472},"The reality is quite different. ",[471],{"type":251},{},{"nodeType":254,"data":474,"content":475},{},[476],{"nodeType":247,"value":477,"marks":478,"data":479},"Apps are routinely self-adopted by users. Most enterprises are using hundreds of apps across their workforce, for a variety of business purposes. ",[],{},{"nodeType":290,"data":481,"content":485},{"target":482},{"sys":483},{"id":484,"type":295,"linkType":296},"6TjtfVoZ2vsWv6iD9IRL2r",[],{"nodeType":254,"data":487,"content":488},{},[489,493,501],{"nodeType":247,"value":490,"marks":491,"data":492},"Apps typically allow multiple, simultaneous login methods to exist. Many apps don’t allow you to restrict this even with admin-level controls (or needing to pay extra for the privilege). A huge number of apps don't even allow you to configure SAML SSO ",[],{},{"nodeType":262,"data":494,"content":496},{"uri":495},"https://sso.tax/",[497],{"nodeType":247,"value":498,"marks":499,"data":500},"without paying extra for the privilege",[],{},{"nodeType":247,"value":502,"marks":503,"data":504}," (if they offer it at all).",[],{},{"nodeType":254,"data":506,"content":507},{},[508,512,517,521],{"nodeType":247,"value":509,"marks":510,"data":511},"This means you can have a local password active at the same time as a secure SSO login option — we call these ",[],{},{"nodeType":247,"value":513,"marks":514,"data":516},"ghost logins",[515],{"type":251},{},{"nodeType":247,"value":518,"marks":519,"data":520},". The worst part is that you can have an SSO login protected by MFA, at the same time as a local password without. This is one of the key reasons why we see that",[],{},{"nodeType":247,"value":522,"marks":523,"data":525}," 2 in 5 accounts are missing MFA. ",[524],{"type":251},{},{"nodeType":254,"data":527,"content":528},{},[529],{"nodeType":247,"value":530,"marks":531,"data":533},"Under the new regulations, this would be an automatic fail if discovered. ",[532],{"type":251},{},{"nodeType":290,"data":535,"content":539},{"target":536},{"sys":537},{"id":538,"type":295,"linkType":296},"4QnFioDFWpwzMR3XxC6GyX",[],{"nodeType":254,"data":541,"content":542},{},[543,547,553,557,562,566,575],{"nodeType":247,"value":544,"marks":545,"data":546},"Even more complexity comes in ",[],{},{"nodeType":247,"value":548,"marks":549,"data":552},"how",[550,551],{"type":378},{"type":251},{},{"nodeType":247,"value":554,"marks":555,"data":556}," MFA can be enforced. ",[],{},{"nodeType":247,"value":558,"marks":559,"data":561},"Some SaaS services only allow MFA to be self-adopted",[560],{"type":251},{},{"nodeType":247,"value":563,"marks":564,"data":565}," rather than centrally enforced by admin controls. This can often be linked to the product tier, with a higher level subscription required for tenant-level security features. Similarly, some apps do not provide admin-level visibility of MFA configuration for individual accounts. ",[],{},{"nodeType":262,"data":567,"content":569},{"uri":568},"https://pushsecurity.com/blog/minimum-viable-identity-security/",[570],{"nodeType":247,"value":571,"marks":572,"data":574},"How each vendor chooses to set up their app is very inconsistent.",[573],{"type":270},{},{"nodeType":247,"value":576,"marks":577,"data":578}," ",[],{},{"nodeType":290,"data":580,"content":584},{"target":581},{"sys":582},{"id":583,"type":295,"linkType":296},"3Dw7AHvU9oYZDBfcZBNEEO",[],{"nodeType":586,"data":587,"content":588},"heading-2",{},[589],{"nodeType":247,"value":590,"marks":591,"data":593},"The ripple effect",[592],{"type":251},{},{"nodeType":254,"data":595,"content":596},{},[597],{"nodeType":247,"value":598,"marks":599,"data":600},"The nature of the changes to the scope means that areas you were previously comfortable attesting to become way more complex. ",[],{},{"nodeType":312,"data":602,"content":603},{},[604,614],{"nodeType":316,"data":605,"content":606},{},[607],{"nodeType":254,"data":608,"content":609},{},[610],{"nodeType":247,"value":611,"marks":612,"data":613},"You have to enforce password policies and account lifecycle management on a long tail of SaaS, not just previously identified “core” apps. ",[],{},{"nodeType":316,"data":615,"content":616},{},[617],{"nodeType":254,"data":618,"content":619},{},[620],{"nodeType":247,"value":621,"marks":622,"data":623},"This applies to external contractors too.",[],{},{"nodeType":290,"data":625,"content":629},{"target":626},{"sys":627},{"id":628,"type":295,"linkType":296},"6qdjxv3WOfQKPomoZWKuyA",[],{"nodeType":290,"data":631,"content":635},{"target":632},{"sys":633},{"id":634,"type":295,"linkType":296},"2aTPDpdbAgO6skBV4RQfqK",[],{"nodeType":290,"data":637,"content":641},{"target":638},{"sys":639},{"id":640,"type":295,"linkType":296},"Zfg0cIez6MOHTvnEpeNa3",[],{"nodeType":402,"data":643,"content":644},{},[],{"nodeType":243,"data":646,"content":647},{},[648],{"nodeType":247,"value":649,"marks":650,"data":652},"Will your assumptions stand up to scrutiny? ",[651],{"type":251},{},{"nodeType":254,"data":654,"content":655},{},[656],{"nodeType":247,"value":657,"marks":658,"data":659},"Previously, the approach to an audit would have been to show that the IdP dashboard is configured to require mandatory MFA, and all business apps are accessed securely via the IdP interface.  ",[],{},{"nodeType":290,"data":661,"content":665},{"target":662},{"sys":663},{"id":664,"type":295,"linkType":296},"3eLWMRE98VZqlAb9g4AKIa",[],{"nodeType":254,"data":667,"content":668},{},[669],{"nodeType":247,"value":670,"marks":671,"data":672},"But this only shows part of the picture. Cyber Essentials auditors typically interview employees and ask them to demonstrate logging into a variety of apps to show the MFA status and overall login process (e.g. are they using a password manager, do passwords meet the requirements, etc.). If the auditor discovers an app you were unaware of, that is accessed without using MFA, you’ve failed. ",[],{},{"nodeType":586,"data":674,"content":675},{},[676],{"nodeType":247,"value":677,"marks":678,"data":680},"This isn’t just a compliance concern — it’s a real security threat",[679],{"type":251},{},{"nodeType":254,"data":682,"content":683},{},[684],{"nodeType":247,"value":685,"marks":686,"data":687},"The reason that compliance is being forced to evolve is that this kind of security gap is being routinely exploited by attackers in the wild. Compromised credentials are available online in their billions, and that’s all an attacker needs to log into an account without MFA. ",[],{},{"nodeType":254,"data":689,"content":690},{},[691],{"nodeType":247,"value":692,"marks":693,"data":694},"The recent criminal campaigns against Snowflake and Jira customers demonstrate this risk. ",[],{},{"nodeType":312,"data":696,"content":697},{},[698,721],{"nodeType":316,"data":699,"content":700},{},[701],{"nodeType":254,"data":702,"content":703},{},[704,708,717],{"nodeType":247,"value":705,"marks":706,"data":707},"The 2024 ",[],{},{"nodeType":262,"data":709,"content":711},{"uri":710},"https://pushsecurity.com/blog/snowflake-retro/",[712],{"nodeType":247,"value":713,"marks":714,"data":716},"Snowflake",[715],{"type":270},{},{"nodeType":247,"value":718,"marks":719,"data":720}," breaches resulted in billions of records being stolen from 165+ Snowflake tenants. Attackers