Organizational Change Management during Large-Scale MFA Implementation
SITUATION & BUSINESS CHALLENGE
A major U.S. airline faced an urgent need to implement stronger security for its email and critical internal applications following a series of phishing and password attacks against corporate workers’ email accounts.
Airline leadership wasted no time in deciding to implement multi-factor authentication (MFA) for the majority of its corporate workforce. MFA creates a layered defense of two or more independent credentials: what you know (password), what you have (security token), and who you are (biometric verification). Implementing MFA would also address an emerging requirement from several business partners to use multiple credentials when accessing their resources.
The airline’s Information Technology Services (ITS) group was tasked with selecting the best MFA vendor solution for its large, dispersed organization and with ensuring no more breaches occurred before its implementation. ITS turned to AIM Consulting to spearhead the project, based on AIM’s long history as a trusted consulting partner to the airline.
An AIM senior consultant, who specializes in infrastructure program leadership and organizational change management, quickly assessed the airline’s security technology infrastructure and derived a basic temporary solution to block the most common hacking attempts: workers who called the service desk to change their passwords were required to answer a series of questions to verify their identity. Emails were also sent out to educate the workforce on the dangers and consequences of phishing and password attacks.
Next, AIM worked in conjunction with stakeholders from ITS, engineering, communications and training teams to implement the required MFA solution. The solution approach included:
Vendor Selection — AIM created scoresheets comparing MFA solutions from several market leaders. AIM drove proof-of-concept demos from potential vendors and led internal teams to score each vendor across 10 areas including ease of implementation, patching and upgrading, and end-user experience. Executive leadership soon signed off on the highest-ranked solution.
Alpha Tests — Small production-environment rollouts involving nearly two dozen users from human resources, finance, e-commerce, and other internal groups were performed for initial testing and feedback.
First Beta — Around 60 more people from these groups provided additional feedback as they were enrolled. Simultaneously, AIM communicated the importance and timing of the MFA rollout to the rest of the workforce through email, SharePoint sites, the airline’s internal website, and printed posters.
Second Beta — Forty additional workers from IT and other groups were then enrolled to generate more specific feedback and further hone the documentation and training materials for the mass rollout.
End User Deployment — Around 5,000 employees, including executives, back-office personnel, home reservations agents, and maintenance workers, were enrolled into MFA in several phases. For the majority of end users who worked on the airline’s corporate campus, rollouts were performed building by building, both for visibility and so that field services staff could be on location to support the rollouts.
AIM sent emails to every deployment group two weeks, one week, 48 hours, and 24 hours before their mandatory enrollment date; the emails included a meeting invite to ensure their participation. The communications included a reminder of the importance of MFA, the location of training documentation, and a link for registering a second-factor device. Each user registered a second device on the vendor’s website, and on the enrollment date the user was prompted to add the second factor. The vast majority of end users enrolled with no difficulty.
AIM’s implementation of the interim password solution and MFA has resulted in zero breaches of email or other critical business assets. The vast majority of corporate office personnel are enrolled, and more diverse employee groups including pilots and flight attendants are next in line.
The smooth rollout was made possible with knowledgeable and effective organizational change management practices from AIM’s senior consultant. Senior managers and executives are elated with the project, and AIM continues to lead the rest of the MFA rollout.