person entering password on phone

MFA for SMBs: 3 Barriers to Adoption and How to Overcome Them ASAP

While business behemoths often steal the economic headlines, it’s small and medium businesses (SMBs) who really steal the show. For context, the U.S. Small Business Administration reports there are 32.5 million small businesses in the United States, compared to only 20,516 large businesses. This means that 99.9% of all U.S. firms are considered to be small businesses, which are generally defined as independent organizations having fewer than 500 employees.

And while the headlines might suggest that cyberattacks only impact large organizations, their smaller counterparts are equally vulnerable to these attacks and their related consequences.

Consider this from Cybersecurity Magazine:

  • 43% of all data breaches target SMBs, but only 14% of SMBs consider their cyberattack and risk mitigation ability as highly effective
  • 43% of SMBs do not have any cybersecurity plan in place, with 52% of SMBs having no IT security experts in-house
  • 83% of SMBs are not financially prepared to recover from a cyberattack

But also consider this: 80-90% of cyberattacks could be prevented by the use of multi-factor authentication (MFA).



With this much protection offered by a single solution, what should SMBs know about MFA? And how can they work to adopt it more effectively?

A Quick Introduction to Multi-Factor Authentication

If you need an introduction to multi-factor authentication, or MFA, the concept is relatively simple. Instead of using a single authentication factor, like a standalone password, MFA solutions verify a user’s identity using a combination of a variety of factors, such as a smart card, security key, OTP token, PIN, fingerprint, voice recognition — and the list goes on.

The combinations of how MFA can be deployed are numerous, but one of the most common use cases includes a password connected to a username, followed by a verification code sent via text message or email. This approach helps ensure that a user is indeed who they say they are, preventing bad actors from accessing sensitive data stored in a shared network, for example.

To further explain the power of MFA, the technology can be used to better protect critical resources for SMBs, such as:

  • Databases and Applications — Access to databases, including sensitive HR information like payroll, employee records and financial numbers, can be protected using smart cards, security keys, one-time-password (OTP) tokens or mobile authenticators as a second verification factor when logging in to those applications
  • Employee-Issued Computers and Mobile Devices With employees working in multiple places using multiple devices, MFA can help safeguard these devices at home and in remote offices by adding a second layer of authentication to the traditional password through a security key or smart card
  • Multi-User Devices — For organizations that use shared devices, such as a shared workstation, MFA enables those employees to easily and securely log in to shared computers and devices in industries like retail, manufacturing and healthcare
  • Networks and Servers — With networks being one of the most targeted areas for cybercriminals, secure VPNs and servers make it easy for users to safely access the resources they need — even when using a public network

With all of these benefits and protections in mind, one might wonder why more than half of SMBs have yet to implement a cybersecurity policy leveraging MFA.

Barriers to Adoption of MFA for Small and Medium-Sized Businesses

Although MFA offers a straightforward solution in reducing risk of cyberattack, most SMBs have yet to take advantage of this technology. This is understandable as business owners and leaders must wear multiple hats, juggling competing priorities with often limited budgets.

According to the Cyber Readiness Institute, when we dive deeper into the details, there are three key barriers to MFA adoption:

  1. Lack of Awareness ­— 55% of SMBs are reported to remain unprotected because they’re simply unaware of MFA and its benefits to their organization
  2. Limited Understanding — Beyond a lack of awareness, 30% of business owners said they don’t utilize MFA because they simply don’t know how it works. In addition to the fundamental functionality, there are a variety of MFA options to consider, including a range of form factors that can be utilized to best meet an organization’s needs.
  3. Perceived Inconvenience — 20% of SMBs believe MFA is too inconvenient, when in reality, we’re all more familiar with the concept than we think

How Smaller Businesses Can Best Implement MFA

In the rapidly evolving threat landscape, SMBs must find ways to better protect themselves and their sensitive information. MFA can serve as a fundamental piece of a larger cybersecurity puzzle for small and medium businesses by allowing them to quickly and easily increase security and convenience.

For example, implementing MFA allows these organizations to eliminate reliance on passwords, which not only increases security, but also improves user experience. In addition, MFA facilitates a safer remote and/or hybrid work environment so employees can securely access necessary information from a variety of locations and devices.

So what should decision-makers know about MFA for their SMB? Take a look at these guidelines to help find the right technology solution and provider for your needs:

  • Ease of Use — The right MFA solution should offer a variety of authentication methods, but should also be easy to adopt and use across the organization. After all, this added security measure is there to provide assurance and convenience — not to make life more difficult.
  • Multiple Methods and Form Factors — Determine the best combination of authentication methods and form factors. Some providers offer only a small selection, which can tie you down to very basic and inflexible options that do not fully meet your unique needs.
  • Easy Deployment and Management — Time is money, especially for SMBs. Some solutions can take months to deploy, require extensive training and new installation codes, as well as potential overhauls to existing applications. Look for a solution that can be up and running in days.
  • A Complete Solution — Any MFA solution should provide comprehensive security across all of your assets, including your PCs, mobile devices, applications and networks
  • Compliance — Compliance impacts businesses of all sizes, particularly those in regulated industries. As such, be sure to find a provider that meets evolving industry standards, including data protection such as GDPR and CCPA.
  • Adaptability — As your business grows, your security needs will also evolve, with some users or parts of your business requiring more security than others. Make sure your provider allows you to scale and adjust accordingly.

Leading and growing a smaller business is a big challenge. Fortunately, adopting MFA provides a safety net to help thwart cybercriminals, protect your business’ reputation and most importantly, help protect your bottom line.

Want to learn more about multi-factor authentication for smaller businesses? Download the eBook >>

Andrew Bull is the global Sales Director of the Workforce Authentication solutions within HID’s Identity and Access Management portfolio. He brings over 25 years of experience in physical access security. Prior to his current role at HID, he supported HID SAFE within global banking organizations and other solutions within PACS. Andrew previously worked for JCI (Cardkey) and Honeywell. As an active member of UK ASIS Chapter, he enjoys speaking on a variety of identity and access management topics.

RECENT POSTS