Multi-factor authentication is a key security method designed to prevent account takeovers and related threats. By requiring a second form of authentication, MFA attempts to thwart cybercriminals who try to use compromised credentials to access important services, data and other assets. But the use of MFA is still relatively low among organizations, and that’s especially true for small and mid-sized businesses. A report released Tuesday by the Cyber Readiness Institute looks at the slow state of MFA adoption among SMBs.
CRI surveyed 1,403 small business owners across the U.S., the U.K., New Zealand, Japan, India, Germany, Canada and Australia from May 2 to May 15. Almost half of the organizations had anywhere from one to nine employees, while 45% reported annual revenues of less than $250,000.
Among the respondents, 55% admitted that they’re not very aware of MFA and its security benefits, while 54% said they haven’t adopted MFA for their business. Among those who haven’t implemented MFA, 30% said they don’t understand it, 17% said they don’t see any value in it, 15% said it’s too confusing or complicated to set up and 9% said it’s too time consuming and inconvenient to use.
“Lack of security knowledge or awareness is a common concern for SMBs,” said Matthew Warner, CTO and co-founder at threat detection firm Blumira. “While a larger enterprise will often have a staff of cybersecurity experts, SMBs are usually doing more with less. For example, an IT director or systems administrator may handle cybersecurity as well as a variety of other IT maintenance tasks.”
Only 28% of the SMB owners require MFA on their software, hardware and network devices. Some 30% said that they have general cybersecurity policies, but those policies don’t mention MFA, 27% said that their policies mention MFA but don’t require it and 15% revealed that they have no security policies at all.
Among organizations that do offer MFA to their employees, almost half said that they encourage its use when it’s available, while 39% have a process to use MFA for accessing critical hardware, software and data. Looking at the types of applications and accounts that require MFA, databases were at the top of the list among 45% of those surveyed, followed by accounting software and HR software. Other services requiring MFA included social media accounts, email and calendar programs, productivity software and remote access.
Different methods of MFA are available, but some are more convenient or easier to implement than others. Asked which methods they’ve adopted, 29% said they use push notifications to a phone or alternate email address, 28% use a one-time passcode, 15% use a token-based device and 12% use time-limited and auto-generated codes. Only 7% turn to biometrics such as facial or fingerprint scanning, while 7% use authenticator apps.
Despite its efficacy, MFA can be challenging to implement and deploy. Of the obstacles involved in MFA adoption, obtaining the necessary funding was the top one cited by SMB owners, followed by getting the right resources, choosing the right tools, maintaining the resources, having the technical expertise required to support it and resistance from employees.
Though challenges do exist, Warner says MFA is a “relatively low-effort step” for SMBs and one that can achieve huge security benefits. In many cases, organizations that already use Microsoft 365 or Google Workspace can set up MFA for free, making it an affordable option.
“MFA should be used to make authenticating more efficient, reducing the need for users to type in their passwords or even the need to create new passwords,” said Joseph Carson, chief security scientist at security firm Delinea. “A strong privileged access management solution can help reduce risk by adding additional security controls to sensitive privileged accounts along with MFA and continuous verification. Combining MFA with PAM also further improves security by moving security controls to being risk based and adaptive to the business.”