simply logged into accounts without MFA at scale — >80% of the credentials had been leaked online as early as 2020. ",[],{},{"nodeType":316,"data":722,"content":723},{},[724],{"nodeType":254,"data":725,"content":726},{},[727,731,740],{"nodeType":247,"value":728,"marks":729,"data":730},"Criminals went on a ",[],{},{"nodeType":262,"data":732,"content":734},{"uri":733},"https://pushsecurity.com/blog/why-attackers-are-targeting-jira-with-stolen-credentials/",[735],{"nodeType":247,"value":736,"marks":737,"data":739},"Jira",[738],{"type":270},{},{"nodeType":247,"value":741,"marks":742,"data":743}," hacking spree, compromising 10 organizations publicly — including Jaguar Land Rover. The same attackers were then involved in the Scattered Lapsus$ Hunters ransomware operation that went down as the most economically consequential cyber breach to affect a G7 economy. ",[],{},{"nodeType":290,"data":745,"content":749},{"target":746},{"sys":747},{"id":748,"type":295,"linkType":296},"7baNZATRrb7yrLqsJxQo83",[],{"nodeType":254,"data":751,"content":752},{},[753],{"nodeType":247,"value":754,"marks":755,"data":756},"The reality is that this has been happening for years. Regulation is always slow to catch up. It’s important that organizations understand why these changes are being made — to tackle the threat. ",[],{},{"nodeType":402,"data":758,"content":759},{},[],{"nodeType":243,"data":761,"content":762},{},[763],{"nodeType":247,"value":764,"marks":765,"data":767},"Achieving compliance (and more importantly, security) with Push",[766],{"type":251},{},{"nodeType":254,"data":769,"content":770},{},[771],{"nodeType":247,"value":772,"marks":773,"data":774},"Here’s how you can use Push to comply with Cyber Essentials v3.3 onwards, as well as safeguard your business and users from threats.",[],{},{"nodeType":312,"data":776,"content":777},{},[778,793,808,823],{"nodeType":316,"data":779,"content":780},{},[781],{"nodeType":254,"data":782,"content":783},{},[784,789],{"nodeType":247,"value":785,"marks":786,"data":788},"Discover apps and get them behind SSO: ",[787],{"type":251},{},{"nodeType":247,"value":790,"marks":791,"data":792},"Push captures every login from the browser, regardless of whether it’s federated or shadow. It builds a full map of your organization’s true identity footprint, including all accounts, apps, authentication methods, and SSO gaps. This allows you to spot apps that have been self adopted and take action. ",[],{},{"nodeType":316,"data":794,"content":795},{},[796],{"nodeType":254,"data":797,"content":798},{},[799,804],{"nodeType":247,"value":800,"marks":801,"data":803},"Review MFA status and enforce MFA: ",[802],{"type":251},{},{"nodeType":247,"value":805,"marks":806,"data":807},"You can see the MFA status of every app, both at the IdP and local app level, as well as the type of MFA method used to assess security strength. This allows you to find and eliminate “ghost logins” not protected by MFA — by configuring MFA at the app level, or removing the local credential. You can also prompt employees to register an MFA method in real time as they access an app in their browser.",[],{},{"nodeType":316,"data":809,"content":810},{},[811],{"nodeType":254,"data":812,"content":813},{},[814,819],{"nodeType":247,"value":815,"marks":816,"data":818},"Find and fix weak, breached, and reused passwords: ",[817],{"type":251},{},{"nodeType":247,"value":820,"marks":821,"data":822},"Push check the posture of all your employee passwords. The browser agent accomplishes this by creating a salted hash of a user’s observed password and then taking the first 8 characters of that hash to store locally in the browser, checking it against a list of 10,000 common basewords and common permutations); flagging if it is reused across accounts (i.e. not unique) and has appeared in a data breach or compromised credential feed.",[],{},{"nodeType":316,"data":824,"content":825},{},[826],{"nodeType":254,"data":827,"content":828},{},[829,834],{"nodeType":247,"value":830,"marks":831,"data":833},"Easily deploy to contractors and third-parties: ",[832],{"type":251},{},{"nodeType":247,"value":835,"marks":836,"data":837},"Push’s lightweight extension is easy to deploy to any machine, including those you don’t directly manage. Deploying Push into a dedicated contractor browser profile means you can track third-party logins to your apps exactly like you would an internal employee. ",[],{},{"nodeType":402,"data":839,"content":840},{},[],{"nodeType":243,"data":842,"content":843},{},[844],{"nodeType":247,"value":845,"marks":846,"data":848},"Final thoughts",[847],{"type":251},{},{"nodeType":254,"data":850,"content":851},{},[852,856,865],{"nodeType":247,"value":853,"marks":854,"data":855},"Cyber Essentials has taken a meaningful step toward addressing the real threat organizations face in the form of compromised credentials and MFA gaps, but they’re not alone. When missing MFA has led to a cyber breach, it has been met with both ",[],{},{"nodeType":262,"data":857,"content":859},{"uri":858},"https://pushsecurity.com/resources/mfa-regulation-compliance",[860],{"nodeType":247,"value":861,"marks":862,"data":864},"regulatory fines and insurance non-payment",[863],{"type":270},{},{"nodeType":247,"value":866,"marks":867,"data":868},", with NYDFS in particular leading the charge. ",[],{},{"nodeType":254,"data":870,"content":871},{},[872],{"nodeType":247,"value":873,"marks":874,"data":875},"But this isn’t the only threat organizations face. Modern, browser-native attacks are dominating the breach headlines, with attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, ConsentFix, and session hijacking. ",[],{},{"nodeType":254,"data":877,"content":878},{},[879],{"nodeType":247,"value":880,"marks":881,"data":882},"Push tackles all of these attacks using behavioral threat detection controls, powered by deep browser telemetry, to provide broad detection and blocking capabilities against attacks happening in the browser. This means analyzing the end-to-end process of a webpage loading/running in the browser, and how the user interacts with the page, to spot universal indicators of bad activity. ",[],{},{"nodeType":254,"data":884,"content":885},{},[886,890,899,903,912,916,925],{"nodeType":247,"value":887,"marks":888,"data":889},"Want to learn more about Push and how we can help? ",[],{},{"nodeType":262,"data":891,"content":893},{"uri":892},"https://pushsecurity.com/resources/product-brochure",[894],{"nodeType":247,"value":895,"marks":896,"data":898},"Check out our latest product overview",[897],{"type":270},{},{"nodeType":247,"value":900,"marks":901,"data":902},", ",[],{},{"nodeType":262,"data":904,"content":906},{"uri":905},"https://pushsecurity.com/product-demo/",[907],{"nodeType":247,"value":908,"marks":909,"data":911},"visit our demo library",[910],{"type":270},{},{"nodeType":247,"value":913,"marks":914,"data":915},", or ",[],{},{"nodeType":262,"data":917,"content":919},{"uri":918},"https://pushsecurity.com/demo",[920],{"nodeType":247,"value":921,"marks":922,"data":924},"book some time with one of our team for a live