Smaller companies are urged to adopt multifactor authentication

Government officials and cyber security chiefs say many small and medium-sized businesses rely on usernames and passwords alone to keep their systems secure, leaving them vulnerable to cyberattacks.

Multifactor authentication, in which a login attempt is verified by additional layers of security such as text messages, phone calls, or the use of codes sent by dedicated apps, is a relatively simple defense against hackers.

Yet a survey of nearly 1,400 small and medium businesses globally by the US-based non-profit Cyber Readiness Institute, published today, found that 55% of companies have not installed multifactor authentication. Of those that have, only 28% require employees to use it.

“We know that almost all account compromise attacks can be prevented simply by using MFA. This is a proven, effective way to thwart bad actors,” said Karen Evans, managing director of CRI, which was founded in 2017 by small companies. The group was formed by cyber security experts from the public and private sector who were part of a federal task force to enhance cyber security across the country.

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, the top cyber arm of the US government, said that part of the problem with adoption is how industry and government communicate security concepts to the private sector. She added that technical terms like MFA can often be confusing and muddle the message.

CISA, an offshoot of the Department of Homeland Security, recently promoted MFA as a simple solution to prevent common cyber attacks through its “More than a Password” campaign.

“Cyber security isn’t about technology and it’s not about the code; it’s about the people,” Ms Easterly said. “It’s about people from a human behavior standpoint, but it’s also about people recognizing how they’re doing things and how they can reduce that risk with some very simple things.”

Hackers can often gain access to systems by purchasing breached passwords on darknet forums or by brute force, trying millions of combinations of letters and numbers. An authorization request for a login sent to a cellphone or email account adds an extra layer of security that can block most unsophisticated access attempts, even when the attacker already has the password.
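As an added illustration, not part of the article, the following Python sketch shows the check described above: a login that requires both the password and a time-based one-time code (RFC 6238 TOTP, the kind an authenticator app generates), so a breached password alone is refused. The user record, salt and shared secret are constructed for the demo.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo user (not real credentials). A real system would use a
# dedicated password hasher (argon2/bcrypt) and store the TOTP secret encrypted.
PASSWORD_SALT = b"demo-salt"
DEMO_SECRET = b"12345678901234567890"  # the RFC 6238 test-vector secret, 20 bytes
DEMO_USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", PASSWORD_SALT, 100_000),
        "totp_secret": DEMO_SECRET,
    }
}


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` adjacent steps to tolerate clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, now + drift * 30), code):
            return True
    return False


def login(username: str, password: str, code: Optional[str], now: int) -> str:
    """Return "ok" only when both the password and the second factor check out."""
    user = DEMO_USERS.get(username)
    if user is None:
        return "denied"
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 100_000)
    if not hmac.compare_digest(pw_hash, user["pw_hash"]):
        return "denied"
    # A leaked or guessed password is not enough: the one-time code is required too.
    if code is None or not verify_totp(user["totp_secret"], code, now):
        return "denied"
    return "ok"
```

Run with a fixed `now` (seconds since the Unix epoch) so results are reproducible; the RFC 6238 vector at t=59 yields code 287082 for this secret.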

The government has established MFA as a best practice. In a May 2021 executive order, President Biden directed all federal agencies and government contractors to implement MFA as part of their basic cyber security measures within 180 days.

The CRI survey also found that nearly 60% of respondents said they had not discussed MFA with their employees. Communicating the value of MFA, said Ms. Evans, who was chief information officer at the US Department of Homeland Security until 2021, is an area where the cybersecurity industry needs to do more.

Jen Easterly, Director of CISA. Photo: Lenin Noli/Zuma Press

One barrier to MFA is pushback from employees or customers who don’t want to be forced through multiple steps to log into a system, said Megan Anderson, chief information security officer at the insurance and investment management company Principal Financial Group.

For businesses in highly regulated sectors such as financial services, MFA is no longer optional.

When she became CISO at her company 14 years ago, she said, the conversation about MFA was often about how to persuade people to use it.

Then, as soon as the rules changed, it was: “We must take this action,” she said.

More changes are coming to the widespread use of passwords. In early May, Apple Inc., Microsoft Corporation and Alphabet Inc.’s Google jointly said they will begin moving customers away from passwords as their primary means of authentication.

Instead, they plan to expand support for the passwordless standard created by the Fast Identity Online Alliance, or Fido. The standard supports biometrics, security tokens, contactless communication and other technologies to authenticate users.

As the Fido mechanism rolls out over the next several years, passwords should be supplemented in the interim to make companies more secure, said CISA’s Ms. Easterly.

“Enabling multifactor authentication is the most important thing any person, any business can do,” she said.

Write to James Rundle at james.rundle@wsj.com

Copyright © 2022 Dow Jones & Company, Inc. All rights reserved.