1. Info-Tech Research Group1 1 Info-Tech Research Group, Inc. Is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns. © 1997-2014 Info-Tech Research Group Inc. Use Multi-Factor Authentication to Save Costs and Secure Users There are no barriers to implementing MFA, no matter what your requirements are. Info-Tech's products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns.© 1997 - 2014 Info-Tech Research Group

2. Info-Tech Research Group2 2 This Research is Designed For:This Research Will Help You: This Research Will Assist:This Research Will Help You: This Research is Designed For:This Research Will Help You: This Research Will Assist:This Research Will Help You: Our Understanding of the Problem An information security officer who is dealing with the following: Compromised tools/stolen passwords. o E.g. Through phishing and/or employee negligence. Regulatory requirements for secure employee access to internal systems, e.g. remote access to PCI data. Identify your business need for MFA. Establish which MFA solutions are best for your organization’s needs. Develop a project charter and strategy to present your business case/project plan to stakeholders. An operations manager who is dealing with the following: Users with password fatigue (e.g. dealing with multiple different passwords for different systems/identities which leads to substandard practices, such as use of weak passwords). A higher than optimal number of calls to the help desk for password resets resulting in increased costs. Determine cost savings as a result of MFA implementation. Effectively communicate and train end users to ensure a successful implementation.

3. Info-Tech Research Group3 3 PostNord needs to protect the identity of approximately 8000 users in Scandinavia. Postal Service need for MFA represents organizations’ need to combine increased security and affordability Background: PostNord is the parent company of the group formed by the merger of Post Danmark A/S and Posten AB. Business Drivers: It is a large business, has a large IT infrastructure, and wants to maintain competitive advantage while also remaining secure. Problem: It serves customers all over the world, and its employees are logging in from multiple sites — at home and on the road. o This creates many potentially vulnerable access points, and the company is naturally concerned about ensuring secure authentication while also allowing users to authenticate smoothly from various locations. Opportunities: PostNord would like to find a solution that is secure and allows their users to log in while traveling, from home, etc. It would like to find a solution that is affordable for a significant amount of users. *Information reprinted with permission from SMS Passcode.

4. Info-Tech Research Group4 4 A large educational institute with 15,000 employees achieved an ROI of $149,586.11 by implementing an MFA solution. The total cost savings was $298,586.11, which came from two factors: Security Incident Reduction ($270,600.00) Help Desk Ticket Reduction ($27,986.11) The investment in MFA was $149,000.00, which came from two aspects as well: Technology ($80,000.00) Maintenance ($69,000.00) Multi-factor authentication is not only necessary to achieving increased security, it also saves you money Is one-factor enough for authentication in today’s landscape? No. In 2012, password theft increased by 300%.password theft The Online Trust Alliance (OTA) reported that in the first half of 2013, 500 data breaches occurred, and 89% were avoidable. From 2013’s incidents: o 31% were from insider threats or mistakes. o 21% were from loss of computers, etc. o 29% came from social engineering. o 76% were from weak or stolen account logins and passwords. Source: 2014 Data Protection & Breach Readiness Guide2014 Data Protection & Breach Readiness Guide Stronger authentication methods are a solution to these avoidable breaches. MFA means more user securityMFA means fewer wasted funds

5. Info-Tech Research Group5 5 Info-Tech Insight Resolution Situation ! Complication ? 1.MFA can apply to all organizations. There is no barrier to MFA — large and small organizations can find affordable solutions that are secure and easy-to-use. 2.It’s costing your organization more not to implement MFA. Think about how many password reset help desk tickets come in a day. This is an easy place to cut costs. 3.MFA doesn’t have to be a pain. You have choices. The selections on the market can satisfy your security needs and the needs of your users. Executive Summary Passwords as the sole authenticator introduce risk to an organization. o They’re not enough on their own. o They’re too easy to crack, sniff, and elicit. Passwords are subject to credential theft, and they create additional service desk work in managing forgotten passwords. Implementing more secure options through MFA can seem like a barrier to organizations, e.g. it can seem too expensive, end-users will despise having additional authenticators, etc. There is currently a lot of choice on the market and knowing the most effective solution for your organization’s specific use cases can seem overwhelming. Understand how MFA can save your organization money by streamlining authentication and reducing the amount of help desk tickets related to password resets. Choose a solution that works with your users instead of against them when you can. Select an MFA solution that uses devices that users are already familiar with, such as SMS texts to their mobile phones. Acknowledge that this process may take time — this is not rip and replace. You will need to get sign-off on the project, determine your requirements, choose the best option(s), and communicate your plan effectively to ensure a successful roll- out of MFA.

