Outsmarting Hackers: Defending Your Business from Email Compromise Attacks
Overview
Glen Willis shares a simple way to drive real MFA adoption. Make it required, tune the rollout to fit your users, and plan a clean path from easier options to stronger factors. You will hear where SMS fits, why usability matters for uptake, and how to move the org forward without stalling the program.
- Set MFA as a clear policy requirement for key systems.
- Choose the path that gets the most people on board, then improve from there.
- Use SMS codes if it helps adoption, while planning the next step up.
- Revisit factors over time as users and tools mature.
Transcript
Glen Willis, Director of Cyber Technology with Kalles Group.
For most implementations, you want to collaborate with your users and kind of work with them, and make it feel like the way that the implementation impacts them is critical.
MFA today really should be viewed, in my view, as a non-negotiable. I would write that into your policy and say, MFA will be used for systems X, Y, and Z, right, those kinds of things, and just position it as a non-negotiable.
Now, implementation can be tweaked a little bit, right? We’re seeing more and more and more where we used to just have to open an authenticator app and just click yes or click allow, whatever that was. Now we’ve got to kind of capture a code and enter that code elsewhere or click on the right code, wherever that is.
And we get asked all the time, is delivering codes via SMS, is that okay, right? My sense is that whatever’s going to get you to adoption is the right path for you. If you have a lot of users who aren’t the most tech savvy and don’t use technology predominantly to kind of do their work, who don’t sit at a laptop like I do all day every day and do my work, or what have you.
So whatever technology solution is going to get you to adoption is the way that I would kind of treat a way to soften that implementation. Everybody knows how to look at a text message to get a code and type the code across.
Now, a lot of people will say that’s not the most secure way to do that. And there is some validity to that perspective. It’s probably a five or ten minute conversation we could have on that.
But I would say make it non-negotiable, require it. Then from an implementation standpoint, think about your users and what’s going to kind of get you the adoption rate you want the most, and tackle that technology solution.
And if you’re on SMS-based delivery of codes, maybe you’re going to do that for a year or two, and then think about switching and kind of upgrading to something that might be a little bit more secure.
So that’s my feedback there.
