Back to blog

Multi-factor Authentication: Why SMBs Need a Layered Security Approach

Small businesses are just as vulnerable to cyber and network attacks as large corporations since the main concern of hackers is to steal confidential financial information. Once they've seized the data they can use it themselves to compromise accounts or sell it to other criminals on the dark web. Here are realistic ways your SMB can fight attackers, using multi-factor authentication strategies.

Why Password Protection Should Be a Major Concern

Woman using a laptop

Passwords are routinely cracked by criminals and legitimate security professionals who hack computers for security testing purposes. CEO Jeremi Gosney of Stricture Consulting Group has demonstrated cracking over 10,000 passwords in 16 minutes. That fact alone should concern all website owners. The problem with security breaches is much more serious than the public understands due to the minimal focus of mainstream media coverage on security breaches. Only the biggest hacks involving popular entities seem to make occasional headlines.

Generally, any website login can be hacked by experienced hackers. It's more a matter of time and resources than hacking knowledge or skills. The most vulnerable sites are those hosted on old equipment with dated software or those that use weak passwords and other inadequate safeguards. Four-character passwords are the easiest to hack when you consider there are only so many mathematical combinations for such weak protection.

A simple step to enhance your protection: require at least 8 characters that include complex combinations of upper and lower case letters, numbers, and special characters.

Building a Strong Defense Against Hackers

While basic password enhancements are helpful, and frankly should be required practices, small businesses really should be implementing layers for security, also known as Multi-Factor Authentication (MFA). This strategy involves using various forms of data protection beyond just password and antivirus software, like advanced server protection, virtualization, segmentation, encryption, and/or firewalls. Multi-factor authentication is the use of protecting password breaches with extra barriers that create additional variables for identifying the account holder.

The core thinking behind multi-layered security is to make conditions as difficult as possible for hackers to get into systems and accounts storing sensitive information. Antivirus software alone can be easily hacked by the most advanced cybercriminals, this as one layer in your defense will provide another door behind it for a hacker to open.

Why the Multi-factor Solution Works

Even though the savviest hackers can eventually penetrate systems if they work at it long enough, the goal of most cybercriminals is to launch as many attacks as possible then exploit the most vulnerable sites. It's a numbers game since it's easier for them to focus on weak protection, rather than sites using multiple blockades.

Most banks and other financial institutions now require multi-factor authentication for users. This means you can no longer get into a bank account with just a user name and password, as you must also use additional forms of authentication to prove you're the legitimate account holder. Various types of authentication include the bank texting an SMS code to the user's smartphone or answering security questions.

Keep in mind that your mother's maiden name or favorite band information is dangerous to share on social media, where hackers research identifies with the goal of identify theft.

The three basic ways to verify user identity are:

  1. Something you know: names of people you know personally
  2. Something you have: codes or tokens
  3. Something you are: physical proof such as a thumbprint

Implementing Multi-Factor Authentication with Employee Awareness

Man working on laptop

Tech companies such as Google and Apple already use multi-factor authentication options for enabling stronger security. While you look at tools to build barriers of entry into your network, don't overlook a key first step: educating your staff about cybersecurity and why it's important. It does no good to just tell workers to create complex passwords if you don't explain why.

A recent Decision Analyst study for SecureAuth + Core Security found that 63 percent of survey respondents among organizations experience employee backlash over security measures involving passwords and authentication.

Many unsuspecting workers don't like to bother with creating complex passwords they can't remember or keep track of, so they just rely on simple passwords they use across multiple accounts. That's a recipe for disaster if you don't explain why that old method no longer works.

Set strict policies on who is allowed to access specific internal or external resources and clearly communicate these policies to all staff members who access your network. Let workers know that human error is a leading cause of security breaches, particularly when an employee is fooled by a phishing scam to click an infected email. Hackers regularly disguise themselves as trusted brands or even employers with similar email domains. By posing as an employer they can trick victims to give up passwords or sign in to accounts through fraudulent links.


Multi-factor authentication is one of the most reliable methods for causing hackers to give up. All businesses are vulnerable to cybersecurity breaches, so select several different security measures to put up as many walls for hackers to climb as possible. Get started building your multi-factor authentication for your small business with our tip sheet.

Managed Service Provider Tip Sheet