demo",[923],{"type":270},{},{"nodeType":247,"value":926,"marks":927,"data":928},".",[],{},{"nodeType":290,"data":930,"content":934},{"target":931},{"sys":932},{"id":933,"type":295,"linkType":296},"2mpx0GOwIviUAdvLGitxua",[],{"nodeType":254,"data":936,"content":937},{},[938],{"nodeType":247,"value":29,"marks":939,"data":940},[],{},{"entries":942},{"hyperlink":943,"inline":944,"block":945},[],[],[946,954,961,967,974,980,1034,1040,1046,1053,1059,1085],{"sys":947,"__typename":948,"title":949,"caption":949,"layoutMode":62,"file":950},{"id":294},"Image","Update to the definition of cloud services (NCSC): i.e. any service that is accessed with a business email or account.",{"url":951,"width":952,"height":953},"https://images.ctfassets.net/y1cdw1ablpvd/fIVcKhF4DdxwjGFPBv8AP/744683ac8a97c90483b98cf2289c8c8a/image8_1.png",1193,247,{"sys":955,"__typename":948,"title":956,"caption":956,"layoutMode":62,"file":957},{"id":302},"Changes to the marking criteria (IASME): i.e. MFA is expected to be enforced for logins to every cloud service.",{"url":958,"width":959,"height":960},"https://images.ctfassets.net/y1cdw1ablpvd/1Kn7L6pvmeNtC5SLOL92Af/4311c559323df3613d7ed2038bf6a50a/image1_6.png",1504,816,{"sys":962,"__typename":963,"title":964,"arcadeDemoUrl":965,"playText":966},{"id":438},"ArcadeDemo","Solving Shadow SaaS & MFA Gaps","https://demo.arcade.software/P3zLqR7AyL98bziCV7b4?embed","1 mins",{"sys":968,"__typename":948,"title":969,"caption":969,"layoutMode":62,"file":970},{"id":484},"There are 100s of apps in use across an enterprise, resulting in 1000s of accounts (we see an average of 15x accounts per employee).",{"url":971,"width":972,"height":973},"https://images.ctfassets.net/y1cdw1ablpvd/7Bsch6QgVymNTG3rAhlDP3/2288395e281255e6826314ed84618a27/image2_3.png",1999,1274,{"sys":975,"__typename":948,"title":976,"caption":976,"layoutMode":62,"file":977},{"id":538},"Ghost logins enable attackers to bypass secure authentication methods. ",{"url":978,"width":972,"height":979},"https://images.ctfassets.net/y1cdw1ablpvd/2disLRprEmiYXBc5B9ekJl/8ce8faba41e94b95672a8275e173e4bf/image6_1.png",1139,{"sys":981,"__typename":982,"content":983,"name":1033,"title":62},{"id":583},"InsightTextBlockComponent",{"json":984},{"nodeType":239,"data":985,"content":986},{},[987],{"nodeType":254,"data":988,"content":989},{},[990,994,999,1003,1008,1012,1017,1021,1029],{"nodeType":247,"value":991,"marks":992,"data":993},"Combining the ",[],{},{"nodeType":247,"value":995,"marks":996,"data":998},"lack of SSO support",[997],{"type":251},{},{"nodeType":247,"value":1000,"marks":1001,"data":1002}," with the ",[],{},{"nodeType":247,"value":1004,"marks":1005,"data":1007},"ease of self adoption",[1006],{"type":251},{},{"nodeType":247,"value":1009,"marks":1010,"data":1011}," and issue of ",[],{},{"nodeType":247,"value":1013,"marks":1014,"data":1016},"concurrent login methods",[1015],{"type":251},{},{"nodeType":247,"value":1018,"marks":1019,"data":1020},", we're in a world where passwords aren't going anywhere fast. And if you think your employees are using only one password at best (to log into their enterprise SSO) ",[],{},{"nodeType":262,"data":1022,"content":1024},{"uri":1023},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have/",[1025],{"nodeType":247,"value":1026,"marks":1027,"data":1028},"you're in for a big surprise",[],{},{"nodeType":247,"value":1030,"marks":1031,"data":1032},". ",[],{},"Cyber Essentials Insight Box 3",{"sys":1035,"__typename":948,"title":1036,"caption":1036,"layoutMode":62,"file":1037},{"id":628},"Account management requirements.",{"url":1038,"width":972,"height":1039},"https://images.ctfassets.net/y1cdw1ablpvd/50nkfseFjz2aJQlZLoNCpO/fd883edf749f715ac7d0b52774873f36/image5_5.png",1156,{"sys":1041,"__typename":948,"title":1042,"caption":1042,"layoutMode":62,"file":1043},{"id":634},"Password policy requirements.",{"url":1044,"width":972,"height":1045},"https://images.ctfassets.net/y1cdw1ablpvd/fwBDarwTnB8YJ7VQrFQqa/8b9a6a22f9ac62ff4b4716b155403a3d/image3_8.png",951,{"sys":1047,"__typename":948,"title":1048,"caption":1048,"layoutMode":62,"file":1049},{"id":640},"Third-party requirements.",{"url":1050,"width":1051,"height":1052},"https://images.ctfassets.net/y1cdw1ablpvd/6ulZcdHXvmr15qEeNdFaol/de23532bbb2502a7084dbdbdd9e61e7d/image7_3.png",1234,552,{"sys":1054,"__typename":948,"title":1055,"caption":1055,"layoutMode":62,"file":1056},{"id":664},"Microsoft Entra and Okta SSO dashboard examples.",{"url":1057,"width":972,"height":1058},"https://images.ctfassets.net/y1cdw1ablpvd/3KhjNWelYkdooqHcZsJwgX/51ada3120e9ed0188ef195fbb2819870/image4.png",680,{"sys":1060,"__typename":982,"content":1061,"name":1084,"title":62},{"id":748},{"json":1062},{"nodeType":239,"data":1063,"content":1064},{},[1065],{"nodeType":254,"data":1066,"content":1067},{},[1068,1072,1081],{"nodeType":247,"value":1069,"marks":1070,"data":1071},"You can read more about these Scattered Lapsus$ Hunters attacks and the bigger picture ",[],{},{"nodeType":262,"data":1073,"content":1075},{"uri":1074},"https://pushsecurity.com/blog/scattered-lapsus-hunters/",[1076],{"nodeType":247,"value":1077,"marks":1078,"data":1080},"here",[1079],{"type":270},{},{"nodeType":247,"value":926,"marks":1082,"data":1083},[],{},"Cyber Essentials Insight Box 2",{"sys":1086,"__typename":1087,"type":1088,"ctaText":1089,"buttonLabel":173,"buttonColour":1090,"buttonUrl":858},{"id":933},"CtaWidget","Custom","Get our whitepaper to learn how attackers are exploiting MFA gaps and what security teams can do about it","sunny orange","json",{"items":1093},[],{},"Cyber Essentials 2026: Mandatory MFA on ALL cloud services","2026-02-12T00:00:00.000Z",{"items":1098},[1099,1700],{"__typename":1100,"sys":1101,"content":1103,"title":1678,"synopsis":1679,"hashTags":62,"publishedDate":1680,"slug":1681,"tagsCollection":1682,"authorsCollection":1692},"BlogPosts",{"id":1102},"7pU8f4ojNr8rttiSNS2qSU",{"json":1104},{"data":1105,"content":1106,"nodeType":239},{},[1107,1127,1134,1141,1210,1256,1262,1269,1272,1280,1287,1335,1356,1363,1366,1374,1381,1414,1421,1429,1432,1440,1448,1455,1462,1470,1477,1484,1492,1499,1518,1524,1527,1535,1542,1561,1568,1575,1578,1586,1593,1600,1607,1614,1620,1623,1631,1638,1667,1672],{"data":1108,"content":1109,"nodeType":254},{},[1110,1114,1123],{"data":1111,"marks":1112,"value":1113,"nodeType":247},{},[],"The ",{"data":1115,"content":1117,"nodeType":262},{"uri":1116},"https://therecord.media/auto-insurance-companies-fined-ny-state-pre-fill-data-breaches",[1118],{"data":1119,"marks":1120,"value":1122,"nodeType":247},{},[1121],{"type":270},"latest regulatory enforcement",{"data":1124,"marks":1125,"value":1126,"nodeType":247},{},[]," from NYDFS resulted in a total of $14.2m in fines across 8 insurance providers following data breaches that exposed the private information of more than 825,000 people, due to vulnerabilities affecting both its consumer-facing and internal quoting tools. ",{"data":1128,"content":1129,"nodeType":254},{},[1130],{"data":1131,"marks":1132,"value":1133,"nodeType":247},{},[],"Several of the companies did not have multi-factor authentication in place for insurance agents who used the private version of the tool. ",{"data":1135,"content":1136,"nodeType":254},{},[1137],{"data":1138,"marks":1139,"value":1140,"nodeType":247},{},[],"This isn’t the first time that NYDFS has issued fines for missing MFA. NYDFS