Priority 1 – Deploy Multi-factor Authentication (MFA)

March 27th, 2024
Priority 1 – Deploy Multi-factor Authentication (MFA)

CISA in their January and August 2023 Bulletins again called out some of the most important ways that schools can protect themselves from cyber attacks. In both reports, CISA suggested that schools start their Cybersecurity journey by implementing six of the Highest-priority security measures.

  • Implement multifactor authentication (MFA) (CPG 2.H)
  • Fix known security flaws (aka patching) (CPG 1.E)
  • Perform and test backups (CPG 2.R)
  • Minimize exposure to common attacks (CPG 2.Q and 2.W)
  • Develop and exercise an incident response plan (CPG 2.S)
  • Implement a strong cybersecurity training program (CPG 2.I)

Today’s bulletin will talk about step 1 – Multifactor Authentication (MFA). MFA is a layered approach to securing online accounts and the data they contain. When you require a combination of two or more authenticators you are significantly less likely to be hacked. Why? Even if one factor (such as a user password) becomes compromised, unauthorized users will be unable generally to bypass the second authentication requirement, ultimately stopping them from gaining access to your accounts.

When we talk about two or more authenticators, what are we talking about? Authenticators can be: Something you know (like a password or PIN), Something you have (like an authentication app or a confirmation text on your phone), or Something you are (a fingerprint or face scan). You have probably experienced MFA on at least one of the systems you access either professionally or personally.

A joint study by Google, New York University, and the University of California San Diego found that using MFA can block up to 100% of automated bots, 99% of bulk phishing attacks, and roughly 66% of targeted attacks. Microsoft and the FBI have said that approximately 99% of the attacks are thwarted by implementing MFA.

Not only is this one of CISA’s top six recommendations, but your district auditors and the NYS Comptroller’s Office technology auditors are most likely talking to you about your MFA strategies and beginning to cite you in their reports for not having a comprehensive plan. (If they aren’t yet, they probably will be very soon)

Cyber insurance carriers for many school districts have also been requesting an MFA plan before renewing districts’ cyber insurance. Without one it could be possible that you will be unable to renew your existing insurance at your current level of coverage.

As you can see, not only will MFA help keep you safer, but it will keep you ahead of requirements handed down from outside sources. There are many different methods for implementing MFA in your district. Talk to your Tech Director about what you might already be doing, and what he/she recommends. We are happy to discuss options with you as well. If you would like to do some additional reading on your own, here is the link to CISA’s webpage on MFA:

This week’s suggestion:

  • Talk to your Tech Director about how you are currently using MFA and if there is a need to expand usage.

Do you have questions about where to start with MFA implementation? Are you feeling overwhelmed by the NIST Cybersecurity Framework and CPGs? Call CSI and ask how we can help you understand and help mitigate your Cyber risk. We have a specific service to help you get started on the NIST CSF journey. Just contact Lisa MacDougall ( or 845.897.9480.