Why MFA Is the Key to Securing Small Businesses

by Jake Wengroff

Passwords alone simply don’t cut it anymore. Mobile banking apps, social media platforms and work-related productivity tools are increasingly asking users to supply more than simply a username and password. Nowadays, a temporary passcode, fingerprint or other modality is required for entry.

To protect employees and customers from a breach, two-factor authentication (2FA) and multifactor authentication (MFA) are increasingly used to secure devices, apps, data and networks.

According to Microsoft, MFA blocks 99.9 percent of automated cyberattack attempts on Microsoft platforms, websites and other online services.

However, the crucial benefits of multifactor authentication might not be reaching all businesses. A recent report by the Cyber Readiness Institute (CRI) has uncovered a surprisingly slow rate of MFA adoption among small- and medium-sized businesses (SMBs). The CRI surveyed 1,403 small business owners across the U.S., the U.K., New Zealand, Japan, India, Germany, Canada and Australia from May 2 to May 15, 2022. Almost half of the organizations had anywhere from one to nine employees, while 45% reported annual revenues of less than $250,000.

Among the respondents, 55% admitted that they were not very aware of MFA and its security benefits, while 54% said they have not adopted MFA for their business. Among those who haven’t implemented MFA, 30% said they don’t understand it, 17% do not see the value, and 9% feel that MFA is too time-consuming and inconvenient.

Small Businesses Are More Vulnerable Than Ever

However, the notion that MFA is labor-intensive and cumbersome is misguided. While implementing stronger security will require additional expense, in the form of security software licenses, employee training and communicating the benefits of authentication, it’s imperative that SMBs understand the benefits of multifactor authentication now more than ever, and those who ignore it do so at their peril.

While only 14% of small businesses say they have been hacked, according to the results of the Q3 2021 CNBC|Momentive Small Business Survey, this figure is still high, and the damage can be far-reaching and disruptive. About 60% of small companies go out of business within six months of falling victim to a data breach or cyberattack, according to Cybercrime Magazine. This is due to a loss of customers or reputation, or to the legal or operational costs of cleaning up or repairing the damage caused by the breach. While larger organizations have the resources to bounce back, many SMBs do not.

Further, cybercriminals are more likely to target smaller businesses: They know that such firms most likely do not have the policies or software in place to systematically protect against a breach at scale. Part-time or contract employees might be working at remote locations or on site (e.g., delivery drivers, home-health aides) and most likely are unaware of the security settings on their devices. Such an environment in smaller business settings makes a breach or compromise more likely.

Review of MFA Factor Types

Before implementing MFA, it’s important for business owners to understand that there is no one-size-fits-all approach to adoption. Concerns over costs or employee or customer friction can be evaluated when deciding on the right mix of modalities to use for MFA.

Below are the four general types of MFA factors, each serving a specific purpose in protecting and securing a user’s account.

1. Knowledge: Something Someone Knows

This is the most well-known and commonly used authentication factor: a piece of information that the user can easily supply when prompted. Some examples of knowledge include:

  • Passwords
  • Usernames
  • PINs
  • Email addresses
  • Answers to security questions

2. Possession: Something Someone Owns or Has

This usually refers to a physical object that the user will have on their person, such as a smartphone, smart card or even a physical security key.

3. Inherence: Something Someone Physically Is

This refers to physical attributes and is usually biometrics, such as the user’s fingerprints, face, eyes or voice. This is considered the most secure form of authentication since it is the hardest to replicate or fake.

4. Context: Somewhere Someone Is

This lesser-used authentication factor refers to where the user is physically located at the time of their login. The system will use either GPS data or the IP address to obtain a general location. If the address is unusual, the system can trigger an action, such as sending a unique code to that user’s device in order to verify that the user is indeed in that location, explains All Things Secured.
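
The context check described above, as an added example that is not from the original article: a login from an IP address outside the user's usual networks triggers a one-time code that must be confirmed before access is granted. The user name, network ranges, function names and five-minute code lifetime are assumptions made for illustration.

```python
import hmac
import ipaddress
import secrets
import time

# Constructed sample data: networks each user normally signs in from
# (documentation address ranges, not real networks).
USUAL_NETWORKS = {
    "alice": [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("2001:db8:10::/48")],
}
CODE_TTL_SECONDS = 300  # assumed lifetime of a step-up code
PENDING_CODES = {}      # user -> (code, expiry timestamp)


def is_usual_location(user, source_ip):
    """True if source_ip falls inside one of the user's usual networks."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # an unparseable address is treated as unusual
    return any(addr.version == net.version and addr in net
               for net in USUAL_NETWORKS.get(user, []))


def start_login(user, source_ip, now=None):
    """Return 'allow' for a usual location, else issue a code and return 'step_up'."""
    now = time.time() if now is None else now
    if is_usual_location(user, source_ip):
        return "allow"
    code = f"{secrets.randbelow(10**6):06d}"  # 6 digits from a CSPRNG
    PENDING_CODES[user] = (code, now + CODE_TTL_SECONDS)
    # A real system would deliver `code` to the user's registered device here.
    return "step_up"


def verify_code(user, submitted, now=None):
    """Accept the code once, only before expiry, using a constant-time compare."""
    now = time.time() if now is None else now
    # Single use: the code is discarded on any attempt, right or wrong.
    code, expiry = PENDING_CODES.pop(user, (None, 0))
    if code is None or now > expiry:
        return False
    return hmac.compare_digest(code.encode(), submitted.encode())
```
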

Your MFA Solution

The Migus Group can help you better understand and prioritize multifactor authentication and how its implementation fits into your organization’s identity and access-management policies. Contact us today to learn more.


Jake Wengroff writes about technology and financial services. A former technology reporter for CBS Radio, he covers such topics as security, mobility, e-commerce and the Internet of Things.