Step 1: Create a Committee
Instead of asking yourself “How do I implement MFA?”, re-angle your thought process to “How do WE implement MFA?” While implementing MFA may be the responsibility of the technology team, successful adoption requires buy-in across the organization.
In her address to Congress in May 2022, Amy McLaughlin, Cybersecurity Project Director for CoSN, highlighted the importance of this mindset:
Your greatest tool in deploying MFA is to engage leaders from impacted departments. By design, MFA increases the number of steps taken to access resources. However, having “boots on the ground” in the respective departments helps ensure there are champions to explain the need and assist with adoption at each stage. Controlling change management is crucial to the successful adoption of any new technology initiative.
Step 2: Call Out Weak Points
The committee’s first task is to document an inventory of existing resources: “What do we have today?”, “What do we use it for?”, and “What can we use it for?” are all questions that help determine what is missing from your security posture and assess your level of risk. This inventory can include devices, systems, applications, access points, and more.
Step 3: Create a Plan
The committee should be aware of the potential risks and create a plan to address them. While not every cybersecurity risk needs to be completely mitigated by the plan, it’s imperative to document all known risks, as well as a potential recourse for each.
For example, consider scenarios such as:
- What happens if someone guesses the SIS administrator’s password?
- What happens if someone guesses a student’s password and gains access to their accounts?
- What happens if we lose power in our on-premises data center?
- What do we do if we suffer a ransomware attack?
Use these documented risks to shape policies around mitigation and/or recourse by asking questions such as:
- Can a product or human resource mitigate this risk?
- Can our own policies and user behavior reduce this risk?
Step 4: Procure Necessary Resources
If, after calling out the weak points and creating a plan, it is determined that new resources are required, remember the impacted user base. This is critical, particularly in Education, because many two-factor authentication (2FA) and MFA products were designed with only the corporate employee in mind, a single role that values security above all else.
However, in Education, teachers and students are subject to the decisions of the committee, so the right balance between security and ease of use must be carefully considered for each individual.