Most Small to Mid-Sized Organizations Don’t Use Multi-Factor Authentication

Published

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

While only 38 percent of large organizations don’t use multi-factor authentication to protect user accounts, 62 percent of small to mid-sized organizations do not use MFA, a recent KnowBe4 survey of 2,600 IT professionals found.

Similarly, almost 97 percent of large organizations have an enforced password policy, compared to just under 88 percent of small to mid-sized organizations.

Forty-nine percent of large organizations believe their current password policy is insufficient, while 48 percent of small to mid-sized organizations think their password policy is good enough.

“Passwords are a known weakness in corporate security and have come under more intense scrutiny recently,” KnowBe4 CEO Stu Sjouwerman said in a statement. “Most organizations have password enforcement in place, but most aren’t taking it seriously enough by not enforcing policies beyond the normal number and letter character minimum and not requiring multi-factor authentication.”

Getting Access

The impact can be significant. A recent Thycotic survey of more than 250 hackers at Black Hat 2017 found that 32 percent of respondents said accessing privileged accounts is the easiest and fastest way to get at sensitive data, while 27 percent said the same of accessing email accounts.

When asked who or what is most responsible for security breaches, 85 percent of respondents named humans, followed by unpatched software (10 percent) and insufficient security technology (5 percent).

Notably, the two technologies that hackers see as the biggest obstacles to access are multi-factor authentication (38 percent) and encryption (32 percent).

“In today’s connected world, organizations can no longer rely only on the traditional cyber security perimeter controls,” Thycotic chief security scientist Joseph Carson said in a statement. “The new cyber security perimeter must incorporate an identity firewall built around employee and data using Identity and Access Management technology controls which emphasizes the protection of privileged account credentials and enhancing user passwords across the enterprise with multi-factor authentication.”

Password Reuse

A separate Wakefield Research survey of 1,000 U.S. adults, sponsored by SecureAuth, found that fully 81 percent of respondents use the same password for more than one account. Among millennials, that rises of 92 percent.

Thirty-six percent of respondents said they use the same password for 25 percent or more of their online accounts.

“Since many customers are not taking security into their own hands, it’s important for organizations to protect consumer data, giving customers confidence that their data is being taken care of while still providing an ease of use to their service,” SecureAuth CEO Jeff Kukowski said in a statement.

Still, 86 percent of respondents said they would use two-factor authentication if it was offered — and 52 percent say their use 2FA for their banking/accounts, 39 percent say they do so for their email, and 27 percent do so for their social media accounts.

Password Practices

Separately, a recent Dashlane study found that 46 percent of consumer websites, including Dropbox, Netflix and Pandora, and 36 percent of enterprise sites, including DocuSign, Freshbooks and Amazon Web Services, failed to implement basic password security requirements.

The researchers were able to create passwords using just the lowercase letter “a” on Amazon, Google, Instagram, LinkedIn, Venmo and Dropbox.

“It’s our job as users to be especially vigilant about our cyber security, and that starts with having strong and unique passwords for every account,” Dashlane CEO Emmanuel Schalit said in a statement. “However, companies are responsible for their users, and should guide them toward better password practices.”

Jeff Goldman Avatar

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.

This field is required This field is required

Get the free Cybersecurity newsletter

Strengthen your organization’s IT security defenses with the latest news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

This field is required This field is required