fined:",{"data":1142,"content":1143,"nodeType":312},{},[1144,1166,1188],{"data":1145,"content":1146,"nodeType":316},{},[1147],{"data":1148,"content":1149,"nodeType":254},{},[1150,1153,1162],{"data":1151,"marks":1152,"value":29,"nodeType":247},{},[],{"data":1154,"content":1156,"nodeType":262},{"uri":1155},"https://therecord.media/new-york-fines-auto-insurers-11-million-leaked-data",[1157],{"data":1158,"marks":1159,"value":1161,"nodeType":247},{},[1160],{"type":270},"Travelers Insurance",{"data":1163,"marks":1164,"value":1165,"nodeType":247},{},[]," $1.55m for failing to enforce MFA on its system used by insurance agents.",{"data":1167,"content":1168,"nodeType":316},{},[1169],{"data":1170,"content":1171,"nodeType":254},{},[1172,1175,1184],{"data":1173,"marks":1174,"value":29,"nodeType":247},{},[],{"data":1176,"content":1178,"nodeType":262},{"uri":1177},"https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202104141",[1179],{"data":1180,"marks":1181,"value":1183,"nodeType":247},{},[1182],{"type":270},"National Securities Corporation",{"data":1185,"marks":1186,"value":1187,"nodeType":247},{},[]," $3m for failing to implement MFA.",{"data":1189,"content":1190,"nodeType":316},{},[1191],{"data":1192,"content":1193,"nodeType":254},{},[1194,1197,1206],{"data":1195,"marks":1196,"value":29,"nodeType":247},{},[],{"data":1198,"content":1200,"nodeType":262},{"uri":1199},"https://www.dfs.ny.gov/system/files/documents/2023/05/ea20230524_co_onemain.pdf",[1201],{"data":1202,"marks":1203,"value":1205,"nodeType":247},{},[1204],{"type":270},"OneMain Financial",{"data":1207,"marks":1208,"value":1209,"nodeType":247},{},[]," $4.2m for working with third-party service providers that did not enforce MFA.",{"data":1211,"content":1212,"nodeType":254},{},[1213,1217,1226,1230,1239,1243,1252],{"data":1214,"marks":1215,"value":1216,"nodeType":247},{},[],"NYDFS is not alone in issuing enforcements for missing MFA. Fines levied under ",{"data":1218,"content":1220,"nodeType":262},{"uri":1219},"https://compliancy-group.com/childrens-hospital-colorado-fined-by-ocr/",[1221],{"data":1222,"marks":1223,"value":1225,"nodeType":247},{},[1224],{"type":270},"HIPAA",{"data":1227,"marks":1228,"value":1229,"nodeType":247},{},[]," and ",{"data":1231,"content":1233,"nodeType":262},{"uri":1232},"https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/03/software-provider-fined-3m-following-2022-ransomware-attack/",[1234],{"data":1235,"marks":1236,"value":1238,"nodeType":247},{},[1237],{"type":270},"GDPR",{"data":1240,"marks":1241,"value":1242,"nodeType":247},{},[]," have also penalised MFA gaps. There are also recent examples of ",{"data":1244,"content":1246,"nodeType":262},{"uri":1245},"https://www.cbc.ca/news/canada/hamilton/cybersecurity-breach-1.7597713",[1247],{"data":1248,"marks":1249,"value":1251,"nodeType":247},{},[1250],{"type":270},"insurance claim denial",{"data":1253,"marks":1254,"value":1255,"nodeType":247},{},[]," due to the lack of MFA. ",{"data":1257,"content":1261,"nodeType":290},{"target":1258},{"sys":1259},{"id":1260,"type":295,"linkType":296},"29fhgKLvjD3OJfJF1ZgC5g",[],{"data":1263,"content":1264,"nodeType":254},{},[1265],{"data":1266,"marks":1267,"value":1268,"nodeType":247},{},[],"This serves as the backdrop for upcoming changes to NYCRR Part 500 that will further tighten the requirements around MFA and asset inventory procedures. ",{"data":1270,"content":1271,"nodeType":402},{},[],{"data":1273,"content":1274,"nodeType":243},{},[1275],{"data":1276,"marks":1277,"value":1279,"nodeType":247},{},[1278],{"type":251},"How NYCRR Part 500 is getting stricter on MFA",{"data":1281,"content":1282,"nodeType":254},{},[1283],{"data":1284,"marks":1285,"value":1286,"nodeType":247},{},[],"As demonstrated by the enforcements relating to MFA gaps, NYCRR Part 500 is already quite strict on its MFA requirements. Section 500.12 mandates MFA for:",{"data":1288,"content":1289,"nodeType":312},{},[1290,1305,1320],{"data":1291,"content":1292,"nodeType":316},{},[1293],{"data":1294,"content":1295,"nodeType":254},{},[1296,1301],{"data":1297,"marks":1298,"value":1300,"nodeType":247},{},[1299],{"type":251},"Remote access to internal systems:",{"data":1302,"marks":1303,"value":1304,"nodeType":247},{},[]," Any user connecting from outside the organization’s network (e.g. over the internet or other external networks) must authenticate with MFA.",{"data":1306,"content":1307,"nodeType":316},{},[1308],{"data":1309,"content":1310,"nodeType":254},{},[1311,1316],{"data":1312,"marks":1313,"value":1315,"nodeType":247},{},[1314],{"type":251},"Remote access to third-party or cloud applications holding non-public information: ",{"data":1317,"marks":1318,"value":1319,"nodeType":247},{},[],"Covered entities must also use MFA for access to external applications (such as cloud services) that contain non-public Information. NYDFS explicitly considers platforms like Office 365, Google Workspace, Salesforce, AWS/Azure cloud resources, fintech or AI platforms, and any other third-party service provider systems that handle the company’s data as part of a firm’s “internal network”.",{"data":1321,"content":1322,"nodeType":316},{},[1323],{"data":1324,"content":1325,"nodeType":254},{},[1326,1331],{"data":1327,"marks":1328,"value":1330,"nodeType":247},{},[1329],{"type":251},"Privileged accounts: ",{"data":1332,"marks":1333,"value":1334,"nodeType":247},{},[],"MFA is required for all privileged accounts (administrative or elevated privilege accounts) to prevent unauthorized use. ",{"data":1336,"content":1337,"nodeType":254},{},[1338,1342,1347,1351],{"data":1339,"marks":1340,"value":1341,"nodeType":247},{},[],"The changes coming into place on November 1st broaden the scope of MFA to ",{"data":1343,"marks":1344,"value":1346,"nodeType":247},{},[1345],{"type":251},"all access",{"data":1348,"marks":1349,"value":1350,"nodeType":247},{},[],": covered entities must require multi-factor authentication for any individual accessing any of the entity’s information systems, regardless of user type, location, or the sensitivity of the system. In other words, ",{"data":1352,"marks":1353,"value":1355,"nodeType":247},{},[1354],{"type":251},"MFA is no longer limited to remote logins or systems containing non-public information – it now applies enterprise-wide, even for internal or on-premises access and for systems that may not hold sensitive data.",{"data":1357,"content":1358,"nodeType":254},{},[1359],{"data":1360,"marks":1361,"value":1362,"nodeType":247},{},[],"The newly introduced requirement for a maintained and periodically reviewed asset inventory of all information systems also directly impacts the scope of MFA enforcement. NYDFS has consistently included outsourced, third-party, and cloud applications services used by an organization within its scope.",{"data":1364,"content":1365,"nodeType":402},{},[],{"data":1367,"content":1368,"nodeType":243},{},[1369],{"data":1370,"marks":1371,"value":1373,"nodeType":247},{},[1372],{"type":251},"What this means for compliance",{"data":1375,"content":1376,"nodeType":254},{},[1377],{"data":1378,"marks":1379,"value":1380,"nodeType":247},{},[],"To be able to maintain compliance with NYCRR Part 500, organizations