By Adrian Jones, CEO at Swivel Secure
With the sharp rise in cybercrime, it is a growing concern that, irrespective of size, geography or industry, businesses could be at risk if they have not taken precautions to protect themselves.
With technology constantly evolving, many organisations are choosing to deploy a multi-factor authentication (MFA) solution, rather than a two-factor authentication (2FA) solution because of the increased protection it provides their business.
For example, if a business has data that is perceived as critical and a core part of the business, such as patents or customer data, protecting it with full MFA would ensure the users accessing that information are legitimate, proving their identity with something that they have (mobile device), something that they know (PIN or one-time code) and something that they are (fingerprint).
If this could be utilised dynamically in the business so users can only authenticate with methods appropriate to the information they are trying to access, then it also ensures efficiency is optimised without compromising security. But how much does a business have to compromise when it comes to the investment?
Upfront investment considerations
There are initial upfront costs including licenses and hardware needs, plus Professional Services depending on change control requirements to reduce the burden on internal IT professionals.
Businesses will also come up against help desk costs during deployment for end-users, and the shipping of the tokens if an organisation chooses to purchase hardware tokens for authenticating their stakeholders.
Other upfront costs could be less tangible, such as training and a price attributed to the increased productivity of enrolling users to authenticate using the platform.
However, whether the costs are tangible or not, the total cost of ownership (TCO) is sometimes overlooked in the initial enthusiasm to minimise the disruption of a network restructure or of switching authentication solution.
Considering total cost of ownership of your new solution
Once businesses have deployed their solution, the training has started to pay dividends with a decrease in calls for assistance, and teething problems have become more of a blur than a nightmare, they then receive their invoice for the maintenance renewal.
No sugar coating it – maintenance renewal can be very expensive, and the costs are not always transparent during initial discussions. With focus on the proof of concept (POC) and ease of deployment, it is easy to see why ongoing costs are not always discussed or explored.
Ongoing maintenance costs can include help desk costs for end-users or IT admin time for administrators. Some suppliers will also charge for patches and upgrades, new connectors or integrations, and even data centre charges such as utility costs.
Implementing a solution like MFA is no mean feat and not surprisingly, some suppliers will rely on businesses stomaching the large ongoing maintenance costs because the thought of going through the whole exercise again is just too much to bear.
It sounds simple, but ensuring businesses perform due diligence before signing on the dotted line is essential, if they don’t want any nasty surprises after smugly surviving the first twelve months.
Everybody wants an easy life, especially when it comes to deploying something like MFA within their organisation, but it’s easy to get wrapped up in the ‘plug and play’ selling point, without realising the hefty invoices that will follow.
To help businesses ask the right questions when they start exploring MFA solutions, here are some recommendations that should be considered at the outset.
Ongoing maintenance costs for administrators:
- Are there any costs associated with the support for hardware and software?
- What are the costs for patches and upgrades?
- Is there a cost for additional connections or integrations?
- Are there any data centre charges?
- What is the charge for IT admin time?
Ongoing maintenance costs for users:
- Is there a cost for lost or damaged tokens?
- What are the costs for token license renewals?
- Are there any shipping costs involved?
- What are the costs for help desk for users?
Costs associated with productivity
As well as ongoing maintenance costs, other costs such as those associated with productivity continue to grow in importance. It is easy to see why the costs associated with productivity are a big advantage, with the senior management team keen to ensure that both the implementation of the MFA solution and the continued authentication of users bring minimum disruption to the business.
Time per authentication can be a big selling point, but ensuring the chosen solution incorporates features such as risk-based authentication (RBA) as standard means the user will only ever have to authenticate with the appropriate level or method. For instance, if they are working in the office and logging into Office 365, they may just require one method or factor. If the same user is trying to access their customer relationship management (CRM) database remotely, using a personal device, they may require full multi-factor authentication. Even then they may be denied access, depending on how the administrator has set them up.
The point is, a dynamic solution can provide the appropriate level of authentication on a per-user, per-application basis, ensuring productivity is maximised without compromising security. Some MFA providers automatically include the RBA feature as standard, but most will add a surcharge to the license.
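The per-user, per-application decision described above can be sketched as a small policy function. This is an added example, not code from any MFA product; the application names, baseline factor counts, risk increments and the per-user deny list are all assumptions made for illustration.

```python
from dataclasses import dataclass

# The three factor types named in the article: have / know / are.
FACTORS = ("possession", "knowledge", "inherence")

@dataclass(frozen=True)
class Context:
    user: str
    app: str
    on_corporate_network: bool
    managed_device: bool

# Assumed per-application baseline: factors required when the context adds no risk.
APP_BASELINE = {"office365": 1, "crm": 2}

# Assumed administrator setting: (user, app) pairs refused outright when the
# request is both remote and from a personal device.
DENY_REMOTE_PERSONAL = {("bob", "crm")}

def required_factors(ctx):
    """Return how many distinct factors to demand, or None to deny access."""
    if ctx.app not in APP_BASELINE:
        return None  # fail closed: no policy defined for this application
    remote = not ctx.on_corporate_network
    personal = not ctx.managed_device
    if remote and personal and (ctx.user, ctx.app) in DENY_REMOTE_PERSONAL:
        return None
    # Each risk signal raises the requirement by one, capped at full MFA.
    needed = APP_BASELINE[ctx.app] + int(remote) + int(personal)
    return min(needed, len(FACTORS))

def authenticate(ctx, verified):
    """verified: set of factor types the user has already passed."""
    needed = required_factors(ctx)
    if needed is None:
        return "deny"
    distinct = set(verified) & set(FACTORS)  # ignore unrecognised factor types
    return "allow" if len(distinct) >= needed else "step-up"

if __name__ == "__main__":
    office = Context("alice", "office365", True, True)
    remote_crm = Context("alice", "crm", False, False)
    print(authenticate(office, {"knowledge"}))
    print(authenticate(remote_crm, {"knowledge", "possession"}))
```

A "step-up" result means the user is prompted for a further factor rather than refused, which is what keeps low-risk logins quick while high-risk ones get full MFA.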
Full functionality, accessibility and configurability as standard
Each organisation has different architecture and this will impact the requirements. However, some features are universal and designed to provide:
- Efficiency such as single sign-on (SSO), where users only need to authenticate once to access all of their applications
- Flexibility such as RBA
- Productivity with user portals which allow users to reset their PINs and provision their mobile device autonomously
Other surcharges can be added for each additional method (factor) of authentication. Using a solution with RBA might provide both increased flexibility and productivity, but if businesses get charged for utilising more than one authentication method, then it will counterbalance the advantages. Ensuring users have access to all available methods of authentication as standard will ensure they benefit from features such as RBA without the added cost of using more than one factor.
Overall, once a business has made all its decisions and found the right solution, they need to question the likelihood of any requirement to amend the configuration, software or connections in the future. This is likely to cost the organisation considerable investment, so ensuring they understand the configurability and adaptability of the solution is paramount.
Documenting the differences between suppliers is never going to be easy. However, considering the full offering including features, factors and on-going maintenance costs (for both administrators and end-users), should help to illustrate the full investment of implementing the solution.