MFA everywhere: the single highest-leverage control
Most small-business breaches start with one stolen password. Multi-factor authentication is the cheapest, highest-impact fix you can make — if you put it in the right places and do it right.
If you only fix one thing this quarter, fix this. The most common root cause of a small-business breach is a single password — reused across sites, phished, or simply guessed — protecting an account with nothing behind it. Multi-factor authentication (MFA) adds a second proof of identity, so a stolen password alone isn't enough to get in.
Why a password isn't enough anymore
Passwords leak constantly. Infostealer malware scrapes saved logins off infected machines, phishing pages capture them in real time, and old breaches dump billions of username/password pairs that attackers replay against every service they can find. Because people reuse passwords, one leak from a hobby site can open your business email. MFA breaks that chain: even with the right password, the attacker can't produce your second factor.
Enabling MFA on your email and admin accounts blocks the overwhelming majority of automated account-takeover attempts. Few controls give you that much protection for that little effort.
Where to put it first
You don't have to do everything at once. Protect the accounts that cause the most damage if taken over, in roughly this order:
- Email — it's the master key. Whoever controls your inbox can reset every other password.
- Administrator accounts — Microsoft 365/Google Workspace admin, your IT or MSP's access, anything that can change settings for everyone.
- Remote access — VPN, remote desktop, and any tool that reaches inside your network from outside.
- Finance and banking — online banking, payroll, and payment systems.
- Everything else — your other SaaS apps, ideally via single sign-on so MFA is enforced once.
Not all MFA is equal
Avoid SMS where it matters most
Text-message codes are better than nothing, but they have two weaknesses. The code can be stolen by SIM-swapping your phone number, and, like any code you type into a page, it can be relayed by a phishing site that proxies the real login in real time (authenticator-app codes share that second weakness). For your most sensitive accounts, use an authenticator app at minimum, prefer a phishing-resistant method, and, where the service allows it, remove SMS as a fallback option so it can't be used to bypass the stronger factor.
Phishing-resistant is the gold standard
Passkeys and hardware security keys (FIDO2/WebAuthn) can't be handed to a fake login page: the browser ties each login response to the exact website address that requested it, so a lookalike domain produces a response the real service rejects. For admins and high-value accounts, they're worth the small extra effort.
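To show what "tied to the real website" means in practice, here is an added example (not code from the original article, and not from any product it mentions) that models the checks a login server performs on a WebAuthn assertion using only Python's standard library. The domain names, the challenge and the sample assertions are constructed for the demonstration; a real server would finish by checking the authenticator's signature over the returned bytes with the public key saved at registration, which is omitted here because the standard library has no asymmetric cryptography.

```python
"""Model of the relying-party (server) side of a passkey/FIDO2 login.

Added illustration, not from the original article. All names and
origins are assumptions: the real site is taken to be
https://mail.example.com and a lookalike phishing site
https://mail-example.co.
"""
import base64
import hashlib
import json

RP_ID = "mail.example.com"                 # assumed real domain
EXPECTED_ORIGIN = "https://mail.example.com"


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_assertion(origin: str, challenge: bytes, rp_id: str) -> dict:
    """What the browser and authenticator hand back for a login request.

    The browser writes the 'origin' field from the page that made the
    request; a phishing page cannot change it. The authenticator then
    signs authenticatorData || SHA-256(clientDataJSON).
    """
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,
    }).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()   # 32 bytes
    flags = b"\x01"                                         # bit 0: user present
    counter = (1).to_bytes(4, "big")                        # signature counter
    return {
        "clientDataJSON": client_data,
        "authenticatorData": rp_id_hash + flags + counter,
    }


def verify_assertion(assertion: dict, expected_challenge: bytes,
                     expected_origin: str = EXPECTED_ORIGIN,
                     rp_id: str = RP_ID):
    """Run the checks that bind a login to the real site.

    Returns (ok, reason, signed_message). signed_message is what the
    server would verify the authenticator's signature over; that final
    signature check is not performed here.
    """
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type", None
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay of an old login)", None
    if cd.get("origin") != expected_origin:
        # A lookalike site's browser fills in ITS origin, so this fails.
        return False, f"origin mismatch: {cd.get('origin')!r}", None
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch", None
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set", None
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    return True, "ok", signed


if __name__ == "__main__":
    challenge = b"\x01" * 32   # a server would use fresh random bytes
    real = build_assertion("https://mail.example.com", challenge, "mail.example.com")
    print("real site:", verify_assertion(real, challenge)[:2])
    phish = build_assertion("https://mail-example.co", challenge, "mail-example.co")
    print("lookalike:", verify_assertion(phish, challenge)[:2])
    print("replayed: ", verify_assertion(real, b"\x02" * 32)[:2])
```

The phishing case fails at the origin check even though the attacker relayed the server's genuine challenge, and because the origin is inside the data the authenticator signs, the attacker cannot edit it afterwards without invalidating the signature. That is the property SMS and app codes lack.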
Beware MFA fatigue
Attackers who already have a valid password will spam push-approval prompts, sometimes at 3 a.m., hoping someone taps "approve" to make it stop. Turn on number-matching prompts (the app asks for a number shown on the login screen, which the victim of a spam prompt doesn't have), alert on bursts of denied or unanswered prompts, and train staff that an unexpected prompt means "deny and report," not "approve."
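As an added example (not from the original article, and not tied to any particular MFA product), the following Python script shows the kind of alert rule an IT team or MSP can run over MFA push logs to catch a prompt-bombing burst. The log format is a simplified one constructed for the example, with one line per prompt giving timestamp, user, method and result; real providers use their own field names, and the window and threshold are assumptions to tune.

```python
"""Flag MFA push-bombing (prompt fatigue) bursts in authentication logs.

Added illustration, not from the original article. Log format, users,
window size and threshold are all assumptions made for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, method, result.
# "timeout" = prompt ignored, "rejected" = user tapped deny.
SAMPLE_LOG = """\
2024-05-01T08:00:02Z alice push timeout
2024-05-01T08:00:40Z alice push timeout
2024-05-01T08:01:15Z alice push rejected
2024-05-01T08:01:50Z alice push timeout
2024-05-01T08:02:20Z alice push rejected
2024-05-01T08:03:05Z alice push approved
2024-05-01T08:10:00Z bob push approved
2024-05-01T09:30:00Z bob push timeout
2024-05-01T12:00:00Z bob push approved
"""

WINDOW = timedelta(minutes=10)   # assumed: prompts within 10 minutes count as one burst
THRESHOLD = 3                    # assumed: 3 ignored/denied prompts triggers an alert


def parse(line: str):
    ts, user, _method, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result


def find_push_bombing(log_text: str, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per burst of ignored/denied prompts.

    A burst that ends with an approval is marked severity 'high': that is
    the pattern of a user giving in to the spam.
    """
    recent = defaultdict(deque)   # user -> timestamps of ignored/denied prompts
    open_alert = {}               # user -> alert dict for a burst still in progress
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result = parse(line)
        q = recent[user]
        while q and ts - q[0] > window:      # age out prompts older than the window
            q.popleft()
        if not q:
            open_alert.pop(user, None)        # previous burst has expired
        if result in ("timeout", "rejected"):
            q.append(ts)
            if len(q) >= threshold:
                alert = open_alert.get(user)
                if alert is None:
                    alert = {"user": user, "start": q[0], "prompts": 0,
                             "approved_after": False, "severity": "medium"}
                    open_alert[user] = alert
                    alerts.append(alert)
                alert["prompts"] = len(q)
        elif result == "approved" and user in open_alert:
            alert = open_alert[user]
            alert["approved_after"] = True
            alert["severity"] = "high"
    return alerts


if __name__ == "__main__":
    for a in find_push_bombing(SAMPLE_LOG):
        print(f"{a['severity'].upper()}: {a['user']} got {a['prompts']} ignored/denied "
              f"prompts from {a['start']:%H:%M:%S}; approved afterwards: {a['approved_after']}")
```

On the sample data alice is flagged (five ignored or denied prompts in under three minutes, then an approval), while bob's single timeout hours apart from his approvals is not. A "high" alert should be treated as a probable compromise: reset the password, revoke sessions and ask the user what they approved.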
Turn on MFA for email, admin, remote access, and finance first — using an authenticator app or hardware key, not SMS, for the accounts that matter. It's the highest return on security effort available to a small business.
Make sure one stolen password isn't enough
Securidigm assesses where MFA and access controls are missing across your business and hands your IT team or MSP a prioritized plan to fix them.
Securidigm provides advisory cybersecurity services and prepares draft documents. It does not provide an audit, a certification, or legal advice. This article is general information, not advice for your situation, and no outcome is guaranteed.