More than half of small and medium-sized businesses (SMBs) are not using two-factor authentication (2FA) – and they should do it now. That's the view of Jen Easterly, director of CISA (Cybersecurity & Infrastructure Security Agency), citing a recent Cyber Readiness Institute survey.
“As the nation’s cyber defense agency, we know that raising the cybersecurity baseline is a national security imperative,” Easterly said. “The truth is, we need small and medium-sized businesses to be secure in order to protect the whole cybersecurity ecosystem, and that means they need the tools, the knowledge, and the impetus to enforce multi-factor authentication."
CISA is "on a mission to encourage organizations of all sizes – and Americans themselves – to use more than a password and enable multi-factor authentication," Easterly added. As a proud member of CISA's Joint Cyber Defense Collaborative (JCDC), we here at BlackBerry wholeheartedly concur.
The tools to implement 2FA are freely available. So why are 54% of SMBs failing to take advantage of it? In most cases, it's a lack of knowledge and experience: 55% of respondents said their organizations are not “very aware” of MFA (multi-factor authentication) and its security benefits.
This lack of clarity or conviction about the importance of MFA underscores another, perhaps greater problem. When businesses that are critical to our national infrastructure — as many SMBs are, whether they know it or not — don’t implement even the "low-hanging fruit" options to protect their businesses, the likelihood of equipping themselves with more advanced cybersecurity measures seems unlikely.
Take Zero Trust. MFA can be considered a gateway, an easy and often essentially free first step, to implementing a robust Zero Trust strategy or network.
How Does 2FA Contribute to Zero Trust?
Two-factor authentication is almost the least you can do — and probably the easiest thing — to start your journey toward a full Zero Trust architecture. It also can be the lowest cost method to deter and thwart a very expensive cyberattack. Zero Trust considers two approaches: identity-centric and network-centric. And these can be expounded on by examining the National Institute of Standards and Security’s (NIST) publication 800-207 core principles:
- Continuous verification: Where we’re always verifying access, all the time, for all resources.
- Limit the blast radius: Minimize impact if an external or insider breach occurs. We often achieve this by segmenting larger networks and resources into smaller pools and restricting access and crossflow between the pools.
- Automate context collection and response: This principle encourages CISOs and companies to invest in some cyber defense capability that can automate the collection of log data and artifacts and has the built-in intelligence to apply context to what is happening at any given moment in time. There are more than enough robust solutions on the market that can help enterprises of all sizes with satisfying this principle.
What Are Examples of 2FA?
Let’s focus on continuous verification and 2FA. What exactly is two-factor authentication, which is often called multi-factor authentication?
Two-factor authentication is based on the core principle of combing something you know and something you have in order to gain access to your company’s network and resources.
For example: Having a Common Access Card (card with a magnetic chip) and knowing the associated pin number that goes with that card is an example of something you have (the card) and something you know (the pin). Also, many of us use applications that not only log you in with your user ID and password, but they’ll also text you a code to your mobile device to ensure it is you.
The Login/Password is something you know. Having the mobile device in your possession to retrieve the verification code is something you have. Perhaps you’ve seen the small RSA token device that people have on their keychain or wear on a lanyard. That is another example of something you have in your possession that supplies a one-time passcode (OTP) for only that instance of access.
2FA is now common for access to your Google Account, Twitter, LinkedIn, Facebook, etc. It’s also used in Windows® and Office 365® environments and with their apps like Teams, as well as other collaborative tools. With applications, it’s generally as easy as turning it on and indicating how you’d like to receive the codes: text, email, or phone call.
Why Are SMBs Hesitant to Implement Two-Factor Authentication?
If two-factor authentication has become extremely common, then why are so many small and medium-sized businesses failing to adopt this practice?
According to a 2018 Tech Republic survey, 61% of SMB respondents believed 2FA and multi-factor authentication (MFA) are only for large enterprises. That’s an interesting perspective. Whatever led them to that assumption?
Research revealed another factor here as well. Many SMBs believe it requires a high investment and is overly complicated, perhaps involving expensive hardware and complicated processes to integrate into their current architecture.
And finally, some simply don’t understand the alternate methods that work with 2FA. For example, some organizations don’t allow personal devices in the office. How do you get your code if you can’t receive text, or you can’t have your personal device on you to retrieve it?
It can easily be done, because there are multiple ways to have the code sent to you, or to enable the two factors. For example, the application can dial your office desk phone and provide the code, or simply ask you to push a series of buttons to verify you are you.
But there is also something else at work here. Many of these perceived obstacles to implementation may be based on outdated or inaccurate information.
Getting Started with Two-Factor Authentication
How can smaller and mid-sized organizations think about 2FA or MFA and start down that road? And what should you expect if you do so?
First, we think the smaller the scale of your SMB enterprise, the easier it can generally be to implement 2FA. The fewer user and admin accounts requiring authentication, and the fewer network resources to manage, the easier both implementation and management can be.
Secondly, turning on 2FA is presently natively available in Windows and can be set up in Active Directory for all your users and admins. There are also Linux® modules for enabling 2FA on Linux and there are plenty of 2FA software solutions at all price points that easily integrate into your Windows, Linux, or macOS® environments.
Another advantage of implementing two-factor authentication is the “how-to” challenge. The fewer employees you have, the faster it will likely be to train team members across the organization. And it is also easier to ensure training completion and effectiveness across an SMB versus a large enterprise.
And finally, there is plenty of help for accomplishing this key step toward a Zero Trust environment. CISA’s guide, Implementing Strong Authentication, is an excellent resource.
Also, many vendors stand ready to assist SMBs through their analysis, decision, acquisition, and Zero Trust implementation.
CylanceGATEWAY™ is a fantastic option for adopting a Zero Trust as-a-service approach. It helps improve your overall risk posture by implementing a dynamic, least-privilege network access model and adaptive identity-based controls, which are all critical components of a Zero Trust Architecture.