Small and medium-sized business owners across the globe are still relying only on usernames and passwords to secure critical employee, customer and partner data, according to the Global Small Business Multi-Factor Authentication (MFA) Study released by the Cyber Readiness Institute (CRI). Only 46% of small business owners claim to have implemented MFA methods recommended by leading security experts, with just 13% requiring its use by employees for most account or application access.
Services that enforce MFA require users to present more than one piece of evidence whenever they log in to a business account (e.g., company email, payroll, or human resources). With MFA (also known as 2-factor authentication, or “2FA”), each piece of evidence is something the user knows (like a 15-character password), something that the user is (like a fingerprint or face scan), or something the user has (their phone or email account where they can receive a one-time code).
MFA has been in use for decades and is widely recommended by cybersecurity experts, yet 55% of small and medium-sized businesses (SMBs) surveyed are not “very aware” of MFA and its security benefits, and 54% do not use it for their business. Of the businesses that have not implemented MFA, 47% noted they either didn’t understand MFA or didn’t see its value. In addition, nearly 60% of small and medium-sized business owners have not discussed MFA with their employees.
Many companies implementing some form of MFA still seem to have done so haphazardly. Only 39% of those who offer MFA have a process for prioritizing critical hardware, software, and data, with 49% merely “encouraging the use of MFA when it is available.”
Implementing MFA does not require hardware changes to company computers or mobile devices. Instead, there are numerous free and low-cost software-based tools users can download for use in their company and on personal devices. For example, all major email providers offer (and encourage) MFA use. Therefore, it can be as easy as clicking an option in the email provider’s settings to turn on MFA.
There are several easy steps companies can take to implement MFA. First, companies should designate someone in the organization to be responsible for deploying MFA and for providing senior leadership with frequent updates on progress and gaps. Next, organizations should update their policies and procedures with specific explanations of expectations for employees using MFA. Then, they should hold workforce information sessions and training to communicate MFA policies and expectations and explain how easy the process is for employees. Finally, they should designate someone in the organization who accepts the responsibility for cyber readiness to help employees troubleshoot as they begin using MFA. (CRI has a free guide to help SMBs understand and implement MFA.)
Additional findings include:
Only 46% of SMBs that offer MFA capabilities provide information to employees on the importance of going beyond usernames and passwords, while 20% do not train employees on the use of MFA.
SMBs using MFA cite funding for tools, implementation resources, and maintenance costs as the top three implementation challenges.
57% of businesses that offer MFA use either push notifications (phone/email) or one-time passwords.
The top three software applications that small businesses protect with MFA are databases (45%), accounting (44%), and human resources (40%).