
Cybersecurity controls continue to evolve, just as threats and threat actors continue to organize and adapt to the new controls. Passkey authentication and zero-trust authorization are the talk of the moment. Not there yet? Is multi-factor authentication still a “work in progress” for your institution? Don’t give up!
Does your organization still utilize some accounts with only single-factor authentication? First, identify the barriers to multi-factor authentication implementation for your organization. Organizational prioritization or technical limitations may be obstacles to MFA implementation for some systems or some accounts. Even if the organization has deemed MFA a no-go for all or some user accounts, it may still be an option that users can elect to implement. Promote this habit and reward it, whenever possible.
Can a subset of single-factor accounts be updated to multi-factor? In particular, consider technology staff accounts, leadership accounts, financial staff accounts and any accounts with administrative access. Ensure critical systems that support MFA have this in place, if possible.
MFA not an option? Add one, two, or even better—all five of these other safety measures:
- Require long passwords of 15+ characters.
- Monitor accounts for suspicious login activity.
- Implement situation-based login security measures such as geoblocking.
- Delete unneeded/old accounts.
- Train users regarding password habits.
Raise awareness of any incidents where single-factor and weak-password accounts are compromised to continue to educate staff and leadership about the risks and threats. An organization may make the decision to accept rather than mitigate a risk, but the key is that this decision must be informed and, ideally, documented.
Reasonable cybersecurity is an expectation of stakeholders, patrons and families. Keep working on moving towards reasonable security by continuing to implement MFA, whenever possible. In the excitement of learning about and applying the safest measures, there is still value in pushing for improvement, and some improvement is better than none.