If your business doesn't have MFA enforced across every account, you are one compromised password away from a very bad week. Here's what the baseline actually looks like.

Over 80% of successful cyberattacks involve compromised credentials. Passwords get phished. Passwords get reused. Passwords get sold on forums for $4 a pop.
Multi-factor authentication doesn't prevent every attack. SMS codes and push prompts can still be defeated by adversary-in-the-middle phishing pages that relay the code, and by push fatigue, where an attacker holding the password sends prompts until someone taps "approve"; phishing-resistant methods (FIDO2 security keys, passkeys) close those gaps. Even in its weaker forms, though, MFA eliminates the vast majority of credential-based attacks with minimal user friction when deployed correctly.
And yet, we walk into SMB environments every week where MFA isn't enforced — or worse, is turned on but not required.
There's a meaningful difference between "MFA is available" and "MFA is enforced."
Available means users can opt in. Most won't.
Enforced means users cannot access systems without completing MFA. No exceptions. No bypass for the CEO because it's inconvenient. No grace period that never ends. No legacy protocol (IMAP, POP, SMTP basic auth) left open because one old device still uses it. The one legitimate carve-out is a documented break-glass account: a long random password in a sealed store, no routine use, and an alert on every sign-in.
Enforced is the only version that matters.
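The "available" versus "enforced" distinction is something you can measure rather than argue about: if any account has successfully signed in without completing a second factor, MFA is not enforced for that account, whatever the admin console says. The audit below is an added example, not code from the original post or from any particular identity provider. It classifies each user from two constructed inputs, a registration table and a list of sign-in records, whose field names are assumptions that loosely mirror what a sign-in log exports; map them to your own provider's export before use.

```python
"""Classify users as ENFORCED / AVAILABLE_NOT_ENFORCED / NOT_REGISTERED
from sign-in records. Added example; field names and sample data are
constructed, not taken from a real tenant or a specific vendor's schema."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    user: str
    app: str
    succeeded: bool       # did the sign-in result in a session?
    mfa_completed: bool   # True only if a second factor was actually satisfied


# Constructed sample data (assumed shape; not real accounts).
REGISTERED_MFA = {
    "alice@example.com": True,   # registered, always challenged
    "bob@example.com": True,     # registered, but one app never asks
    "ceo@example.com": False,    # exempted "for convenience", never registered
}

SAMPLE_SIGNINS = [
    SignIn("alice@example.com", "Mail", True, True),
    SignIn("alice@example.com", "Files", True, True),
    SignIn("bob@example.com", "Mail", True, True),
    SignIn("bob@example.com", "LegacyIMAP", True, False),  # basic auth: MFA available, not enforced
    SignIn("ceo@example.com", "Mail", True, False),        # single-factor success
    SignIn("ceo@example.com", "Files", False, False),      # failed attempt: not evidence either way
]


def classify_users(signins, registered):
    """Return {user: (status, [apps reached without MFA])}.

    A successful sign-in with mfa_completed=False is the decisive signal:
    policy let the session through on a password alone. Registration is
    necessary but not sufficient; a registered user can still be reached
    single-factor through an app or protocol the policy does not cover.
    """
    successes = defaultdict(list)
    for s in signins:
        if s.succeeded:                      # failures prove nothing about enforcement
            successes[s.user].append(s)

    result = {}
    for user in sorted(set(registered) | set(successes)):
        unenforced_apps = sorted({s.app for s in successes.get(user, [])
                                  if not s.mfa_completed})
        if not registered.get(user, False):
            status = "NOT_REGISTERED"        # worst case: no second factor exists at all
        elif not successes.get(user):
            status = "NO_SIGN_INS"           # registered but unobserved; cannot confirm enforcement
        elif unenforced_apps:
            status = "AVAILABLE_NOT_ENFORCED"
        else:
            status = "ENFORCED"
        result[user] = (status, unenforced_apps)
    return result


def is_fully_enforced(signins, registered):
    """True only when every observed user is ENFORCED; unobserved users count as a gap."""
    return all(status == "ENFORCED"
               for status, _ in classify_users(signins, registered).values())


if __name__ == "__main__":
    for user, (status, apps) in classify_users(SAMPLE_SIGNINS, REGISTERED_MFA).items():
        print(f"{user:<20} {status:<24} {', '.join(apps) if apps else '-'}")
    print("Fully enforced:", is_fully_enforced(SAMPLE_SIGNINS, REGISTERED_MFA))
```

Run this against a full export, not a sample: the "LegacyIMAP" case is exactly the one an admin console hides, because the console reports the user as MFA-registered while a basic-auth protocol still accepts the bare password.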
This is the floor. Not the ceiling. The floor.
If you can check every box on that list, you're in better shape than most SMBs we encounter. If you can't, the gaps are priorities — not nice-to-haves.
"Our employees will complain." They will. For about a week. Then it becomes normal. The complaints from a breach are considerably worse.
"We're too small to be a target." You're not a target because of your size. You're a target because of your vulnerability. Small businesses are frequently easier to breach than enterprises — that's the actual targeting logic.
"We have antivirus." Antivirus is one layer. It doesn't stop a user from entering their credentials into a convincing phishing page, and it never sees the attacker who then signs in with those credentials from their own machine.
The baseline exists for a reason. Start there.