More than half of small business owners have implemented multi-factor authentication at their companies, a new study found. Pictured: A visitor tries out the Huawei P40 Pro smartphone at the IFA 2020 Special Edition consumer electronics and appliances trade fair on Sept. 3, 2020, in Berlin. (Photo by Sean Gallup/Getty Images)

A study released this week by the Cyber Readiness Institute (CRI) found that only 46% of small- and medium-sized business (SMB) owners claim to have implemented multi-factor authentication (MFA) at their companies.

The CRI study found that small business owners still rely mostly on usernames and passwords to secure critical employee, customer and partner data.

Of the businesses that have not implemented MFA, 47% noted they either didn’t understand MFA or didn’t see its value. And nearly 60% of small- and medium-sized business owners have not discussed MFA with their employees.

“We know nearly all account compromise attacks can be stopped outright, just by using MFA,” said Karen Evans, managing director of CRI. “It’s a proven, effective way to thwart bad actors. All of us — governments, non-profits, industry — need to do much more to communicate the value of MFA to SMB owners.”

Saryu Nayyar, founder and CEO at Gurucul, said this news raises some alarm bells. Nayyar said MFA has for several years been an effective tool for preventing account compromise attacks and there are inexpensive and even free tools like Google Authenticator readily available.

“Cybercriminals may steal passwords or purchase them on the dark web, but adding a second authentication factor prevents attackers from gaining access to accounts without a huge amount of effort,” Nayyar said. “MFA should be considered table stakes in protecting systems and data these days.”

Many SMBs are struggling to enforce MFA because they don’t fully understand the risks of not requiring it, said Jason Middaugh, chief information security officer at Inversion6. Middaugh said SMBs often get held up in their MFA rollouts by trying to fully solve fringe cases first, such as a few users who still do not have smartphones, potential GDPR issues, or a worry that users will resist the change because it is too complex. In the meantime, they leave the entire company exposed to the threats that come with not protecting identities with MFA.

“The risks of not enabling MFA could include the ability for an attacker to access all of your sensitive email, possibility for a hacker to masquerade and send messages to your customers asking them to pay a fraudulent bank account, access to sensitive information in cloud services such as payroll and bank account information — and the ability to change that information,” Middaugh said. “The thought from SMBs is that a username and password is good enough, but in this day and age, a username/password is completely insecure. If you are only requiring username/password on an internet-facing application, it’s only a matter of time before it’s compromised.”

Lack of security knowledge or awareness has for several years been a common concern for SMBs, said Matthew Warner, co-founder and CTO at Blumira. Warner said while a larger enterprise will often have a staff of cybersecurity experts, SMBs are usually doing more with less: an IT director or systems administrator may handle cybersecurity as well as a variety of other IT maintenance tasks.

“MFA is a relatively low-effort step for SMBs that can reap massive security benefits,” Warner said. “Organizations that already use Microsoft 365 or Google Workspace can often enable MFA for free, making it an affordable, easy win to achieve greater security maturity.”