must:",{"data":1382,"content":1383,"nodeType":312},{},[1384,1394,1404],{"data":1385,"content":1386,"nodeType":316},{},[1387],{"data":1388,"content":1389,"nodeType":254},{},[1390],{"data":1391,"marks":1392,"value":1393,"nodeType":247},{},[],"Inventory all apps and services that are accessed over the internet.",{"data":1395,"content":1396,"nodeType":316},{},[1397],{"data":1398,"content":1399,"nodeType":254},{},[1400],{"data":1401,"marks":1402,"value":1403,"nodeType":247},{},[],"Achieve MFA compliance across all apps. ",{"data":1405,"content":1406,"nodeType":316},{},[1407],{"data":1408,"content":1409,"nodeType":254},{},[1410],{"data":1411,"marks":1412,"value":1413,"nodeType":247},{},[],"Regularly demonstrate an up-to-date app inventory and MFA coverage. ",{"data":1415,"content":1416,"nodeType":254},{},[1417],{"data":1418,"marks":1419,"value":1420,"nodeType":247},{},[],"If this cannot be achieved or a breach occurs that demonstrates inadequate visibility or coverage, precedent indicates that regulatory enforcement will follow. ",{"data":1422,"content":1423,"nodeType":254},{},[1424],{"data":1425,"marks":1426,"value":1428,"nodeType":247},{},[1427],{"type":251},"Unfortunately, this is easier said than done for most organizations. ",{"data":1430,"content":1431,"nodeType":402},{},[],{"data":1433,"content":1434,"nodeType":243},{},[1435],{"data":1436,"marks":1437,"value":1439,"nodeType":247},{},[1438],{"type":251},"Why is this a problem?",{"data":1441,"content":1442,"nodeType":586},{},[1443],{"data":1444,"marks":1445,"value":1447,"nodeType":247},{},[1446],{"type":251},"App sprawl and shadow SaaS",{"data":1449,"content":1450,"nodeType":254},{},[1451],{"data":1452,"marks":1453,"value":1454,"nodeType":247},{},[],"Most organizations now use hundreds of SaaS applications, which translates into thousands of sprawling user identities, login methods, and ways to access company systems and data. True MFA coverage expands beyond your centrally managed, SSO-connected apps or your primary enterprise login to any and every app used by your employees for work.",{"data":1456,"content":1457,"nodeType":254},{},[1458],{"data":1459,"marks":1460,"value":1461,"nodeType":247},{},[],"But with many apps not directly managed by IT or properly onboarded, it’s all too common for shadow apps to sit outside the scope of typical audits — but inside the reach of attackers.",{"data":1463,"content":1464,"nodeType":586},{},[1465],{"data":1466,"marks":1467,"value":1469,"nodeType":247},{},[1468],{"type":251},"Configuration challenges",{"data":1471,"content":1472,"nodeType":254},{},[1473],{"data":1474,"marks":1475,"value":1476,"nodeType":247},{},[],"Even when apps are known about, each app is built differently. Design choices can have a big impact on how authentication and account management is handled. This leads to situations where, for example, apps allow simultaneous login methods, don’t provide admin-level controls to enforce MFA, or allow account config changes on behalf of users in your app tenant.",{"data":1478,"content":1479,"nodeType":254},{},[1480],{"data":1481,"marks":1482,"value":1483,"nodeType":247},{},[],"This isn’t just an app sprawl problem either — even when it comes to core environments the complexities of configuration can lead to coverage gaps. Anyone that’s had to manage group policy in Microsoft, for example, can attest to how convoluted and error-prone this is. ",{"data":1485,"content":1486,"nodeType":586},{},[1487],{"data":1488,"marks":1489,"value":1491,"nodeType":247},{},[1490],{"type":251},"Ghost logins",{"data":1493,"content":1494,"nodeType":254},{},[1495],{"data":1496,"marks":1497,"value":1498,"nodeType":247},{},[],"When an app is first used, particularly if self-adopted, a username and password is typically created. Even when an SSO login is created, it’s usually added on top of password authentication instead of replacing it. And unless specifically disabled or removed, these password-based login methods can continue to be used. ",{"data":1500,"content":1501,"nodeType":254},{},[1502,1506,1514],{"data":1503,"marks":1504,"value":1505,"nodeType":247},{},[],"Because most organizations rely on configuring MFA at their IdP login, local logins without MFA can go unnoticed. These “ghost logins” can lead to unexpected MFA gaps that leave accounts exposed. According to Push data, ",{"data":1507,"content":1508,"nodeType":262},{"uri":1023},[1509],{"data":1510,"marks":1511,"value":1513,"nodeType":247},{},[1512],{"type":270},"2 in 5 accounts are missing MFA",{"data":1515,"marks":1516,"value":1517,"nodeType":247},{},[],", and many also have a password vulnerability (such as appearing in a password breach or compromised credential feed) that means they’re sitting ducks for an attacker, waiting to be exploited.",{"data":1519,"content":1523,"nodeType":290},{"target":1520},{"sys":1521},{"id":1522,"type":295,"linkType":296},"3ZLHFb7DD3Q3f8oH5f3l9X",[],{"data":1525,"content":1526,"nodeType":402},{},[],{"data":1528,"content":1529,"nodeType":243},{},[1530],{"data":1531,"marks":1532,"value":1534,"nodeType":247},{},[1533],{"type":251},"The future of compliance",{"data":1536,"content":1537,"nodeType":254},{},[1538],{"data":1539,"marks":1540,"value":1541,"nodeType":247},{},[],"NYDFS is leading the way in terms of its stance on MFA and understanding of the modern, decentralized, SaaS-centric IT landscape. But they’re not alone, and other regulators will follow suit as breaches continue to dominate the headlines. ",{"data":1543,"content":1544,"nodeType":254},{},[1545,1549,1557],{"data":1546,"marks":1547,"value":1548,"nodeType":247},{},[],"It can take a while for a major breach to translate into regulatory enforcement. ",{"data":1550,"content":1551,"nodeType":262},{"uri":710},[1552],{"data":1553,"marks":1554,"value":1556,"nodeType":247},{},[1555],{"type":270},"2024’s Snowflake breaches",{"data":1558,"marks":1559,"value":1560,"nodeType":247},{},[]," are a great example of this. Attackers exploited widespread MFA gaps to log into customer Snowflake tenants and steal hundreds of millions of customer records. This was made worse by the fact that the credentials used to access these accounts were found in infostealer credential dumps dating back to 2020 — just sitting around waiting for attackers to exploit them. ",{"data":1562,"content":1563,"nodeType":254},{},[1564],{"data":1565,"marks":1566,"value":1567,"nodeType":247},{},[],"In the wake of Snowflake, multiple regulatory bodies have yet to make a judgement. The Spanish data protection authority (AEPD), the U.S. FCC, FTC, and various state data protection authorities all have investigations ongoing, with class action lawsuits also taking place against many of the impacted businesses. ",{"data":1569,"content":1570,"nodeType":254},{},[1571],{"data":1572,"marks":1573,"value":1574,"nodeType":247},{},[],"As we’ve seen with NYDFS’s post-breach enforcement, even if you think you’ve complied by rolling out MFA at the application level, but still have vulnerable accounts, you will be penalised in the event of a breach. This is why a policy or control based view of MFA compliance is no longer sufficient — you need to be able to audit and validate MFA configuration at the account