Small and medium-sized business owners across the globe are still relying only on usernames and passwords to secure critical employee, customer, and partner data, according to the Global Small Business Multi-Factor Authentication (MFA) Study released by the Cyber Readiness Institute (CRI) today. Only 46% of small business owners claim to have implemented MFA methods recommended by leading security experts, with just 13% requiring its use by employees for most account or application access.
Services that enforce MFA require users to present more than one piece of evidence whenever they log in to a business account (e.g., company email, payroll, or human resources). In MFA (also known as 2-factor authentication, or “2FA”), each piece of evidence is something the user knows (like a 15-character password), something the user is (like a fingerprint or face scan), or something the user has (their phone or email account where they can receive a one-time code).
MFA has been in use for decades and is widely recommended by cybersecurity experts, yet 55% of small and medium-sized businesses (SMBs) surveyed are not “very aware” of MFA and its security benefits, and 54% do not use it for their business. Of the businesses that have not implemented MFA, 47% noted they either didn’t understand MFA or didn’t see its value. In addition, nearly 60% of small and medium-sized business owners have not discussed MFA with their employees.
“We know nearly all account compromise attacks can be stopped outright, just by using MFA. It’s a proven, effective way to thwart bad actors,” said Karen S. Evans, managing director of CRI. “All of us—governments, non-profits, industry–need to do much more to communicate the value of MFA to small business and medium-sized owners.”
Many companies implementing some form of MFA still seem to have done so haphazardly. Only 39% of those who offer MFA have a process for prioritizing critical hardware, software, and data, with 49% merely “encouraging the use of MFA when it is available.”
“As more small businesses grow their digital presence, it’s critical to secure these new channels and opportunities,” said Ron Green, chief security officer, Mastercard. “No matter the size of the company or the resources available, there are simple steps and best practices every business owner can tap into. Implementing MFA, for example, can go a long way in protecting their business, their employees, and their customers from cyber threats.”
Implementing MFA does not require hardware changes to company computers or mobile devices. Instead, there are numerous free and low-cost software-based tools users can download for use in their company and on personal devices. For example, all major email providers offer (and encourage) MFA use. Therefore, it can be as easy as clicking an option in the email provider’s settings to turn on MFA.
“Using a strong password is important, but complexity alone isn’t enough; adding a second layer of protection with multi-factor authentication is the best way to secure access to personal accounts,” said Meg Anderson, vice president-chief information security officer at Principal Financial Group®. “MFA makes it more difficult for potential cybercriminals to gain access and steal company data – even if they have, or guess, your password.”
“As the nation’s cyber defense agency, we know that raising the cybersecurity baseline is a national security imperative,” said Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA). “The truth is, we need small and medium-sized businesses to be secure in order to protect the whole cybersecurity ecosystem, and that means they need the tools, the knowledge, and the impetus to enforce multi-factor authentication. At CISA, we’re on a mission to encourage organizations of all sizes – and Americans themselves – to use More Than A Password and enable multi-factor authentication. Today’s study points out the work left to be done—but also shows the growing community coming together—to collaborate and ensure small and medium-sized businesses have what they need to keep themselves and their customers safe online.”
There are several easy steps companies can take to implement MFA. First, companies should designate someone in the organization to be responsible for deploying MFA and provide senior leadership with frequent updates on progress and gaps. Next, organizations should update their policies and procedures with specific explanations of expectations for employees using MFA. Then, they should hold workforce information sessions and training to communicate MFA policies and expectations and explain how easy the process is for employees. Finally, they should designate someone in the organization who accepts the responsibility for cyber readiness to help employees troubleshoot as they begin using MFA. (CRI has a free guide to help SMBs understand and implement MFA.)
Additional findings from the survey include:
Only 46% of SMBs that offer MFA capabilities provide information to employees on the importance of going beyond usernames and passwords, while 20% do not train employees on the use of MFA.
SMBs using MFA cite funding for tools, implementation resources, and maintenance costs as the top three implementation challenges.
57% of businesses that offer MFA use either push notifications (phone/email) or one-time passwords.
The top three software applications that small businesses protect with MFA are databases (45%), accounting (44%), and human resources (40%).
About the Survey
The Global Small Business Multi-Factor Authentication (MFA) Study was sponsored by CRI Members, including Apple, Principal Financial Group, Microsoft, and the Center for Global Enterprise.
The global surveys of 1403 small business owners across eight countries (U.S., U.K., New Zealand, Japan, India, Germany, Canada, and Australia) were conducted from May 2 to May 15 and have a margin of error of +/- 3%.