When it comes to protecting small businesses from cyberattacks, there is a constant balance between managing risk and applying limited resources between security, operational budgets, and convenience. Small businesses face critical resource decisions every day. Can my business afford to deploy optimal, strong cybersecurity solutions? And will my cybersecurity policies be a burden for my employees, trading partners, and customers?
Small business owners face significant challenges, and their most important daily responsibility is ensuring their businesses grow and thrive. As an industry, we have not done enough to connect the benefits of strong cybersecurity practices and policies to business expansion, resiliency, and long-term survival.
There is no area of cybersecurity more indicative of the challenges we face in threading the needle between security and business-friendly policies than usernames and passwords. We still overwhelmingly rely on an insecure means of account and network access that has proven inefficient and insecure for more than 30 years.
Multi-factor authentication (MFA)
We know there are more secure methods that can be deployed. Multi-factor authentication (MFA) bolsters security by requiring users to present more than one piece of evidence (credential) whenever the user logs in to a business account (ex. company email, payroll, human resources, etc.). MFA usually falls into three categories: something the user knows (a 15-character password), something the user has (fingerprint), or something the user receives (a code sent to the user’s phone or email account).
MFA works, but companies remain extremely reticent to deploy. The Global Small Business Multi-Factor Authentication (MFA) Study released by the Cyber Readiness Institute (CRI) found that only 46% of small business owners claim to have implemented MFA methods recommended by leading security experts, with just 13% requiring its use by employees for most account or application access.
Most companies implementing some form of MFA have not made it a requirement for all.
Only 39% of those who offer MFA have a process for prioritizing critical hardware, software, and data, with 49% merely “encouraging the use of MFA when it is available.”
According to Microsoft, 99.9% of account compromise attacks can be blocked simply using MFA. Yet, 47% of small business owners surveyed said they either didn’t understand MFA or didn’t see its value. In addition, nearly 60% have not discussed MFA with their employees.
Implementation of MFAs
Implementing MFA does not require hardware changes to company computers, mobile devices, or printers. Instead, there are numerous free and low-cost software-based tools users can download to their company and personal devices. For example, email providers usually offer (and encourage) MFA. Therefore, it can be as easy as clicking an option in email settings to turn on MFA.
There are several easy steps companies can take to implement MFA. First, organizations should update their policies and procedures with specific expectations. For example, all employees should implement MFA on their company email accounts. Next, hold workforce information sessions to communicate MFA policies and expectations. Employees need to know that it is easy to activate MFA on their accounts. Finally, designate someone in the organization who accepts the responsibility for cyber readiness to help employees troubleshoot as they begin using MFA.
At CRI, we fully believe strong cybersecurity is a business imperative, not an operational challenge. This requires a change in mindset from small business leaders, new questions must be asked, and behaviors need to change:
- Can my business afford to suffer a cyberattack?
- Will a cyberattack irreparably damage my brand?
- Will a cyberattack burden my employees, customers, and trading partners?
Honestly answering these questions will change the importance of cybersecurity in a small business’s growth strategy.