level.",{"data":1576,"content":1577,"nodeType":402},{},[],{"data":1579,"content":1580,"nodeType":243},{},[1581],{"data":1582,"marks":1583,"value":1585,"nodeType":247},{},[1584],{"type":251},"How Push Security can help",{"data":1587,"content":1588,"nodeType":254},{},[1589],{"data":1590,"marks":1591,"value":1592,"nodeType":247},{},[],"Push Security’s browser-based security platform observes logins directly in employee browsers, building a comprehensive picture of user identities and login methods across every app.",{"data":1594,"content":1595,"nodeType":254},{},[1596],{"data":1597,"marks":1598,"value":1599,"nodeType":247},{},[],"Push shows you every app your employees are using (even the unmanaged ones you don’t know about), providing detailed information about how users are logging in, and where vulnerabilities exist. This includes accounts missing MFA, where users are logging in with a username and password over SSO, and where a user’s password has appeared in a compromised credential feed. You can also use Push to deliver in-browser guidance to users to prompt them to remediate insecure logins.",{"data":1601,"content":1602,"nodeType":254},{},[1603],{"data":1604,"marks":1605,"value":1606,"nodeType":247},{},[],"With Push, you can build a full picture of your app estate and MFA posture down to the individual account level, with real-time, continuous monitoring of identities to catch and course-correct any drift that could be exploited by attackers — helping you to achieve and maintain compliance with regulations like NYCRR Part 500.",{"data":1608,"content":1609,"nodeType":254},{},[1610],{"data":1611,"marks":1612,"value":1613,"nodeType":247},{},[],"Check out the video below for more information.",{"data":1615,"content":1619,"nodeType":290},{"target":1616},{"sys":1617},{"id":1618,"type":295,"linkType":296},"1axELRNRyXglrf81FEkDhb",[],{"data":1621,"content":1622,"nodeType":402},{},[],{"data":1624,"content":1625,"nodeType":243},{},[1626],{"data":1627,"marks":1628,"value":1630,"nodeType":247},{},[1629],{"type":251},"Learn more",{"data":1632,"content":1633,"nodeType":254},{},[1634],{"data":1635,"marks":1636,"value":1637,"nodeType":247},{},[],"This isn’t all we do: Push’s browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. You don’t need to wait until it all goes wrong — you can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack surface.",{"data":1639,"content":1640,"nodeType":254},{},[1641,1645,1653,1657,1664],{"data":1642,"marks":1643,"value":1644,"nodeType":247},{},[],"To learn more about Push, ",{"data":1646,"content":1647,"nodeType":262},{"uri":892},[1648],{"data":1649,"marks":1650,"value":1652,"nodeType":247},{},[1651],{"type":270},"check out our latest product overview",{"data":1654,"marks":1655,"value":1656,"nodeType":247},{},[]," or ",{"data":1658,"content":1659,"nodeType":262},{"uri":918},[1660],{"data":1661,"marks":1662,"value":921,"nodeType":247},{},[1663],{"type":270},{"data":1665,"marks":1666,"value":926,"nodeType":247},{},[],{"data":1668,"content":1671,"nodeType":290},{"target":1669},{"sys":1670},{"id":1260,"type":295,"linkType":296},[],{"data":1673,"content":1674,"nodeType":254},{},[1675],{"data":1676,"marks":1677,"value":29,"nodeType":247},{},[],"What the expansion of NYCRR Part 500 means for MFA regulation and compliance","NYCRR Part 500 is tightening its MFA and asset management requirements. Here's what the changes means for compliance. ","2025-10-31T00:00:00.000Z","what-the-expansion-of-nydfs-nycrr-part-500-means-for-mfa-compliance",{"items":1683},[1684,1688],{"sys":1685,"name":1687},{"id":1686},"1gZi8NrRy2v9OqPV7C4dwD","Risk management",{"sys":1689,"name":1691},{"id":1690},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"items":1693},[1694],{"fullName":1695,"firstName":1696,"jobTitle":1697,"profilePicture":1698},"Mark Orlando","Mark","Field CTO",{"url":1699},"https://images.ctfassets.net/y1cdw1ablpvd/592PMwIQQFaa24k5SKBEKF/a33090d0ad95d1e3081f5d16a46ba826/image__68_.png",{"__typename":1100,"sys":1701,"content":1703,"title":2204,"synopsis":2205,"hashTags":62,"publishedDate":2206,"slug":2207,"tagsCollection":2208,"authorsCollection":2216},{"id":1702},"3YXrPQptEX3P0Hrd550its",{"json":1704},{"nodeType":239,"data":1705,"content":1706},{},[1707,1714,1733,1740,1743,1751,1758,1765,1889,1896,1902,1905,1913,1920,1927,1934,1941,1949,1956,1963,1966,1974,1981,1988,1995,2001,2008,2036,2047,2053,2056,2064,2072,2079,2112,2117,2123,2128,2131,2139,2146,2165,2171,2178],{"nodeType":254,"data":1708,"content":1709},{},[1710],{"nodeType":247,"value":1711,"marks":1712,"data":1713},"Many security leaders would confidently say they have MFA deployed everywhere. But that confidence often disappears when a breach investigation begins. The reality? MFA coverage is far from complete.",[],{},{"nodeType":254,"data":1715,"content":1716},{},[1717,1721,1729],{"nodeType":247,"value":1718,"marks":1719,"data":1720},"MFA is inconsistently enforced across the modern identity surface. Logins without MFA frequently slip through the cracks, exposing critical access points to business systems and data. And attackers know it — as they demonstrated best in ",[],{},{"nodeType":262,"data":1722,"content":1723},{"uri":710},[1724],{"nodeType":247,"value":1725,"marks":1726,"data":1728},"2024's infamous Snowflake breaches",[1727],{"type":270},{},{"nodeType":247,"value":1730,"marks":1731,"data":1732},". ",[],{},{"nodeType":254,"data":1734,"content":1735},{},[1736],{"nodeType":247,"value":1737,"marks":1738,"data":1739},"Regulators and insurers are catching on, too. Where MFA was once considered best practice, it’s now an expectation; implied in some frameworks, explicitly required in others, and enforced more aggressively than ever before. Whether you’re trying to meet PCI DSS, HIPAA, or GDPR requirements, the question is no longer if you have MFA, it’s where and how it’s enforced — and can you prove it?",[],{},{"nodeType":402,"data":1741,"content":1742},{},[],{"nodeType":243,"data":1744,"content":1745},{},[1746],{"nodeType":247,"value":1747,"marks":1748,"data":1750},"Framework-by-framework breakdown: what they really say about MFA",[1749],{"type":251},{},{"nodeType":254,"data":1752,"content":1753},{},[1754],{"nodeType":247,"value":1755,"marks":1756,"data":1757},"MFA isn’t just a checkbox. It’s a regulatory expectation. While some frameworks spell that out clearly, others imply it in broader language. Either way, the enforcement trend is undeniable: organizations are being held accountable if MFA is missing.",[],{},{"nodeType":254,"data":1759,"content":1760},{},[1761],{"nodeType":247,"value":1762,"marks":1763,"data":1764},"Here’s how key frameworks treat MFA today:",[],{},{"nodeType":312,"data":1766,"content":1767},{},[1768,1778,1800,1822,1869,1879],{"nodeType":316,"data":1769,"content":1770},{},[1771],{"nodeType":254,"data":1772,"content":1773},{},[1774],{"nodeType":247,"value":1775,"marks":1776,"data":1777},"PCI DSS v4.0 requires mandatory MFA for all non-console administrative access and remote access to cardholder environments.",[],{},{"nodeType":316,"data":1779,"content":1780},{},[1781],{"nodeType":254,"data":1782,"content":1783},{},[1784,1788,1796],{"nodeType":247,"value":1785,"marks":1786,"data":1787},"HIPAA doesn’t use the term “MFA” directly, but under the Security Rule, it mandates “reasonable