SMEs lagging on multifactor authentication

Worldwide, just 46% of small and medium-sized enterprises (SMEs) have implemented recommended multifactor authentication (MFA) technology, and only 13% mandate its use for employee account or application use, with more than half continuing to rely only on usernames and passwords to protect their critical data, according to a report produced by US-based non-profit the Cyber Readiness Institute (CRI).

MFA – also known as two-factor authentication (2FA) – is an identity and access management (IAM) tool that requires a user to present more than one piece of evidence that they are who they claim to be when they log on. Common methods of verification include sending a one-time code to a separate device, or biometric scanning.

However, despite MFA having been around for some time, well recommended by security experts and widely adopted in the enterprise world, according to the CRI, it is clear the industry has failed to get the message across to SMEs. Some 55% of SMEs said they were not very aware of MFA, 47% said they didn’t understand it or see its value, and 60% had never even discussed it with their employees.

“We know nearly all account compromise attacks can be stopped outright, just by using MFA,” said CRI managing director Karen Evans. “It’s a proven, effective way to thwart bad actors. All of us – governments, non-profits, industry – need to do much more to communicate the value of MFA to small business and medium-sized owners.”

Also, where MFA was being used in SME settings, CRI’s study found its implementation tending towards the haphazard. Only 39% of those who used it had a process for prioritising its use on critical systems, with 49% saying they merely encouraged its use if available, and there were also clear gaps around employee training. Those that used MFA tended to cite funding for tools, implementation resources and maintenance costs as their biggest implementation challenges.

Jen Easterly, director of the US’s Cybersecurity and Infrastructure Security Agency (CISA), added: “The truth is, we need small and medium-sized businesses to be secure in order to protect the whole cyber security ecosystem, and that means they need the tools, the knowledge and the impetus to enforce MFA.

“We’re on a mission to encourage organisations of all sizes to use More Than A Password and enable MFA. Today’s study points out the work left to be done – but also shows the growing community coming together – to collaborate and ensure SMEs have what they need to keep themselves and their customers safe online.”

CRI pointed out that implementing MFA generally does not require organisations to make costly hardware changes to their device estate, with SMEs able to avail themselves of numerous low-cost (or even free) software tools available for users to download. All major email providers, for example, offer MFA as an option, with activation little more than a matter of clicking through to an option in account settings.

If looking to adopt a more formalised approach – which is strongly recommended – there are several easy steps SMEs can take:

• Designate someone in the organisation to be in charge of deploying MFA and to provide leadership with updates on progress.
• Update policies and procedures with explanations of what is expected from employees using MFA.
• Hold training session to communicate policies and expectations for employees, leaning into how simple the process of using MFA can be.
• Designate someone within the organisation to help troubleshoot for employees.