Building a slide deck, pitch, or presentation? Here are the big takeaways:

  • Less than 10% of active Gmail users have enabled two-factor authentication, according to Google engineers.
  • Compromised passwords are the top way hackers gain access to accounts, and all users–especially those in the enterprise–should implement two-factor authentication immediately.

Despite the myriad of high-profile cyberattacks and the growing sophistication of threats, end users are still failing to take every precaution: Less than 10% of active Google Gmail users have enabled two-factor authentication on their accounts, Google engineer Grzegorz Milka said in a presentation at the Usenix Enigma 2018 security conference in Santa Clara, CA.

Further, only 12% of Americans use a password manager to protect their accounts, Milka said, citing a 2016 Pew study.

Two-factor authentication is one of the most effective ways you can protect your online accounts, as noted by our sister site ZDNet. This is especially true given that compromised passwords are the no. 1 way attackers gain access to accounts, Google previously stated. In the enterprise, if a hacker can break into the email of even one employee, it gives them not only access to company data, but also ammunition for future phishing attacks–making it even more important for organizations to ensure all employees have enabled two-factor authentication and gone through cybersecurity training.

SEE: Password Policy (Tech Pro Research)

The feature, which Google calls 2-step verification, requires using a second step–often a single-use key or password–along with the account password to verify a user’s identity and allow them into their account. With Google, the second step can come in the form of a text message, a phone popup, through a Google Authenticator app, or from a number of printed single-use codes. It only adds a few seconds to your login time, but could save you from a number of problems later.

Google first rolled out its two-factor authentication feature back in 2011, yet users have failed to adopt the safety measure in large numbers.

At the conference, UK tech website The Register asked Milka why Google did not make two-factor authentication mandatory for all users. “The answer is usability,” Milka told the publication. “It’s about how many people would we drive out if we force them to use additional security.”

Google has made a number of other efforts to improve security for its users. In January 2017, the company announced new layers of enterprise-grade security controls for G Suite to give users more control and visibility over sensitive information. And in October 2017, it rolled out the Advanced Protection Program, which offers better defenses against phishing, accidental data sharing, and fraudulent account access for executives and professionals in fields where confidential information is shared online.

Since employees are the no. 1 cause of security breaches for companies, it’s key to have strong security measures including two-factor authentication in place across all departments and programs.

For step-by-step instructions on how to set up two-factor authentication on your Google accounts, click here.