and appropriate safeguards,” and the absence of MFA has led to audit findings and penalties — e.g. a US children’s hospital received a ",[],{},{"nodeType":262,"data":1789,"content":1790},{"uri":1219},[1791],{"nodeType":247,"value":1792,"marks":1793,"data":1795},"$500,000",[1794],{"type":270},{},{"nodeType":247,"value":1797,"marks":1798,"data":1799}," HIPAA fine for insufficient MFA.",[],{},{"nodeType":316,"data":1801,"content":1802},{},[1803],{"nodeType":254,"data":1804,"content":1805},{},[1806,1810,1818],{"nodeType":247,"value":1807,"marks":1808,"data":1809},"GDPR similarly focuses on “appropriate technical measures.” In 2023, the UK’s ICO fined a UK software company ",[],{},{"nodeType":262,"data":1811,"content":1812},{"uri":1232},[1813],{"nodeType":247,"value":1814,"marks":1815,"data":1817},"£3.07 million",[1816],{"type":270},{},{"nodeType":247,"value":1819,"marks":1820,"data":1821}," for a breach involving missing MFA, setting a clear precedent.",[],{},{"nodeType":316,"data":1823,"content":1824},{},[1825],{"nodeType":254,"data":1826,"content":1827},{},[1828,1832,1840,1844,1852,1856,1865],{"nodeType":247,"value":1829,"marks":1830,"data":1831},"NYDFS 500 is clear: MFA is required for all user access to covered systems, not just privileged accounts. MFA gaps resulted in a ",[],{},{"nodeType":262,"data":1833,"content":1834},{"uri":1177},[1835],{"nodeType":247,"value":1836,"marks":1837,"data":1839},"$3 million settlement",[1838],{"type":270},{},{"nodeType":247,"value":1841,"marks":1842,"data":1843}," against a financial services company, a ",[],{},{"nodeType":262,"data":1845,"content":1846},{"uri":1199},[1847],{"nodeType":247,"value":1848,"marks":1849,"data":1851},"$4.2 million",[1850],{"type":270},{},{"nodeType":247,"value":1853,"marks":1854,"data":1855}," dollar fine against a personal loan provider, and a ",[],{},{"nodeType":262,"data":1857,"content":1859},{"uri":1858},"https://www.dfs.ny.gov/reports_and_publications/press_releases/pr20241125",[1860],{"nodeType":247,"value":1861,"marks":1862,"data":1864},"$1.55 million",[1863],{"type":270},{},{"nodeType":247,"value":1866,"marks":1867,"data":1868}," fine against an auto insurer.",[],{},{"nodeType":316,"data":1870,"content":1871},{},[1872],{"nodeType":254,"data":1873,"content":1874},{},[1875],{"nodeType":247,"value":1876,"marks":1877,"data":1878},"NIST SP 800-63-3 and CISA’s EO 14028 elevate the standard further, calling for phishing-resistant MFA for federal systems and contractors.",[],{},{"nodeType":316,"data":1880,"content":1881},{},[1882],{"nodeType":254,"data":1883,"content":1884},{},[1885],{"nodeType":247,"value":1886,"marks":1887,"data":1888},"Frameworks and standards like ISO/IEC 27001, CIS Controls v8, and SOC 2 increasingly expect MFA coverage to be demonstrated during audits and certification processes.",[],{},{"nodeType":254,"data":1890,"content":1891},{},[1892],{"nodeType":247,"value":1893,"marks":1894,"data":1895},"These frameworks vary in tone and scope, but the message is consistent across the board. MFA must be enforced, not just in theory.",[],{},{"nodeType":290,"data":1897,"content":1901},{"target":1898},{"sys":1899},{"id":1900,"type":295,"linkType":296},"7dOxw1w8Ut5WDBDOki20We",[],{"nodeType":402,"data":1903,"content":1904},{},[],{"nodeType":243,"data":1906,"content":1907},{},[1908],{"nodeType":247,"value":1909,"marks":1910,"data":1912},"Insurers are scrutinising MFA gaps too",[1911],{"type":251},{},{"nodeType":254,"data":1914,"content":1915},{},[1916],{"nodeType":247,"value":1917,"marks":1918,"data":1919},"It’s not just regulators getting stricter. Insurers are building in MFA as a minimum condition of insurance coverage. ",[],{},{"nodeType":254,"data":1921,"content":1922},{},[1923],{"nodeType":247,"value":1924,"marks":1925,"data":1926},"Organizations are incentivized to have MFA. Roughly 20-25% of cyber insurance premiums are dictated by the security controls in place: MFA, EDR, regular patching, etc. ",[],{},{"nodeType":254,"data":1928,"content":1929},{},[1930],{"nodeType":247,"value":1931,"marks":1932,"data":1933},"After a breach, insurers bring in incident response teams to analyze what happened. Their job is to determine how the attacker got in and whether the controls you claimed to have were actually in place. If the entry point had no effective MFA and your policy attested that it did, the insurer may treat that as misrepresentation.",[],{},{"nodeType":254,"data":1935,"content":1936},{},[1937],{"nodeType":247,"value":1938,"marks":1939,"data":1940},"If your self-attested MFA coverage doesn’t hold up under investigation, your provider may not be required to pay, and you’re left footing the bill for IR, recovery, legal fees, and business disruption.",[],{},{"nodeType":586,"data":1942,"content":1943},{},[1944],{"nodeType":247,"value":1945,"marks":1946,"data":1948},"Case study: City of Hamilton, Ontario",[1947],{"type":251},{},{"nodeType":254,"data":1950,"content":1951},{},[1952],{"nodeType":247,"value":1953,"marks":1954,"data":1955},"The Canadian city of Hamilton, Ontario fell victim to a ransomware attack in February 2024. Attackers disabled nearly 80% of the city’s network and demanded a ransom of roughly $18.5 million in exchange for a decryption tool to unscramble the data.",[],{},{"nodeType":254,"data":1957,"content":1958},{},[1959],{"nodeType":247,"value":1960,"marks":1961,"data":1962},"They attempted to claim $5 million under their cyber insurance policy. After more than a year of dispute, the claim was denied because of MFA gaps — a condition of the coverage. Taxpayers were left to foot the $18.3 million bill, including cleanup, rebuild, and one-time consultancy fees.",[],{},{"nodeType":402,"data":1964,"content":1965},{},[],{"nodeType":243,"data":1967,"content":1968},{},[1969],{"nodeType":247,"value":1970,"marks":1971,"data":1973},"The future of compliance will be driven by cyber attacks",[1972],{"type":251},{},{"nodeType":254,"data":1975,"content":1976},{},[1977],{"nodeType":247,"value":1978,"marks":1979,"data":1980},"The direction of travel is consistent: frameworks are getting stricter, auditors are getting more technical, and enforcement is starting to hit data processors as well as controllers. ",[],{},{"nodeType":254,"data":1982,"content":1983},{},[1984],{"nodeType":247,"value":1985,"marks":1986,"data":1987},"But there’s more to it than that. In-the-wild breaches are exposing just how much business IT has evolved — and where security controls haven’t kept up. ",[],{},{"nodeType":254,"data":1989,"content":1990},{},[1991],{"nodeType":247,"value":1992,"marks":1993,"data":1994},"With the SaaS-ification of enterprise IT, core business systems aren’t locally deployed and centrally managed in the way they used to be. Instead, they’re logged into over the internet, via a web browser.",[],{},{"nodeType":290,"data":1996,"content":2000},{"target":1997},{"sys":1998},{"id":1999,"type":295,"linkType":296},"4h4hUYAghbZavOwjRTnBe2",[],{"nodeType":254,"data":2002,"content":2003},{},[2004],{"nodeType":247,"value":2005,"marks":2006,"data":2007},"So it’s not surprising that modern attackers are now targeting these apps directly. The most logical way to do this is by targeting users of those apps via identities — the vehicle by