Getting business buy-in to enforce multi-factor authentication

It's always best to make sure all the right people are aware of and support changes in the business - especially when it will start to affect them directly! Big changes that people notice tend to benefit from an executive sponsor to lend weight behind the change - you'll know better than us whether that makes sense for your organisation.

If you do choose to ask an exec to sponsor this initiative, you should make sure you cover the following:

  1. Why MFA is important. Broad strokes are good - but make sure you are able to describe an attack that MFA would prevent in simple terms. This is gold should they ever need to defend MFA to another exec - if you’ve had an attack in the past that could have been prevented by MFA then even better. See our blog post on the value of MFA as a starting point.

  2. Any risks and what you've done to mitigate them. You can read more about this in our article about risks we’ve identified through learning from past MFA deployments, and mitigations we’ve built into this plan.

  3. Costs. Will you be asking the exec to support you in requesting additional budget for hardware tokens or upgraded licenses? Fortunately in most cases new hardware or upgraded licenses aren't needed, but it’s good to make sure there are no surprises down the road.

  4. Process and timelines. MFA rollout across multiple platforms typically takes anywhere from a month to 6 months depending on the size of the organisation. If you are a smaller (say less than 50 employees) tech-savvy team you can aim for the lower end; otherwise it might be smart to give yourself enough space to do it gradually. Walk them through this plan just enough so they have a feeling for what to expect, and what could cause delays.

  5. Let them know if you plan to include their name in comms to the rest of your team. If they aren't comfortable with that, they may not be a great fit for a sponsor.

Tip: As you plan for the discussion, write out your talking points and notes and follow the discussion with an email summarising those key points. You can use this email template as a starting point:

Hi <sponsor>,

Just following up on the discussion we had around MFA deployment, and your assistance in sponsoring the initiative, with a few notes for your reference.

Why we are doing this:

  • MFA is currently the control we are missing that is most likely to cause us problems going forward. These types of attacks are in the news on a daily basis, and seem to be costing businesses like ours a lot of money.

  • It is highly recommended by Microsoft, Google, Amazon, US and UK Gov. (MS says it prevents 99.9% of attacks against accounts, and Google uses similar numbers).

  • It will prevent attacks caused by one of our users choosing weak passwords, re-using passwords they have used on other websites (perhaps outside of work), or someone successfully phishing one of us.

Costs:

We don’t currently foresee any new costs beyond the time required for myself and the IT team to implement this, which based on our plan looks like it will be on the order of days rather than weeks of effort.

Risks and mitigation - we’ve identified three main risks:

  1. User acceptance - we have made every effort to minimise the effort for users (e.g. reducing the number of MFA prompts, and even relaxing password policies once MFA is active).

  2. Emergency failures - we have a plan that we will fully rehearse to deal with a situation where anyone has been locked out of their account and needs to bypass MFA in an emergency.

  3. System integration - we will perform checks to make sure we won’t break any existing software before we enforce MFA.

Timelines:

This project will run mostly in the background, requiring periodic check-ins and ongoing support from the IT support team. We are aiming to get pre-start checks out of the way and the first batch of users enrolled in the next couple of weeks, then gradually get the majority of users on-boarded over the following month, before finally targeting an enforcement date 3 months from now, on <target date>, if everything goes to plan.

Finally, just a reminder that I’ll be adding you as project sponsor on our <internal wiki / company portal> and in emails that go out to the team.

Please let me know if you have any questions.

Kind regards,

We want to develop automations and resources that make this as easy as possible and we want your ideas and feedback! From developing the perfect presentation so you don't have to, to a bot that automates the whole thing - anything is possible!

Please contact us with anything you'd like to see that would make this easier for you.