A password on its own is not enough to protect a business account anymore. Length and complexity help against guessing, but they do nothing once the password has been stolen. If someone gets hold of it – through a phishing email, a data breach on another site, or by guessing it – they have full access to your email, your files, and everything connected to that account.
Multi-factor authentication (MFA) adds a second check. After entering your password, you confirm it is actually you by approving a notification on your phone, entering a code from an app, or using a fingerprint. Without that second step, a stolen password is useless.
This is not new technology. You already use it every time your bank sends you an OTP. MFA is the same idea applied to your business accounts.
Why MFA matters more than any other security measure
According to Microsoft, enabling MFA blocks more than 99.9% of automated account compromise attacks. That is not a marketing claim. It is based on sign-in data from billions of login attempts across their platform.
The reason is straightforward. Most attacks against business accounts are not sophisticated hacking operations. They are bulk credential attacks (“credential stuffing”) – automated tools that try username and password pairs leaked in data breaches against thousands of accounts at once. If your password for LinkedIn was leaked (and data breaches happen constantly), and you use the same password for your business email, your account is vulnerable.
MFA breaks this because even if an attacker has your password, they do not have your phone. The second factor stops them.
We see the consequences of not having MFA in our support work. A compromised business email account is not just an inconvenience. It means:
- Someone can read every email in your inbox, including client communications and financial information
- They can send emails as you, including fake invoices to your clients
- They can reset passwords for other services connected to that email
- They can access shared files, OneDrive, SharePoint, and Teams
- Under POPIA, if personal data is exposed, you may need to notify the Information Regulator
All of this from a single compromised password. MFA prevents it.
The most common objections (and why they do not hold up)
We hear these regularly from businesses that have not enabled MFA yet.
“It is annoying and slows people down.” Modern MFA is not the clunky SMS code system it used to be. With the Microsoft Authenticator app, you tap “Approve” on a notification and type in the two-digit number shown on the sign-in screen. It takes a few seconds. Most people do it without thinking after the first week. You can also configure it so trusted devices do not prompt every single time. The one rule to teach alongside it: never approve a prompt you did not trigger yourself. The number-matching step exists precisely so an attacker who has your password cannot get in by sending prompts until someone taps Approve by mistake.
“My team will not be able to handle it.” If your team can unlock a phone with a fingerprint or enter a banking OTP, they can handle MFA. The setup takes five minutes per person. The daily experience adds a few seconds to signing in.
“We are too small to be a target.” Small businesses are targeted specifically because they tend to have weaker security. Automated attacks do not know or care how big your company is. They try every email address they find in a data breach. Being small does not make you invisible – it makes you easier.
“We already have good passwords.” Good passwords help, but they are not enough on their own. Passwords get leaked in data breaches at other companies. They get captured by phishing emails. They get guessed by software that can try millions of combinations. MFA is the safety net for when passwords fail, and passwords will eventually fail.
How to enable MFA on Microsoft 365
Most Cape Town businesses we work with use Microsoft 365. Here is how to turn on MFA.
If you are the Microsoft 365 admin:
- Sign in to the Microsoft 365 admin centre (admin.microsoft.com)
- Go to Users, then Active users
- Select Multi-factor authentication (in the toolbar or under “More”)
- Select the users you want to enable MFA for (start with admin accounts, then expand to everyone)
- Click Enable
Each user will be prompted to set up their second factor the next time they sign in. They will need the Microsoft Authenticator app on their phone (free on iOS and Android).
One caveat: that button opens Microsoft's legacy per-user MFA page. It still works, but Microsoft's current recommendation is to enforce MFA for the whole tenant instead, either by turning on security defaults (free on every tenant, under Identity, Overview, Properties in the Microsoft Entra admin centre at entra.microsoft.com) or, if you have Entra ID P1 (included in Microsoft 365 Business Premium), with a Conditional Access policy that requires MFA for all users. Both cover new accounts automatically, so nobody is missed when staff join.
If you are not sure who your admin is: This is more common than you might expect. If your business set up Microsoft 365 a while ago and nobody remembers the admin credentials, you have a problem that goes beyond MFA. Your IT provider should be able to help recover admin access, but it highlights why having managed IT matters – you should always know who controls your business accounts.
What to enable MFA on first (priority order):
- Admin accounts – these have the highest access level and are the most valuable target
- Email accounts for anyone who handles finances – accounts payable, directors, bookkeepers
- All remaining staff accounts
- Any service accounts that must sign in interactively. Shared mailboxes should have sign-in blocked entirely (that is the default when they are created); check that nobody has switched it back on rather than adding MFA to them.
Do not leave admin accounts for last. If an attacker compromises an admin account, they can disable MFA for everyone else.
Beyond the basics: MFA done properly
Turning MFA on is the critical first step. But there are a few things that separate a quick setup from a properly managed one.
Use the Authenticator app, not SMS
SMS codes are better than nothing, but they can be intercepted through SIM swapping, which is a real problem in South Africa. The Authenticator app generates codes on your device and does not rely on your mobile network. Push notifications from the app are the most convenient option – one tap to approve. For admin accounts it is worth going one step further to a phishing-resistant method: a FIDO2 security key, a passkey, or Windows Hello for Business. These are bound to the real sign-in page, so a fake site cannot relay them.
Set up backup methods
What happens when someone loses their phone, gets a new phone, or their battery is dead? If MFA is the only way in and there is no backup, that person is locked out of their account. Set up a secondary method and make sure there is a recovery process documented. A backup phone number is the usual choice, but it reopens the SIM-swap path, so for admin and finance accounts prefer a second Authenticator device or a security key. For admin access, keep one documented emergency-access account with a long password stored offline, so a lost phone cannot lock the business out of its own tenant.
Do not exempt anyone
The director who says “I do not want to deal with this” is usually the person with the most access to sensitive information. MFA needs to cover everyone, especially senior staff and anyone with admin access.
Review regularly
People leave the business. Devices get replaced. Phone numbers change. Someone needs to check periodically that MFA is still active on every account, that the registered methods are current, and that nobody has quietly fallen back to SMS only. This is part of what managed IT support includes – we check this as part of routine account maintenance.
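Whichever way MFA was turned on (the per-user page, security defaults or Conditional Access), the thing to verify afterwards, and again at each review, is who has actually registered a second factor and of what kind. The script below is an added example, not part of the original article and not a Microsoft tool. It uses the Microsoft Graph PowerShell SDK (the Microsoft.Graph.Reports module) and assumes the signed-in admin can consent to the two read-only permissions it requests. The method name strings in the $strong list are taken from Microsoft's documentation of the registration report and are an assumption; anything not on that list, such as a phone number, is treated as weak. The findings follow the article's own priority order: admins without MFA first, then anyone without MFA, then anyone relying on a phone number alone.

```powershell
# Added example (not from the original article): audit MFA registration across a
# Microsoft 365 tenant. Assumes: Install-Module Microsoft.Graph.Reports (which pulls
# in Microsoft.Graph.Authentication) and an admin who can consent to these scopes.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# One record per user from the registration report: the methods they have
# registered, whether MFA is set up, and whether the account holds an admin role.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Methods that do not depend on the mobile network, so a SIM swap cannot intercept them.
# (Method name strings as returned by the Graph report; assumed from Microsoft's docs.)
$strong = @(
    'microsoftAuthenticatorPush', 'microsoftAuthenticatorPasswordless',
    'softwareOneTimePasscode', 'fido2SecurityKey', 'passKeyDeviceBound',
    'windowsHelloForBusiness'
)

$report = foreach ($d in $details) {
    $methods   = @($d.MethodsRegistered)
    $hasStrong = @($methods | Where-Object { $strong -contains $_ }).Count -gt 0

    # Same priority order as the article: an admin with no MFA is the worst case,
    # then anyone with no MFA, then anyone whose only second factor is a phone number.
    $finding = if ($d.IsAdmin -and -not $d.IsMfaRegistered) { 'CRITICAL: admin without MFA' }
               elseif (-not $d.IsMfaRegistered)             { 'No MFA registered' }
               elseif (-not $hasStrong)                      { 'Phone-only MFA (SIM-swap risk)' }
               else                                          { 'OK' }

    [pscustomobject]@{
        User     = $d.UserPrincipalName
        IsAdmin  = $d.IsAdmin
        MfaSetUp = $d.IsMfaRegistered
        Default  = $d.DefaultMfaMethod
        Methods  = ($methods -join ', ')
        Finding  = $finding
    }
}

# Admins first, then accounts with no MFA, on screen; plus a dated CSV to keep
# with the records of each periodic review.
$report |
    Sort-Object @{ Expression = 'IsAdmin'; Descending = $true }, @{ Expression = 'MfaSetUp' } |
    Format-Table User, IsAdmin, MfaSetUp, Default, Methods, Finding -AutoSize
$report | Export-Csv -Path ".\mfa-audit-$(Get-Date -Format 'yyyy-MM-dd').csv" -NoTypeInformation
```

Run it once right after enabling MFA (expect every admin row to read OK before you move on to the rest of the staff) and then on whatever schedule your account maintenance follows; comparing the dated CSV files shows who has dropped a method or fallen back to SMS since the last check.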
What MFA does not protect against
MFA is powerful, but it is not a complete security solution on its own. It is important to be honest about what it does and does not cover.
MFA does not protect against:
- Malware already on your device (if your computer is compromised, the attacker can steal the session token or cookie that your successful sign-in produced and use it without ever seeing a prompt)
- Phishing attacks that relay your credentials AND your MFA code or approval to the real site in real time, so-called adversary-in-the-middle phishing (ready-made kits for this exist; app codes and push approvals do not stop them, only phishing-resistant methods such as FIDO2 security keys or passkeys bound to the genuine site do)
- Insider threats (someone with legitimate access misusing it)
- Weak security on other systems that do not use MFA
MFA is one layer in a security approach that should also include endpoint protection, email filtering, and monitoring. It is the most impactful single thing you can enable, but it works best alongside other measures.
Not sure where your business security stands?
If you are not certain whether MFA is enabled across your accounts, or if your Microsoft 365 setup has gaps you have not spotted, we can check. A quick review of your security settings takes minutes and often reveals things that need attention.
Talk to us about your security setup
Or get in touch directly:
Call: 087 820 5005 WhatsApp: 081 526 1626
Already managing your own MFA? Make sure your email domain is protected too. Check your email authentication with BEACON – from R150 per month.