The U.S. Cybersecurity & Infrastructure Security Agency (CISA) published recommendations Thursday that addresses challenges in adoption of single sign-on (SSO) services by small and medium-sized businesses (SMBs).
The recommendations draw from a CISA study involving focus groups with stakeholders, including SMBs, SSO service vendors, managed service providers (MSPs) and network auditors, that aimed to identify stakeholders’ attitudes toward SSO adoption by SMBs and potential barriers to adoption. The recommendations are also informed by existing literature covering the topic of SSO use at SMBs.
The research helped identify several pitfalls, both financial and non-financial, that lead to hesitance among SMBs when it comes to implementing SSO at their organization. Additionally, the focus groups revealed that SMBs and SSO vendors had misaligned perspectives regarding the benefits of SSO, its costs and the technical expertise needed to implement it effectively.
The benefits of SSO for SMBs
The CISA publication emphasizes that SSO can significantly bolster cybersecurity for small and medium-sized businesses in several ways.
SSO provides a streamlined and centralized form of identity management that makes it easier for users to access their accounts and easier for IT departments to manage the user account lifecycle, the agency said. Without SSO, many SMBs rely on spreadsheets to manually keep track of accounts, and users are more prone to forget their passwords or reuse passwords across many accounts.
Despite its benefits, CISA found that many SMBs do not view SSO as necessary or as a priority, suggesting that more awareness and access to information about SSO’s benefits is a first step toward encouraging its adoption. However, even SMBs that recognize the importance of SSO and want to implement it face financial and technical limitations that may ultimately prevent them from doing so.
“SMBs are hesitant to pursue early adoption of new technologies as their main goal is maximize profits. However, they often face challenges determining which technologies to invest in, assessing the benefits of these investments, and finding reliable vendors that offer reasonable prices,” the CISA document stated.
Vendors encouraged to make SSO more attainable for SMBs
A common financial barrier preventing adoption of SSO technology by SMBs is the fact that SSO is often only available bundled with other services at a high-cost enterprise “tier” intended for larger businesses with higher headcounts. This disproportionately higher cost is sometimes referred to as an “SSO tax.”
CISA thus recommended vendors unbundle SSO from other costly services that will have less benefit for SMBs and offer more flexible SSO services tailored to businesses with a lower number of employees.
Another problem for SMBs is the lack of technical expertise and resources needed to effectively deploy an SSO system. CISA’s study found that vendors tend to believe their onboarding instructions are sufficient to enable customers to effectively implement SSO services, but SMBs, on the other hand, reported difficulty and confusion while rolling out SSO due to lack of adequate vendor support.
Additionally, SMBs may have difficulty selecting an SSO service that is compatible with their own legacy systems, compounding the problem. CISA thus recommended vendors work more closely with SMB customers, providing more upfront information and technical support to ensure SSO services can be implemented successfully.
Recommendations for SMBs and calls for more government support
SMBs should thoroughly assess their needs and limitations while planning for SSO adoption, taking into account the numbers of users, number of applications, security requirements and budget, CISA stated. Cloud-based solutions, which require less extensive infrastructure, were noted as potentially more affordable option for SMBs with restricted budgets.
CISA encouraged SMBs to evaluate and compare potential vendor choices based on features offered and compatibility with the organization’s current systems, and consider beginning with a pilot program involving a smaller number of users before attempting to roll out SSO across the entire organization. Adequate training of staff and continuous monitoring of the SSO system are also noted as key strategies for successful SSO adoption.
The document also encouraged support from government agencies and non-profit organizations toward aiding SMBs in adopting SSO and reaping its security benefits. Government agencies and non-profits can play a major role in educating businesses about the benefits and technical aspects of SSO adoption as well as provide support for selecting the right solution for a given business by publishing buyer’s guides.
Financial incentives, such as grants, can also be an effective way for governments to encourage SSO adoption by smaller businesses. Such financial incentives, along with other cost-saving measures like offering free consulting services, can take some of the financial burden off of SMBs and push them toward taking the step forward toward better security.