Multifactor authentication (MFA) is a critical element of any approach to achieving zero-trust IT security. Yet, a global survey of 1,403 small business owners conducted by the Cyber Readiness Institute (CRI) finds that more than half still rely only on usernames and passwords to secure employee, customer, and partner data.
Limited awareness leads to slow MFA adoption rates
According to the survey, only 46 percent claim to have implemented MFA, with just 13 percent requiring its use by employees to access most accounts or applications.
After more than a decade, MFA adoption rates are now starting to increase more widely, but 55 percent of survey respondents noted they are not very aware of MFA and its security benefits. Among those that have not adopted MFA, 47 percent noted they either didn't understand MFA or didn't see its value. In addition, nearly 60 percent of respondents have not discussed MFA with their employees.
Even when organizations do make use of MFA, usage is often light. The survey finds nearly half (49 percent) merely encourage the use of MFA when it is available, and only 46 percent of those that offer MFA capabilities provide information to employees on the importance of going beyond usernames and passwords. A total of 20 percent don't train employees on the use of MFA at all.
Among the businesses that do use MFA, 57 percent are using either push notifications (phone/email) or one-time passwords. The top three software applications that MFA is used to access are databases (45 percent), accounting (44 percent), and human resources (40 percent). However, only 39 percent of those that offer MFA have a process for prioritizing critical hardware, software, and data.
Providing MFA as a managed service alleviates common objections
Managed service providers (MSPs), of course, have a vested interest in promoting wider adoption of MFA. Each time a username and password are compromised, it creates the potential for all kinds of cybersecurity havoc to be wrought at the expense of the MSP. Not only does the password need to be changed, but that account might also be used to distribute malware anywhere across an extended network, where it might not be activated for months.
The issues that MSPs will encounter when trying to encourage small businesses to adopt MFA include funding for tools, implementation resources, and maintenance costs, according to the survey. The best way to get around those issues is to embed MFA within the managed service itself rather than making it something that needs to be funded separately. There is naturally a cost to enabling MFA, but making it a separate billable item only serves to draw attention that is arguably unwarranted. Most small businesses are not going to object to using MFA to access applications so long as the process is managed for them.
Fortunately, awareness of the role MFA plays in enabling organizations to attain zero-trust IT security is rising. The ability of a small business to implement MFA without the aid of an MSP is going to be limited. Unless they were recently a victim of a ransomware attack, replacing usernames and passwords is just not necessarily one of the top ten things small business owners are currently focused on. As such, the only way to make MFA pervasively employed by small businesses is to start with the MSPs that most of them already rely on to manage IT on their behalf.