Cyber Readiness Institute Survey Highlights Critical Gaps in MFA Implementation Among U.S. SMBs


Awareness Without Action: SMB Awareness of MFA Benefits Fails to Drive Implementation

NEW YORK, November 10, 2023 – In an era where digital security is more critical than ever, the Cyber Readiness Institute (CRI) today released a survey that casts a spotlight on the concerning gaps between the awareness and actual implementation of Multi-Factor Authentication (MFA) among small and medium-sized businesses (SMBs) in the U.S. The study, encompassing responses from 485 businesses in May 2022 and a follow-up with 484 in October 2023, paints a detailed picture of the roadblocks SMBs encounter in fortifying their cybersecurity measures.

MFA has emerged as a frontline defense against cyber intrusions, yet SMBs exhibit varying degrees of adoption – either testing MFA in limited scopes, planning for its future integration, or remaining hesitant due to perceived complexity and resource demands. The trend indicates a growing recognition of MFA’s critical role in securing accounts and sensitive data. However, while adoption rates have been steadily increasing, the consistency of implementation remains uneven across different sectors and sizes of businesses.

Awareness vs. Implementation Gap

According to the survey, 56% of U.S. SMBs reported awareness of MFA and its security benefits, yet this awareness does not fully translate into action. Of these businesses, only 34% have consistently enforced MFA use across their systems and operations. This notable disparity between knowledge and application points to an urgent need for initiatives that not only educate but also assist SMBs in the practical implementation of MFA as a standard security practice.

“Addressing the gap between cybersecurity awareness and effective implementation remains pivotal for protecting small businesses,” said Tom Burt, Microsoft Corporate Vice President, Customer Security & Trust. “A 2023 study using real‑world attack data from Microsoft Entra found that Multifactor Authentication (MFA) reduces the risk of compromise by 99.2 percent. Because of its importance, we took the step to automatically enable MFA by default for all new customers in 2020. MFA by default has also been rolled out to existing customers, including small businesses, since 2022.”

Policy and Priority Misalignment

The data revealed a disconnection in policy and prioritization. While 63% of SMBs recognize the importance of MFA, only a fraction has established formal policies to ensure its implementation. There is an evident lack of structured planning, with many businesses not considering MFA a priority in their cybersecurity strategy. This gap indicates a pressing demand for industry leaders to craft strategies that emphasize the importance of MFA as a standard security feature.

“Introducing new cybersecurity policies can present challenges, including internal resistance to change. To address these challenges, we prioritize clear communication and education to foster a culture of security awareness and make employees our partners in the process,” said Meg Anderson, vice president-chief information security officer at Principal Financial Group®. “We also work across the enterprise to ensure alignment with business objectives and secure the necessary resources.”

Persistent Doubts

Even amidst advocacy efforts highlighting the critical role of MFA, the survey identified that approximately 17% of SMBs maintain doubts about the efficacy of MFA. This persistent skepticism signals the requirement for more compelling incentives and transparent communication to effectively convey how MFA significantly enhances cybersecurity defenses.

Inconvenience Concerns

The survey underscores the issue of employee resistance, with 24% of SMBs citing the inconvenience of MFA as a barrier to its adoption. This feedback suggests a significant need for the development and deployment of efficient, secure, and minimally disruptive MFA solutions to balance security and user experience.

Resource Constraints

Financial and resource limitations are highlighted as substantial impediments, with 28% of survey respondents indicating they found it challenging to allocate the necessary resources for MFA implementation. The data points to a widespread issue where SMBs struggle to provide investment and the technical support required for effective MFA integration. Addressing these financial and human resource constraints is critical to enabling a broader and more effective adoption of MFA across the SMB sector.

“The survey results are a call to action for CRI and industry leaders to intensify efforts in educating and supporting SMBs,” said Karen S. Evans, Managing Director of CRI. “It’s imperative that we address these gaps and barriers to elevate the cyber readiness of businesses integral to the U.S. economy.”

The CRI is actively engaged in delivering practical solutions and extending support to SMBs challenged by cybersecurity issues. For more information about the survey, please visit USA MFA Study Report 2023.

About Cyber Readiness Institute

Launched in 2018, the Cyber Readiness Institute (CRI) is a non-profit initiative that convenes business leaders from across sectors and geographic regions to produce free cybersecurity tools for small and medium-sized businesses. Its mission is to advance the cyber readiness of these SMBs to improve the security of global supply chains. CRI’s tools and resources focus on human behavior and emphasize employee education and awareness.

The Institute is housed within the Center for Global Enterprise, a New York-based non-profit applied research organization. CRI was co-founded by former IBM Chairman Samuel J. Palmisano and executives from Mastercard, Microsoft, ExxonMobil, and PSP Partners as a follow-up to the work of the President’s Commission on Enhancing National Cybersecurity (2016). Member companies include Apple, Mastercard, Microsoft, and Principal Financial Group. ExxonMobil and PSP Partners are founding members that continue to support the objectives and programs of CRI.