Last updated on February 24, 2023
At first glance, enabling Multi-Factor Authentication (MFA) for only some of your users sounds like a good idea. You can save money and time by only protecting the assets you deem most important for your company. Unfortunately, this idea only sounds good on paper. Not putting MFA on all your users is one of the worst things you can do. Here’s why you should deploy MFA for all your users right now.
Yes, It Can Happen to You
Even though cybersecurity awareness increases with every passing year, some companies still think protecting only specific departments with MFA is good enough. Regrettably, the “it won’t happen to me” mindset is a widespread cognitive bias that makes people believe that their company will never fall victim to a cyberattack. Companies rationalize the threat of cyberattacks by downplaying their severity, likelihood, and scope.
But here’s the issue. You may think that your business is not a prime target of ransomware attacks and data breaches. You may think hackers would not want to bother with a company like yours. You may think that since you protected your most important information, there is no need to protect everyone and everything. You may think it won’t happen to you. But hackers may think otherwise.
A popular myth is that hackers only target large companies to maximize their profit. Indeed, we mostly only hear about big enterprises getting hacked. But the reason for that is the newsworthiness of a big company’s safeguards getting compromised. In reality, small and medium-sized companies are as likely to get targeted by cybercriminals. In addition, small and medium-sized companies find it harder to absorb the financial and reputational costs of ransomware attacks and data breaches. A small company may not survive a cyberattack and may either go bankrupt or fall into debt. Penny-pinching now may force you to spend thousands if not millions of dollars in the future.
No, All But One User Is Still Not Good Enough
Some companies believe that the likelihood of them getting hacked is low enough to neglect the deployment of comprehensive cybersecurity measures like MFA. Some also believe that securing only their most critical applications and users is enough. Understandably, many organizations are constrained by a tight budget, which leads them to think deploying MFA selectively would be an excellent money-saver. Then again, some people do not know the dangers of leaving their applications and networks unprotected.
Shockingly, one compromised account is all a hacker needs to access your network connection, company server, corporate network infrastructure, and applications. If you use MFA to protect all your user accounts but one, this is still not good enough. Chances are, the malicious actor will hack the sole unsecured account and use it to do financial and reputational harm to your company. In fact, this is precisely how hackers operate. Hackers deliberately look for a weak spot in your infrastructure and try to exploit it. Sometimes hackers find a vulnerability and then wait months before conducting a cyberattack. They may wait for an opportune moment, once they have gathered enough information and prepared the techniques that will allow them to carry out a successful attack.
Yes, Cyber Threats Are Real
One of the most damaging types of attacks in the last few years was the ransomware attack.
Last year, the world’s largest meat processing company, JBS Foods, was targeted by a ransomware attack. The malicious attack made JBS close all of its beef plants in the United States. In the end, the company decided to pay the ransom of $11M.
A similar ransomware attack happened back in May 2021. The Colonial Pipeline fell victim to an infamous ransomware attack that locked up some of its systems for several days. The ransomware attack led to gas shortages in several US states. Finally, the company paid the ransom of $4.4M.
The Colonial Pipeline attack was possible because hackers managed to compromise a single poorly-protected virtual private network (VPN) account that did not have Multi-Factor Authentication (MFA) in place. In other words, the cyberattack resulted from just one user not being protected with MFA. Hackers only had to break a single password to earn $4.4M. If anything, successful ransomware attacks only encourage hackers to keep trying.
The good news is that Multi-Factor Authentication can protect you against ransomware. But there is one condition: You must deploy MFA on all your applications, VPNs, services, systems, and users. Only such airtight protection can prevent hackers from gaining access to your company resources. Many ransomware attacks start from a malicious actor gaining unauthorized access by exploiting an unprotected account. Securing all accounts without exception bolsters your safeguards against this ransomware attack vector.
No, You Will Not Get Cyber Insurance Coverage
There are specific requirements you have to satisfy to get cyber insurance. An insurance agency may not cover the breach or ransomware attack damage if you have not deployed MFA for all your users. As a matter of fact, most cybersecurity insurance companies deny coverage to companies that have not implemented MFA for all their users. A company without cyber insurance will have to cover all remediation costs out of its own pocket.
Likewise, selective MFA is likely not enough for your company to abide by your industry’s regulations. Even if company-wide Multi-Factor Authentication (MFA) for all users is not a requirement for regulatory compliance yet, it may be compulsory soon. Companies that deploy organization-wide MFA today will not have to worry about adhering to regulations tomorrow.
Yes, MFA for All Users Makes a Difference
Though using MFA to protect only certain users is still better than not using MFA at all, recent cyberattacks clearly show that even one unprotected account can be a proverbial key to your company’s back door.
If you have not deployed MFA in your company, we recommend you do it now for all your users to immediately decrease the likelihood of a successful cyberattack.
If you have already deployed MFA in your company:
- Ensure that MFA is enabled for all your users without exceptions (as well as all your stakeholders and associates, if applicable)
- Ensure that MFA is enabled on all your applications (as well as Remote Desktop Connections)
- Ensure that MFA protects access to your corporate network from outside (you must require MFA during every VPN connection)
Fulfilling all three preceding requirements will considerably improve your security posture and prepare your company to face future cybersecurity incidents.
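One way to check the three requirements above against an inventory export is sketched below. It is an added example, not Rublon code, and it lists every account and access path combination where a password alone is enough to log in. The field names, the sample inventory, and the assumption that an unenrolled account is let through with just a password are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Account:
    name: str
    enabled: bool
    mfa_enrolled: bool
    mfa_exempt: bool = False       # per-user bypass flag (hypothetical field)
    paths: tuple = ()              # names of access paths the account can use

@dataclass
class AccessPath:
    name: str
    kind: str                      # "app", "rdp" or "vpn"
    enforces_mfa: bool
    every_connection: bool = True  # False: MFA skipped on remembered sessions

def password_only_logins(accounts, paths):
    """Return (account, path, reason) for every login a password alone allows."""
    by_name = {p.name: p for p in paths}
    gaps = []
    for acct in accounts:
        if not acct.enabled:
            continue               # disabled accounts cannot sign in
        for pname in sorted(acct.paths):
            path = by_name[pname]
            if not path.enforces_mfa:
                reason = "path does not enforce MFA"
            elif not acct.mfa_enrolled:
                # Assumption: unenrolled users are admitted with a password only
                reason = "account not enrolled"
            elif acct.mfa_exempt:
                reason = "account exempted from MFA"
            elif path.kind == "vpn" and not path.every_connection:
                reason = "VPN does not prompt on every connection"
            else:
                continue
            gaps.append((acct.name, pname, reason))
    return gaps

# Constructed sample inventory (not real data)
PATHS = [AccessPath("mail", "app", True),
         AccessPath("jump-host", "rdp", False),
         AccessPath("corp-vpn", "vpn", True, every_connection=False)]
ACCOUNTS = [Account("alice", True, True, paths=("mail", "corp-vpn")),
            Account("contractor-bob", True, False, paths=("mail",)),
            Account("svc-backup", True, True, mfa_exempt=True, paths=("mail",)),
            Account("old-vpn-user", False, False, paths=("corp-vpn",)),
            Account("carol", True, True, paths=("jump-host",))]
```

Calling `password_only_logins(ACCOUNTS, PATHS)` on the sample returns four gaps, including a fully enrolled user who is still exposed because the Remote Desktop host does not enforce MFA. An empty result is the target state.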
Rublon is Cost-Effective MFA Fit For Any Pocket
Looking for a cost-effective MFA solution that fits within your budget?
For just 2 USD a user a month, Rublon MFA is a solution for any pocket.
Sign up now and get a Free 30-Day Trial.