Statistics Warn About the Urgent Need for MFA

January 21, 2021 | Posted in:

Cloud Security

Has your small and medium-sized business (SMB) moved to the cloud but has not enabled Multi-Factor Authentication (MFA)? This tool is a proven game-changer for data security in the fast-growing shift to remote work. So why do statistics show that enforcing MFA within organizations is very low? MFA is a cloud security essential and simply needs to be enabled and enforced to provide secure end-user access to your corporate data. Here is a look at some revealing statistics that show just how important MFA is at keeping cybercriminals out of your network.

The term MFA simply refers to a supplemental authentication method to your current username and password (credentials) requirement. There are three basic authentication elements for MFA that can be used to prove your identity before granting access to apps and files. These include:

  • something you have (token or smartphone),
  • something you know (password or PINs), and
  • something you are (thumbprint, voice, or face ID).

Adding a second layer of authentication is a low-cost, proven cloud security solution your business can employ to prevent 99.9% of account compromise attacks and avoid a data breach.

microsoftAlexander Weinert is the Director of Identity Security at Microsoft and spoke at a recent cybersecurity industry conference. Weinert stated that among enterprise cloud users, there is only an 11% MFA adoption rate. That means that 89% of users have not enabled the most effective tool against cyberthreats within their organization. Weinert also reported that on average, over 1.2M Microsoft enterprise accounts will be compromised each month. Of those 1.2M compromised accounts, greater than 99.9% did NOT have MFA enabled. The big question is “Why Not”? 

IRS-LogoBack in 2015, the IRS along with 42 state agencies and 20 industry offices formed the Security Summit partnership. The purpose of the group is to protect the nation's taxpayers against increasing identity theft refund fraud. Recently, in July 2020, the IRS partnership put out a press release titled, "Working Virtually: Use 'MFA' to protect accounts." The release called for all tax professionals to choose MFA whenever possible. This would help protect client data from cybercriminals. According to the IRS, there were numerous data thefts reported from tax professional offices this year. They also stated that most could have been avoided with the use of MFA to protect the tax software accounts. It went on to say that as of 2021, all tax software providers will be required to provide MFA on their products. These heightened threats are caused by cybercriminals exploiting the increased remote workforce. According to IRS Commissioner, Chuck Rettig, "Cybercriminals continue to find new ways to try accessing tax professional and taxpayer data. The 'MFA' option is an easy ... way to really step up protection of client data."

210px-Seal_of_the_Federal_Bureau_of_Investigation.svgIn March 2020, the FBI Cyber Division released a new Private Industry Notification (PIN). The report stated that cybercriminals increasingly target organizations with cloud-based email services. They are using a tactic known as Business Email Compromise (BEC) scams. The Internet Crime Complaint Center (IC3) began tracking BEC scams in 2013. They report that overall losses have increased every year since tracking began. In the years between January 2014 and October 2019, US businesses reported $2.1B in actual losses to the IC3. The report went on to outline how cybercriminals compromise email accounts with “phishing kits”. These kits were initiated by the cybercriminal through email communications. They would impersonate the compromised business to third-party vendors and customers. The end goal was to request pending or future payments. These payments would ultimately be directed to the cybercriminals' fraudulent bank accounts. The report concluded by stating SMBs are the most vulnerable to BEC scams, and IT administrators should take advantage of all protection tools like MFA, to better defend against targeted attacks.

It is evident from these statistics that cybercriminals favor compromised user credentials. Without MFA in place, data harvesting within personal and business accounts is much easier. The days of using only strong passwords to confirm user identity are behind us. The new minimum standard for securing end-user access to your data includes MFA. By requiring a user to authenticate before accessing data, you can prove their identity. The end-user will first need to know their username and password. Then, with MFA enabled, a second authentication method is required, like a user’s cell phone. Without that second method, the user cannot access the data. So even if the end-user credentials are compromised, it is unlikely that the cybercriminal also has the user's cell phone.
multi-factor-authentication-statisticsMFA is an easy-to-use, cloud security best practice that is compatible with a large range of applications. If you have a cloud solution in place, then MFA is already available to secure end-user access to nearly any core business application. Let MFA stand between the cybercriminals and your network by contacting us today and learn how to get started. Enable MFA throughout your organization with a simple, low-cost implementation project and Stop Cybercriminals in Their Tracks!

Multi-Factor Authentication Guide

Learn how MFA works to successfully protect your organization’s employees, clients, and data. Read the MFA Guide.


For more information on MFA and the role it plays in a greater cloud security strategy, connect with Systems Engineering at 888.624.6737 or info@systemsengineering.com. Clients, please reach out to your Account Manager directly.