
5 Steps to Secure Your Mid-Market Enterprise with Multi-Factor Authentication

Robert Wagner

Cybersecurity is increasingly top of mind among owners and employees of small and medium-sized enterprises—and for good reason.

In fact, about a quarter of all workers have fallen victim to a cybercrime, and according to the 2022 Verizon Data Breach Investigations Report, close to 50% of breaches were due to compromised credentials. Here’s the kicker: Small businesses are three times more likely to be targeted by cybercriminals than larger companies.

With so much at stake, it’s imperative that organizations of all sizes act proactively to safeguard their systems from outside threats. But determining the ideal solution isn’t always clear-cut.

For many businesses, multi-factor authentication (MFA) offers a perfect balance between security and ease of use. Small to medium enterprises, in particular, can benefit greatly from implementing this simple control.

Read on to discover how you can leverage MFA to protect your mid-market enterprise from cyber threats and GDPR fines.

What is Multi-Factor Authentication?

Most consumer-facing apps require only “single-factor” authentication. A “factor” is a piece of information that only that specific user should know or have access to.

The three main types are:

  • Something you know (PIN, passphrase, security question, etc.);
  • Something you are (fingerprint, retinal scan, and other biometrics); and
  • Something you have (cryptographic identification device, token). 

As the name implies, multi-factor authentication is the process of confirming the identity of a user by requiring more than one of these pieces of information. 

Why is MFA so important now?

As the world becomes increasingly digital, organizations of all sizes face a mounting number and variety of external threats. They’re doing a lot more damage, too.

As of 2022, the global average cost per data breach amounted to 4.35 million U.S. dollars, an increase from 4.24 million U.S. dollars in the previous year, and it keeps climbing. 

The sad reality is that most every organization will experience a data breach at some point; it’s just a matter of time. This means that it’s up to you to take action to protect your business.

Which MFA solution should you choose?

Though there’s no “one size fits all” solution to authentication, keeping a few key things in mind will help you choose the right MFA solution for your business.

  • Cost – Most MFA solutions are relatively inexpensive, though some are pricey. Make sure you know what you’re getting before you buy.
  • Ease of Deployment – An MFA solution that is easy to deploy and manage is critical. If it’s too complicated to set up, configure, and maintain, you’re not likely to use it. Or you won’t deploy it to all accounts, which is critical for effective use of this control.
  • Your Users – Ease of use, along with clear training, will make or break the success of an MFA deployment. Providing users with clear, simple technology and processes to follow will ease the friction and resistance to the changes you’re presenting them.

Deploy MFA Across the Entire Organization

It’s important to understand that ALL of your user accounts should be protected by MFA. In other words, don’t just protect the “important ones”. 

Attackers regularly target lower-level employees to gain a foothold. From there, it’s usually quite easy for them to move laterally until they gain access to critical accounts like Domain Admin, or your executives’ credentials.

MFA with Virtual Tokens

Virtual tokens are a great option if you want to protect your employees from all types of cyber threats, including malicious software, phishing attacks, and man-in-the-middle attacks.

Unlike physical tokens, virtual tokens can’t be lost or stolen, unless the user loses their phone. (In that event, an admin can disable the token as soon as the user reports the phone as missing, so make sure that’s part of your user awareness training.)

Virtual tokens typically allow you to generate a single-use passcode every 30 to 60 seconds. Most can be used with any device or operating system. Some virtual tokens, like Symantec VIP and RSA SecurID Web, are accessible through the user’s browser. Others, like Duo and Google Authenticator, are apps available on Android and iOS devices.

MFA with Physical Tokens

Physical tokens, like the iGAGG and HID iCLASS SE, were some of the first tokens to be used for MFA implementations, but are falling out of favor because virtual tokens are easier to use and deploy. These tokens use an algorithm and a secret code to generate a one-time passcode that users enter along with their log-in credentials. Most physical tokens can be easily carried by employees, come in a variety of colors and styles, and can be given to users that don’t have the technology for virtual tokens.

Users in manufacturing facilities or in other countries, who may not have access to hardware to use a virtual token, may be good candidates for these devices. High-security organizations that may not trust user-provided smartphones may also use this older technology. Keep in mind that they’re not as easy to manage as virtual tokens, their batteries eventually wear out, and users tend to lose them more often than they would their smartphone.

Wrapping up

Multi-factor authentication is a terrific starting point for defending your business from cyber threats. While single-factor authentication is better than nothing, it does not provide enough security for most organizations. While it may be tempting to skimp on protection, you’re better off spending a little extra to make sure your data is safe than trying to deal with the aftermath of a breach.