Nearly Two-Thirds of SMBs Do Not Use MFA; Cost is the Primary Barrier to Adoption
November 12, 2024 – NEW YORK, N.Y. – The world’s small and medium-sized businesses (SMBs) remain slow to adopt multifactor authentication (MFA) tools to protect their organizations and global supply chains from cyber attacks, according to a new study released today by the non-profit Cyber Readiness Institute (CRI).
CRI’s annual Global Multifactor Authentication Survey of nearly 2,300 SMBs revealed:
- More than half of global SMBs (58%) are not aware of the security benefits of MFA;
- Nearly two-thirds of global SMBs (65%) do not use MFA, and do not plan to implement it in the near future;
- An overwhelming majority of SMBs (85%) do not require the use of MFA by their customers nor their suppliers;
- Only one in five global SMBs (17%) have internal cybersecurity policies in place requiring MFA; and
- Cost is the No. 1 barrier to adoption (44%) among SMBs worldwide yet to implement MFA.
Adoption lags despite MFA being widely recognized as one of the most effective defenses against cyber attacks, adding vital layers of protection than can significantly reduce the risks of unauthorized access into organizations and their supply chains.
“As cyber threats continue to increase in frequency and sophistication, SMBs need to adopt tools such as MFA to protect their employees and their assets,” said Karen S. Evans, managing director of the Cyber Readiness Institute. “It’s no longer a luxury nor an optional security feature – it’s a fundamental necessity in today’s digital landscape.
“At the same time, we understand MFA and other aspects of cyber readiness at times can be intimidating and confusing, especially for smaller businesses that can’t afford dedicated IT resources,” Evans continued. “That’s why it’s so critical to understand just where SMBs stand regarding awareness and implementation of MFA, and what steps are needed to encourage wider adoption.”
Based on these survey findings, CRI has issued a “call to action” identifying four critical areas that must be addressed to drive wider adoption of MFA across SMBs globally:
- Communication: spreading awareness and education
- Cost: reducing financial barriers to adoption
- Internal and External Requirements: making MFA a standard practice
- Resources and Tools: supporting SMBs with clear guidance and technical help
MFA already has been adopted by larger organizations such as financial institutions, on-line retailers and other transaction-based businesses. It requires users to verify their identities through two or more factors, such as something they know (a password), something they have (a smartphone or security token), or something they are (biometrics like a fingerprint or facial recognition). For instance, after entering a password, users might receive a code or notification on their phone to confirm their identity.
This additional step makes it much harder for attackers to gain access, even if they’ve stolen passwords. According to the U.S. Cybersecurity Infrastructure and Security Agency (CISA), MFA users are 99% less likely to be hacked.
“By identifying real-world barriers to broader adoption, CRI aims to drive development of targeted solutions and educational initiatives that will benefit SMBs and secure global supply chains,” Evans said. “Through initiatives such as this annual survey and call to action, we’re committed to raising awareness and promoting the adoption of essential cybersecurity measures such as MFA to protect businesses from evolving cyber threats.”
The CRI is actively engaged in delivering practical solutions and extending support to SMBs challenged by cybersecurity issues. For more information about the survey, please visit: 2024 Global MFA Report.
About the Cyber Readiness Institute (CRI):
The Cyber Readiness Institute (CRI) is a non-profit initiative that provides free cybersecurity tools for small and medium-sized businesses. CRI’s tools and resources focus on human behavior and emphasize employee education and awareness to improve the security of global supply chains. The Institute is housed within the Center for Global Enterprise, a New York-based non-profit applied research organization. Member companies include Apple, Mastercard, Microsoft, T-Mobile, Center for Global Research and Principal Financial Group. ExxonMobil, General Motors and PSP Partners are founding members that continue to support the objectives and programs of CRI.
For more information about the Cyber Readiness Institute and its member companies, please visit https://cyberreadinessinstitute.org.
Additional support for the report:
CENTER FOR GLOBAL ENTERPRISE
“While the benefits of MFA are tangible and well-documented, the relatively slow adoption of these tools by small and medium-sized businesses raises cause for concern,” said Samuel J. Palmisano, chairman of the Center for Global Enterprise and former IBM chairman. “We encourage larger organizations, regulatory bodies, software providers and other influential members of the global supply chain to adopt and amplify CRI’s call to action to elevate awareness and utilization of these best practices over the coming year.”
MASTERCARD
“Mastercard has pledged to bring 50 million micro- and small businesses into the digital economy worldwide, a commitment that includes investments to support their cybersecurity and preparedness,” said Tim Murphy, chief administrative officer at Mastercard. “We are proud to work with CRI on these efforts, helping inform the programs and tools these businesses need to address the risk of cyberattacks and build resilience.”
MICROSOFT
“Nearly 350 million businesses worldwide use Microsoft Office 365 solutions and benefit from built-in MFA security through our Microsoft Authenticator tools,” said Amy Hogan-Burney, Vice President of Customer Security and Trust at Microsoft. “This extra level of functionality makes it easy for businesses of all sizes to seamlessly integrate cybersecurity into their day-to-day operations, protecting their customers, employees, partners and every organization in their supply chains.”
PRINCIPAL FINANCIAL GROUP®
“Protecting your financial health starts with safeguarding your own assets. Implementing MFA is a strong way for business leaders to contribute to a safer and more secure financial environment for everyone,” said Meg Anderson, chief information security officer at Principal Financial Group. “We are proud to support CRI in its efforts to educate these leaders about the benefits of these tools and to drive their adoption among small and medium-sized businesses globally.”
T-MOBILE
“T-Mobile is committed to providing small and medium-sized businesses the solutions they need,” said David Bezzant, Vice President of Sales, T-Mobile Business Group. “When coupled with our advanced 5G security solutions and mobile device management (MDM) solutions, non-phishable MFA security tokens either physical or digital can help these businesses further secure their organizations.”