which apps are accessed and used. ",[],{},{"nodeType":254,"data":2009,"content":2010},{},[2011,2015,2023,2027,2032],{"nodeType":247,"value":2012,"marks":2013,"data":2014},"Sitting outside the typical security control boundary, it’s no surprise that this has become the soft underbelly in the crosshairs of attackers. Organizations are dealing with a vast and vulnerable attack surface consisting of ",[],{},{"nodeType":262,"data":2016,"content":2017},{"uri":1023},[2018],{"nodeType":247,"value":2019,"marks":2020,"data":2022},"hundreds of applications, with thousands of accounts",[2021],{"type":270},{},{"nodeType":247,"value":2024,"marks":2025,"data":2026}," spread across the app estate. ",[],{},{"nodeType":247,"value":2028,"marks":2029,"data":2031},"2 in 5 of these accounts are missing MFA",[2030],{"type":251},{},{"nodeType":247,"value":2033,"marks":2034,"data":2035},", and many also have a password vulnerability (such as appearing in a password breach or compromised credential feed) that means they’re sitting ducks for an attacker, waiting to be exploited. ",[],{},{"nodeType":2037,"data":2038,"content":2039},"blockquote",{},[2040],{"nodeType":254,"data":2041,"content":2042},{},[2043],{"nodeType":247,"value":2044,"marks":2045,"data":2046},"Due to SaaS blind-spots, 2 in 5 accounts are missing MFA. ",[],{},{"nodeType":290,"data":2048,"content":2052},{"target":2049},{"sys":2050},{"id":2051,"type":295,"linkType":296},"3WFzina1t5j6bDlTlGQA0l",[],{"nodeType":402,"data":2054,"content":2055},{},[],{"nodeType":243,"data":2057,"content":2058},{},[2059],{"nodeType":247,"value":2060,"marks":2061,"data":2063},"What security teams can do about it",[2062],{"type":251},{},{"nodeType":586,"data":2065,"content":2066},{},[2067],{"nodeType":247,"value":2068,"marks":2069,"data":2071},"Achieve complete MFA visibility and remediate gaps with Push Security",[2070],{"type":251},{},{"nodeType":254,"data":2073,"content":2074},{},[2075],{"nodeType":247,"value":2076,"marks":2077,"data":2078},"You can’t enforce identity policy if you can’t see where it breaks. Push gives you live, browser-based insight into how users actually authenticate – what apps they access, how they log in, and where protections like MFA fall short. Because Push runs natively in the browser, you get full coverage and built-in guardrails, without relying on app integrations, enabling you to:",[],{},{"nodeType":312,"data":2080,"content":2081},{},[2082,2092,2102],{"nodeType":316,"data":2083,"content":2084},{},[2085],{"nodeType":254,"data":2086,"content":2087},{},[2088],{"nodeType":247,"value":2089,"marks":2090,"data":2091},"Understand how identities are really used across apps",[],{},{"nodeType":316,"data":2093,"content":2094},{},[2095],{"nodeType":254,"data":2096,"content":2097},{},[2098],{"nodeType":247,"value":2099,"marks":2100,"data":2101},"Catch misconfigurations, missing MFA, and accounts using vulnerable passwords",[],{},{"nodeType":316,"data":2103,"content":2104},{},[2105],{"nodeType":254,"data":2106,"content":2107},{},[2108],{"nodeType":247,"value":2109,"marks":2110,"data":2111},"Guide users to fix issues before they become incidents",[],{},{"nodeType":290,"data":2113,"content":2116},{"target":2114},{"sys":2115},{"id":1618,"type":295,"linkType":296},[],{"nodeType":254,"data":2118,"content":2119},{},[2120],{"nodeType":247,"value":29,"marks":2121,"data":2122},[],{},{"nodeType":290,"data":2124,"content":2127},{"target":2125},{"sys":2126},{"id":933,"type":295,"linkType":296},[],{"nodeType":402,"data":2129,"content":2130},{},[],{"nodeType":586,"data":2132,"content":2133},{},[2134],{"nodeType":247,"value":2135,"marks":2136,"data":2138},"Prepare your organization for the new world of browser-based attacks",[2137],{"type":251},{},{"nodeType":254,"data":2140,"content":2141},{},[2142],{"nodeType":247,"value":2143,"marks":2144,"data":2145},"As attacks continue to evolve, we can expect regulators, insurers, and policy-makers to follow. ",[],{},{"nodeType":254,"data":2147,"content":2148},{},[2149,2152,2161],{"nodeType":247,"value":29,"marks":2150,"data":2151},[],{},{"nodeType":262,"data":2153,"content":2155},{"uri":2154},"https://pushsecurity.com/blog/6-browser-based-attacks-every-security-team-should-be-prepared-for/",[2156],{"nodeType":247,"value":2157,"marks":2158,"data":2160},"Attacks that target users in their web browsers have seen an unprecedented rise in recent years",[2159],{"type":270},{},{"nodeType":247,"value":2162,"marks":2163,"data":2164},", exploiting the biggest security blind-spot in the enterprise security stack. ",[],{},{"nodeType":290,"data":2166,"content":2170},{"target":2167},{"sys":2168},{"id":2169,"type":295,"linkType":296},"4ogNqZdObSIJXavHP44lom",[],{"nodeType":254,"data":2172,"content":2173},{},[2174],{"nodeType":247,"value":2175,"marks":2176,"data":2177},"Push Security’s browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks browser-based attacks like AiTM phishing, credential stuffing, password spraying and session hijacking using stolen session tokens. You can also use Push to find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, risky OAuth integrations, and more to harden your identity attack surface.",[],{},{"nodeType":254,"data":2179,"content":2180},{},[2181,2184,2191,2194,2201],{"nodeType":247,"value":1644,"marks":2182,"data":2183},[],{},{"nodeType":262,"data":2185,"content":2186},{"uri":892},[2187],{"nodeType":247,"value":1652,"marks":2188,"data":2190},[2189],{"type":270},{},{"nodeType":247,"value":1656,"marks":2192,"data":2193},[],{},{"nodeType":262,"data":2195,"content":2196},{"uri":918},[2197],{"nodeType":247,"value":921,"marks":2198,"data":2200},[2199],{"type":270},{},{"nodeType":247,"value":926,"marks":2202,"data":2203},[],{},"How cyber breaches are driving tighter MFA requirements and enforcement","MFA regulators, insurers, and policy-makers are getting tighter on their MFA requirements, fuelled by public cyber breaches. ","2025-09-19T00:00:00.000Z","how-cyber-breaches-are-driving-tighter-mfa-requirements-and-enforcement",{"items":2209},[2210,2212],{"sys":2211,"name":1691},{"id":1690},{"sys":2213,"name":2215},{"id":2214},"3pjES4THCIfSAwhGdNwBcy","Browser security",{"items":2217},[2218],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":2219},{"url":236},"cyber-essentials-april-2026-update","blog/cyber-essentials-april-2026-update",{"json":2223},{"data":2224,"content":2225,"nodeType":239},{},[2226],{"data":2227,"content":2228,"nodeType":254},{},[2229,2233],{"data":2230,"marks":2231,"value":2232,"nodeType":247},{},[],"Big changes are being made to the Cyber Essentials scheme in 2026 that will significantly change how companies are required to validate compliance. Here’s what you need to know about the changes ",{"data":2234,"marks":2235,"value":2236,"nodeType":247},{},[],"and how Push Security can help you deal with them. ","Big changes are being made to the Cyber Essentials scheme in 2026 that will change how companies must validate compliance. Here’s what you need to know. ",{"id":2239,"publishedAt":2240},"40T71ukTt8FYSIuFJCYM8H","2026-04-20T13:41:44.438Z",{"items":2242},[2243,2245],{"sys":2244,"name":1687},{"id":1686},{"sys":2246,"name":2215},{"id":2214},"LJYY8zNX1cdEkSil647vPdSs3NBflINM6Wh_AVvWbpY",1784196725826]