Log-ins requiring only user names and passwords are still commonplace among small- and medium-sized businesses (SMBs) despite clear evidence that requiring multi-factor authentication can better secure customer, employee and partner data, a new study said.
Roughly 46% of small business owners claim to have implemented MFA methods, with just 13% requiring its use by employees for most account or application access, according to the Global Small Business Multi-Factor Authentication (MFA) Study from the Cyber Readiness Institute (CRI). Services that enforce MFA require users to present more than one piece of evidence whenever they log in to a business account.
It doesn’t take much to install MFA, CRI said. Four steps will do it:
- Designate someone in the organization to be responsible for deploying MFA and provide senior leadership with frequent updates on progress and gaps.
- Update policies and procedures with specific explanations of expectations for employees using MFA.
- Hold workforce information sessions and training to communicate MFA policies and expectations and explain how easy the process is for employees.
- Designate someone in the organization who accepts the responsibility for cyber readiness to help employees troubleshoot as they begin using MFA.
MFA is Not a New Security Feature
MFA has been in existence in one form or another for years, and is commonly used to log into business accounts. Yet, 55% of the 1,400 SMB owners surveyed globally said they are not “very aware” of MFA and its security benefits, and 54% do not use it for their business.
Of the businesses that have not implemented MFA, 47% said they either didn’t understand MFA or didn’t see its value. In addition, nearly 60% of small- and medium-sized business owners have not discussed MFA with their employees.
“We know nearly all account compromise attacks can be stopped outright, just by using MFA,” said Karen Evans, managing director of CRI. “It’s a proven, effective way to thwart bad actors. All of us — governments, non-profits, industry — need to do much more to communicate the value of MFA to small business and medium-sized owners.”
More Findings From the Survey
Here's what else the survey uncovered:
- 46% of SMBs that offer MFA capabilities provide information to employees on the importance of going beyond usernames and passwords, while 20% do not train employees on the use of MFA.
- SMBs using MFA cite funding for tools, implementation resources, and maintenance costs as the top three implementation challenges.
- 57% of businesses that offer MFA use either push notifications (phone/email) or one-time passwords.
- The top three software applications that small businesses protect with MFA are databases (45%), accounting (44%), and human resources (40%).
An important boost for MFA’s use among SMBs has come from the Cybersecurity and Infrastructure Security Agency (CISA). As CISA Director Jen Easterly assesses the matter:
"The truth is, we need small and medium-sized businesses to be secure in order to protect the whole cybersecurity ecosystem, and that means they need the tools, the knowledge, and the impetus to enforce multi-factor authentication."