We know passwords have become less of a security protector and more of a security nightmare. But we continue to use them because they are an easy and cheap form of authentication, not to mention the familiarity. We know how to use passwords, even if remembering all of them isn’t easy.
Because we’re used to passwords and because they are relatively easy to deploy, they are used everywhere. Yet, as the “Verizon Data Breach Investigations Report” pointed out, 8 in 10 breaches involve a stolen or weak password. With data privacy front and center, thanks to the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act, it’s clear that we need to do a lot more to protect our data.
Security experts have pushed for multifactor authentication (MFA) as a better security alternative for years. We’re seeing more enterprises using MFA, but widespread adoption is still far into the future. There are two primary reasons: hesitation by SMBs to switch to MFA and our own personal reluctance to use it when it’s offered.
Why SMBs Hesitate on MFA
According to a new study from WatchGuard Technologies, 61 percent of companies with fewer than 1,000 employees think MFA is for larger enterprises only, while another 24 percent say it’s too costly and difficult to implement.
“With fewer IT resources and personnel, SMBs require solutions that are easy to implement and provision, intuitive to use and affordable,” said Alex Cagnoni, director of authentication at WatchGuard Technologies. “So far, most MFA vendors have failed to meet one or more of those needs.”
Unfortunately, SMBs appear to be correct that MFA adoption is out of their price range. Many solutions are too expensive to deploy and manage, Cagnoni admitted. “Some MFA vendors charge extra per feature, so their solutions can become very costly very quickly. Other services require complex MFA software to be installed and configured inside the network, dramatically increasing the total cost of ownership for customers and training requirements for end users.”
But, at the same time, if your company suffers a password-related breach, the costs of mitigation and fines could bankrupt you. The upfront cost of any security solution has to be taken into consideration, of course, but when it comes to security, the outlook has to address the “what if.” Do you pay upfront now or do you pay later?
Employees Reluctant to Use MFA
However, just because you deploy it doesn’t mean your employees want to use it. A study by SecureAuth + Core Security found that almost two-thirds of IT decision-makers surveyed said they have received pushback from other employees about using MFA. They don’t want to bother with downloading an app or using an SMS to add the extra layer of security. With that friction, organizations are slow to implement MFA, and when they do, they are doing so one step at a time because employees are so reluctant to change their behaviors.
“And with 25 percent of employees already using the same password for every account, according to a previous report, they are even more at risk of attack,” TechRepublic reported.
Because SMBs aren’t going to make the switch to MFA quickly, security and IT decision-makers will have to encourage better password management. In-house, they should require different passwords for each account or set up authentication algorithms to force regular password changes and updates. But they also should understand that MFA solutions aren’t out of reach.
“SMBs need to educate themselves on the MFA options available today to audit the costs and management requirements of each solution, and weigh them against their company’s security posture and needs,” said Cagnoni. “In the absence of MFA, cybercriminals can utilize a variety of techniques to acquire usernames and passwords, such as spear phishing, social engineering and buying stolen credentials on the dark web, to gain network access and then steal valuable company and customer data.”
It’s up to you. Do you pay now and get your employees on board with MFA, or do you risk paying a lot more later after a password-caused data breach?