If you could implement one security measure today that would block the vast majority of account takeover attacks, you’d do it. It takes about five minutes per account to set up, costs nothing for most business tools, and doesn’t require any technical expertise.
That measure is multi-factor authentication (MFA). And most small businesses still haven’t enabled it.
What Multi-Factor Authentication Is
When you log into an account, you currently prove your identity with one thing: your password. Multi-factor authentication adds a second layer — something you have (your phone, a hardware key) or something you are (a fingerprint, a face scan) — alongside something you know (your password).
The most common form for small businesses is an authentication app on your smartphone. When you log in with your password, the app generates a six-digit code that you also enter. The code changes every 30 seconds and is tied to your specific device.
The practical consequence: even if an attacker has your password, they cannot access your account without also having your phone.
Why This Matters So Much
Microsoft analysed billions of account compromise attacks across their services and found that MFA blocks 99.9% of automated account attacks. Not most. Not the majority. 99.9%.
This is because the overwhelming majority of account takeovers are opportunistic and automated. An attacker obtains a list of email addresses and leaked passwords (available cheaply on criminal marketplaces following any of the thousands of data breaches in recent years), then runs automated software against every account trying each combination. No human attention, no targeted effort — just automation at scale.
MFA stops these attacks entirely. The software has the password but can’t get past the second factor. The attacker moves on to an easier target.
What Accounts You Should Protect With MFA
Priority one is anything that gives access to financial systems, sensitive data, or other accounts:
- Email — particularly critical, because your email can be used to reset every other password
- Banking and financial platforms
- Accounting software (Xero, QuickBooks, Sage)
- Cloud storage (Google Drive, Dropbox, OneDrive)
- Business management software (CRM, ERP, any system with customer data)
- Social media and website administration accounts
- Domain registrar and hosting accounts
- VPN and remote access tools
If an attacker gains access to your email account, they effectively have a master key to your business. Reset password links for everything else go to your inbox.
The Cyber Insurance Factor
This is becoming increasingly relevant for small businesses: most cyber insurance policies now require MFA for coverage to apply.
If you suffer a breach-related loss and your accounts were not protected by MFA, your insurer may decline to pay out on the basis that you failed to implement a basic and widely available control. Check your policy.
Common Objections — and Why They Don’t Hold Up
“It’s inconvenient.” You’ll enter a six-digit code when logging in on a new device or after a period of inactivity. On accounts you use daily on the same device, most authentication apps allow you to trust that device, meaning you’re not entering a code constantly. The inconvenience is real but minimal. The protection is substantial.
“My staff won’t do it.” This is a management decision, not a technical one. If access to business systems requires MFA, staff comply. The alternative — a compromise that disrupts the whole business — is significantly more inconvenient.
“It won’t help if someone has physical access to my phone.” Correct. But the threat model for most small businesses is not someone physically possessing your device — it’s automated credential stuffing, phishing, and remote attacks. MFA addresses those comprehensively.
SMS vs Authenticator Apps
A note on method: some services offer MFA via SMS (a text message to your phone). This is significantly better than nothing, but less secure than an authenticator app, because SMS codes can be diverted to an attacker through a technique called SIM swapping, in which the attacker persuades your mobile carrier to move your phone number onto a SIM they control. For email and financial accounts, use an authenticator app — Microsoft Authenticator and Google Authenticator are both free and straightforward.
Where W3IT Fits In
MFA configuration is part of the practical guidance W3IT provides to small businesses. We check which accounts are protected, which aren’t, and help you develop a clear policy for your team. We also ensure the right authentication methods are in place for the level of risk associated with each account.
It’s a small step that makes a significant difference. If you’re not sure which accounts currently have MFA enabled, that’s one of the first things our security review covers.