Demonstrating a complete lack of focus on the need for additional authentication factors, surprising new data highlights a material security gap that enables cybercrime.

I’ve previously covered industry data that points to the overwhelming majority of cyberattacks use valid accounts (which puts harvesting credentials as a primary attack focus). But new data from MFA hardware vendor Yubico in their State of Global Enterprise Authentication Survey puts a clear focus on the problem – organizations just aren’t implementing multi-factor authentication.

According to the report, a third or less use some form of additional authentication factor:

  • 33% use Mobile/SMS pushes
  • 30% use a Password Manager
  • 29% use a mobile push authentication app
  • 20% use hardware keys

What’s more shocking is that 59% of employees rely on simple username and password combinations to authenticate.

This isn’t good folks.

All it takes is one really good social engineering phishing attack and threat actors will have one or more sets of your employee’s credentials. And with no additional authentication factors, cybercriminals have the keys to whatever corporate kingdom the compromised employee has access to.

So, first off, implement MFA. Across the board for everyone. No exceptions.

Second, implement Security Awareness Training – again, across the board for everyone, so that every user is educated on the state of phishing and social engineering attacks, and can help avoid providing threat actors with usernames and passwords (remember, even those orgs with MFA in place are being attacked with MFA Fatigue attacks – making it necessary to train everyone, regardless of MFA status).