The Case For Federal Regulations In Cybersecurity: Requiring Passwords And Multifactor Authentication (MFA)
CIO/CTO of RHR International. Adjunct professor at DePaul University, board member, trusted advisor and speaker.
As our world continues to move entirely online, the need for thoughtful cybersecurity has never been more urgent. Almost every aspect of modern life, from social activity and business to healthcare and banking, depends on the internet.
With these new abilities and conveniences comes cybercrime. Cyberattacks are becoming more frequent and sophisticated, and companies and individuals are increasingly vulnerable to hacking, breaches and identity and data theft.
Even though cybersecurity is a hugely complex and evolving field, one thing is absolutely clear—basic protections such as strong passwords with multifactor authentication (MFA) are essential. To ensure minimum security across the digital landscape, the federal government must create regulations that mandate these basic measures for all companies with a web presence.
The Growing Threat Of Cybercrime
The rise in cybercrime is staggering. Global cybercrime costs are expected to hit $10.5 trillion annually by 2025, up from $3 trillion in 2015. This includes everything from stolen money and intellectual property to recovery after a data breach. The Federal Bureau of Investigation (FBI) reported a record number of cybercrime complaints in 2022, with losses totaling over $10 billion in the U.S. alone.
Businesses, regardless of size, are prime targets for hackers. With 43% of cyberattacks aimed at small businesses, small and medium-sized businesses (SMBs) are the most vulnerable because of their limited cybersecurity expertise and investment.
The consequences of cyberattacks are pretty dire—not only can they cripple a business financially, but they also erode trust with customers. Repeated breaches lead to lost customers, lawsuits and reputational damage. For large corporations, the fallout from a data breach can include multi-million-dollar fines, as seen in cases like the Equifax data breach, which resulted in an over $500 million settlement in 2019.
Why Federal Regulations Are Necessary
The cybersecurity landscape is fragmented. Some businesses invest heavily in protection, and others do the bare minimum. This disparity creates a situation where vulnerabilities in one company are exploited to gain access to more extensive networks and impact entire supply chains. For example, the infamous Target data breach in 2013, which exposed the credit card information of over 40 million customers, allegedly originated from a small HVAC subcontractor with poor security practices.
Despite this, many businesses still don’t enforce even the most basic security measures like strong passwords with MFA. A 2021 survey by LastPass found that only 57% of businesses used MFA for employees. Frankly, this is terrifying, considering how effective MFA is. According to Microsoft, enabling MFA can block 99.9% of attacks on your accounts.
The Complexity Of Cybersecurity Regulations
Do not underestimate just how complex cybersecurity is. Cyber threats constantly change, and no one-size-fits-all solution will protect against every possible attack. There is no such thing as perfect security. Businesses operate in various industries with different levels of exposure and risk. For example, a local bakery with an online ordering system has cybersecurity needs that are different from those of a financial institution with sensitive personal data.
While more advanced cybersecurity practices may vary by industry, certain foundational protections—such as strong passwords with MFA—should be required universally. Passwords, while imperfect, are the first line of defense against unauthorized access. Poor password hygiene, such as using weak or reused passwords, is ubiquitous and is responsible for 81% of hacking-related data breaches.
Multifactor authentication enhances security by requiring users to present two or more verification factors. These factors typically encompass something the user knows (such as a password), something they possess (like a smartphone) or something inherent to them (like a fingerprint). Implementing MFA allows businesses to significantly reduce the risk of unauthorized access for themselves, their users and their customers, even if passwords are stolen.
The Benefits Of Federal Cybersecurity Regulations
Protecting Consumers And Businesses
Enabling MFA would help protect both consumers and businesses from the financial and emotional toll of hacking. Companies that pair passwords with MFA reduce their risk of compromise. This means greater peace of mind for consumers when engaging with businesses, and fewer costly breaches and lawsuits.
The Ponemon Institute and IBM reported that the average cost of a data breach in 2024 is $4.88 million per incident. Enabling MFA would dramatically reduce these incidents.
Leveling The Playing Field
Federal regulations would ensure that all businesses adopt essential security measures. This would level the playing field by ensuring that all companies, regardless of size, protect their customers. It would also reduce the incentive for hackers to target small, unprotected businesses as an entry point to larger companies.
Encouraging Innovation
Setting minimum security standards would also spur innovation in cybersecurity. When businesses are required to meet security benchmarks, they are more likely to invest in cybersecurity R&D, which could lead to better technologies that protect against emerging threats.
Global Competitiveness
With the rise in international cybercrime, U.S. businesses must be prepared to compete in a global economy that increasingly values data privacy and security. The European Union’s General Data Protection Regulation (GDPR) has already set a high standard for data protection. If the U.S. doesn’t implement similar federal regulations, American companies may fall behind in global markets that prioritize cybersecurity.
Enhancing Security With MFA: Your Digital Seatbelt
Using MFA is like wearing a seatbelt—it adds an extra layer of protection. Just as a seatbelt can save you in an accident, MFA safeguards your account even if your password is stolen.
Both also benefit everyone else. Seatbelts reduce the strain on families and emergency services, and MFA helps prevent hacking, protecting not only you but also co-workers, clients and families.
Best of all, enabling MFA is usually free for both individuals and businesses.
Building A More Secure Digital Future
We can no longer afford to leave cybersecurity to chance. Specific baseline measures—like strong passwords with MFA—should be required of all companies. Federal regulations mandating these protections would create a safer online environment, protecting both consumers and businesses from the devastating effects of cyberattacks.