How can I convince my Managing Director that we need to implement MFA?
Over the last couple of years MFA or 2FA has steadily become part of our daily lives, with more and more of the online sites we use or buy from offering or requiring two-factor authentication. Google mandating two-factor authentication for access to Google accounts in 2021 is just one example. As consumers, we also find that our banks and credit card companies require two-factor authentication to secure online transactions or to log on to their systems.
Security awareness has grown, so you would think that MFA has been implemented in our business lives as well. But, in writing this annual round-up and looking back at some of the statistics from 2022, it was surprising to see that many companies have yet to implement MFA for access to their business systems.
Over 50% of SMBs around the world have not yet implemented MFA
A report released by the Cyber Readiness Institute (CRI) in July 2022 found that 55% of the business owners interviewed were not very aware of MFA and its security benefits. 54% said they haven’t adopted a multi-factor authentication solution for their business and 30% said that they don’t understand MFA. And if you dig a little deeper and look at industries worldwide that have implemented multi-factor authentication solutions for their employees, it is also apparent that some businesses handling sensitive information, such as legal and insurance, have been slow to adopt MFA (20% of Legal and Insurance, versus 32% in Banking/Financial).
Multi-factor authentication solutions are essential for all businesses
With more and more attempts by cyber criminals to gain access to employee credentials, and the ease with which they can purchase credentials online, the security threat is not going away.
The number and cost of cyber-attacks are increasing (even for smaller organisations). The latest UK Government Cyber Security Breaches Survey 2022 reports that of those organisations reporting cyber-attacks, 31% of businesses and 26% of charities estimate that they were attacked at least once a week, and 1 in 5 have experienced a negative outcome as a direct consequence. Multi-factor authentication solutions are a must-have for ensuring that businesses are fully protected, and MFA is a recommendation from key government organisations who advise on how to thwart potential cyber threats.
In January 2022, the UK National Cyber Security Centre (NCSC) updated their Cyber Essentials certification requirements to include Multi-Factor Authentication, so if this certification is important for your business and for demonstrating your commitment to security, then MFA is a must. In the USA in May 2022, President Biden signed an executive order for federal agencies to implement MFA and advised businesses across the US to do likewise.
MFA is also a requirement for many cyber insurance policies
Cyber insurance is available to protect businesses from risks relating to data breaches, extortion via ransomware and other cyber-attacks which would normally be excluded from typical commercial insurance policies. But there is also increasing pressure from insurers for companies to implement MFA to qualify for cyber insurance.
So, if the previous paragraphs have still not convinced you that you should be making sure you have a multi-factor authentication solution implemented across your business, then you might find it is a requirement when you sign up for cyber insurance.
“Cyber insurance will not instantly solve all of your cyber security issues, and it will not prevent a cyber breach/attack” (UK NCSC).
While insurance won’t stop an attack, cyber insurance policies typically do offer financial support in the case of data breaches, extortion via ransomware, malicious hacking and denial of service attacks, which are outside the realm of normal business insurance policies. In such instances they can help the business recover some of the costs for investigating a cybercrime, reputation management and recovery of lost data after a security breach, for example. They also cover third-party damages and the settlements of legal costs which may be involved in defending any claims resulting from a breach of data privacy regulations such as GDPR.
Policies require specific MFA controls to be put in place for complete all round security, with MFA for remote networks, cloud access and remote email access (particularly important with the growing number of remote workers) and MFA for administrator access, to ensure that you cover all access.
Hints and tips on improving password security and implementing multi-factor authentication solutions
We’ve looked at some key reasons why you should be implementing a multi-factor authentication solution. Here are a few steps you can take to improve your business’s security.
1. Stronger Passwords – One of the key reasons MFA is needed is the ease with which cyber criminals can now obtain stolen credentials. Credentials are gained via phishing and cybercriminals are now able to readily purchase these leaked credentials on the darknet. Because people have a habit of using the same password across multiple applications (both in their personal and working lives) once a password is known, it can easily be re-used to hack into other applications.
of data breaches have been the result of weak or stolen passwords
Source: Verizon Data Breach Investigations Report
Of course, one step is to get your employees to make their passwords stronger by:
- Adding numbers and special characters to easy-to-remember passwords that are difficult for others to guess.
- Avoiding the obvious, such as names, numbers and phrases.
- Making sure you use a different password for each account, or
- Using password generation to create long and complex passwords.
Fortinet have some useful tips here.
However, it is far safer and easier for your users to use multi-factor authentication (even just two-factor authentication can provide additional protection). Implementing a multi-factor authentication solution doesn’t mean you should stop encouraging your users to use strong passwords; it is good practice and should be a part of your cyber security awareness training for employees.
2. MFA for Microsoft Office 365 – It’s free, so why not implement it? So, you’ve decided that you need a multi-factor authentication solution for your business. One immediate step smaller businesses can take, especially if they are using Microsoft Office 365, is to enable the Two-Factor Authenticator. We’ve put together a short instructional video to teach Office 365 admins how to enable this added security feature, along with a simple video for users to follow.
3. MFA challenges you might encounter – You’ve decided to implement MFA. What next? Implementing a multi-factor authentication solution doesn’t come without a few challenges, whether those are reluctance to change by employees or the large number of devices that businesses and employees now have. There are some best practices in how to address some of the challenges you may come across in deploying MFA and how to resolve them. In this article, we cover:
- How to deploy in stages
- Anticipating resistance to change
- MFA for personal and company devices, and the distributed workforce
- Making authentication easy for employees
4. Implementing multi-factor authentication solutions – Best Practices. What you need is a step-by-step outline of how to approach your implementation. MFA solutions don’t need to be expensive to cover all your business needs and although there can be challenges, using a step-by-step approach can make MFA easier to implement. In this blog, one of our vendor partners, SecurEnvoy, gives three steps to implementation, starting with identifying groups of users who have different applications to access, different needs and security levels, then, how to map out their authentication needs and finally implement the MFA solution.
5. My environment is complicated. How can I implement MFA for on-premise and cloud applications? Ensuring that you have a multi-factor authentication solution that can adapt to the needs of your business and changing requirements is a must if you are making the move from on-premise to cloud or have a mix of on-premise and cloud applications. For example, if you have a complex environment that encompasses applications that need to be on-premise or in a private cloud for security reasons, and other applications that don’t need the same level of security, how do you manage MFA?
In this blog, SecurEnvoy look at the things you should consider if you are a security-conscious organisation and need to implement MFA on-premise and future-proof MFA for any moves to the cloud.
How can I ensure that all employees are covered with all the devices that they use wherever they are working? For example, if you have already implemented out-of-the-box solutions such as Microsoft Office 365 MFA, it might not cover all employees in different situations (for example if they lose their mobile phone signal or if they need to access a bespoke application and they are offline). What can I do to ensure that MFA is implemented wherever my employees are?
This is where Accelerate Technologies can help to find the best possible solution for your particular business environment and end-user needs, and ensure that your MFA solution is cost-effective and future-proofed for all business eventualities. Contact us to find out how we can help.