6. Info-Tech Research Group6 6 The value of MFA can be found beyond security Increased security against risks Increased operational efficiency Fewer password-related help desk tickets Minimized number of potential breaches through user credentials This blueprint applies to you whether you care about your overall operations or your security posture. Impact Value of implementing MFA Short term: Learning new processes can take a little time, but end users will adapt to the changes with the right solutions, and authentication will be streamlined. Long term: Efficiency will be more apparent with fewer help desk tickets, which subsequently means less end-user time wasted waiting for password resets, etc. You’ll also experience increased security overall in the long term thanks to the added authentication component. Impact Value of Info-Tech’s MFA blueprint Comprehensive project plan Selection process to simplify choosing the best MFA option for your organization Strategy around effective communication with stakeholders and end users Timeline to successfully roll out the project SMS Passcode 1 conducted a survey out of 274 clients and found the following results: 24% of clients saved over 50% and saw a reduction in costs by implementing MFA. Info-Tech Insight

7. Info-Tech Research Group7 7 Your requirements for MFA may differ, but the general drive is more security. MFA implementations can apply to every size of organization MFA is particularly applicable for the following industries: o Finance o Insurance o Health care o Public administration o Education services o Professional services o Scientific and technical services If your organization has any compliance requirements, specifically PCI-DSS, MFA is mandatory in order to achieve compliance. Examples from PCI-DSS v3.0:PCI-DSS v3.0 o “8.3 Incorporate two-factor authentication for remote network access…” o “Two-factor authentication from within the internal network can also be considered as a compensating control for non-console administrative access…” Small businesses are also candidates for MFA, regardless of their size and potential lack of compliance requirements. Small businesses often do not have robust security resources and therefore have more vulnerable access points. Small businesses may also partner with larger organizations in some capacity, and due to their weaker security posture, offer an easy channel for attackers to get to their main target. Trend MicroTrend Micro cited one of the top reasons that small businesses lose important data is failure to change passwords or use strong passwords — these are areas in which strong and multi-factor authentication can remediate. Info-Tech Insight

8. Info-Tech Research Group8 8 Section 0: Understand the Project Understand high level project rationale and goals. Section 1: Make the Case for MFA and Analyze Requirements Establish your business case for implementing MFA through determining your organization’s requirements and identifying cost savings with the MFA ROI Calculator. Section 2: Identify best fit MFA solutions Identify current and target states, perform a gap analysis, and explore MFA solution options that meet your requirements. Section 3: Implement MFA Collect cost savings information and gap analysis information into one central document (Project Charter) to bring to stakeholders. Review MFA Policy if applicable. Prepare to communicate strategically to stakeholders and end users. Info-Tech is ready to assist. Book a free guided implementation today! Book a Guided Implementation Today: Info-Tech is just a phone call away and can assist you with your project. Our expert Analysts can guide you to successful project completion. For most members, this service is available at no additional cost.* Here are the suggested Guided Implementation points in the MFA Implementation project: * Guided Implementations are included in most advisory membership seats.

9. Info-Tech Research Group9 9 During the Guided Implementation An Info-Tech Consulting Analyst will discuss with you: At the conclusion of the Guided Implementation call, you will have: Arrange a call now: Prior to the Guided Implementation Value & Outcome Ask an Info-Tech advisor to review your work and guide you at each milestone Review the deck at a high level. Have a rough idea of what you and your team wish to achieve with the Blueprint. What the direction of the Blueprint is in terms of subject matter. Whether it is an appropriate fit for your organization. What is included with the Blueprint (overall templates, etc.). A plan to start your MFA implementation project successfully. Another Guided Implementation (GI) call booked. A decision made on whether this project is the right fit for your organization’s needs, and whether you will move forward with GIs. Email GuidedImplementations@InfoTech.com or call 1-888-670-8889 and ask for the Guided Implementation Coordinator to book a Guided Implementation in your organization.GuidedImplementations@InfoTech.com

10. Info-Tech Research Group10Info-Tech Research Group10 Track your savings and increased security with metrics To understand the benefits of implementing multi-factor authentication and produce some hard numbers to bring to the business, prepare to record the following metrics: o Cut down on the number of incidents related to passwords through an additional layer of security with more authentication. o Cut help desk costs through better streamlined authentication, self-service options, etc. When you see this measuring tape throughout the blueprint, it is an indicator of where your metrics can become involved to benefit you. Support LevelCost per incident Vendor$471 Field Support (multi-site)$196 Level 3 IT (apps, networking, NOC, etc.)$85 Level 2: Desktop support$62 Level 1: Service desk$22 Average cost of help desk tickets Source: MetricNet Use the following formula to determine how much you could be saving: Volume of login tickets + Volume of password reset tickets x Cost per ticket = Your current spend on password-related issues/ What you could be saving

11. Info-Tech Research Group11Info-Tech Research Group11 Identify your baseline metrics Before beginning the blueprint, record your baseline metrics in the MFA Project Charter as this allows you to know what you’re starting with.MFA Project Charter The Project Charter will be your central document where most of your work will be recorded. Document the following for your baseline metrics: o Current volume of password related tickets (in the past year) o Current number of incidents related to password/credential breaches (in the past year) You will complete the metrics as you work through the blueprint and MFA ROI Calculator.MFA ROI Calculator Baseline metrics should be recorded within Section 5.1 of the MFA Project Charter.

12. Info-Tech Research Group12Info-Tech Research Group12 Info-Tech Research Group Helps IT Professionals To: Sign up for free trial membership to get practical solutions for your IT challenges www.infotech.com Quickly get up to speed with new technologies Make the right technology purchasing decisions – fast Deliver critical IT projects, on time and within budget Manage business expectations Justify IT spending and prove the value of IT Train IT staff and effectively manage an IT department “Info-Tech helps me to be proactive instead of reactive – a cardinal rule in a stable and leading edge IT environment. - ARCS Commercial Mortgage Co., LP Toll Free: 1-888-670-8889