
The #1 Security Fix SMBs Are Overlooking: Multifactor Authentication

Small and midsize businesses (SMBs) are concerned about data breaches (58%) and supply chain attacks (36%), according to ISOutsource’s latest 2025 IT Trends Report. Yet only 37% of SMBs have implemented multifactor authentication (MFA) across their systems.

Considering that our IT Trends Report also found that 48% of SMBs experienced a security threat in the past year, the majority are leaving a highly effective protection on the table.

Why? And how can your company get set up correctly with this vital protection?

SMBs Need to Catch Up With Basic Protections

Only 21% of SMBs have a formal incident response plan, which makes password-based attacks even more dangerous: without a plan, a compromised account is discovered late and handled ad hoc. Implementing an incident response plan is a crucial and basic part of good cybersecurity. If you’ve already addressed this, MFA is a great next step.

MFA is one of the simplest and most effective ways to blunt phishing and credential theft: a stolen or guessed password alone is no longer enough to sign in. How it works:

MFA adds a layer of protection on top of passwords by requiring users to prove their identity a second way after entering their credentials to gain access to company systems. Options for this second factor include:

  • Using biometrics, like a user’s face or fingerprint (for example, with Windows Hello).
  • Approving a push notification or entering a one-time code from an authenticator app.
  • Retrieving codes from system-generated SMS or email messages (the weakest of these options; see the configuration pitfalls below).
  • Inserting a smart card into a reader attached to the user’s computer.

Even with these choices, many SMBs aren’t using MFA, or they have implemented it in a way that doesn’t fully protect them.

MFA Implementation Challenges

What gets in the way? These are common roadblocks.

User inconvenience. Some businesses avoid enforcing MFA out of concern about employee frustration or workflow disruption. Once you and your employees understand why MFA matters, there are ways to make it less intrusive. You can configure systems to remember a device after its first successful authentication so users are not prompted on every sign-in. Some organizations also exempt trusted locations such as the office network from MFA; be aware that this carve-out means a stolen password works without a second factor for anyone who can reach that network (guest Wi-Fi, a VPN, or a compromised machine inside it), so keep any such exemption narrow or skip it entirely.

Enforcement and compliance. A bigger issue is that MFA is often not actually required. Without conditional access policies that apply to all employees, people can opt out or simply never finish enrolling. It’s also important to tell employees that enabling MFA on work accounts doesn’t give the company access to their personal cell phones or other mobile devices. MFA is simply a mechanism for authenticating their access to IT systems.

Technical gaps. SMBs without dedicated IT staff may struggle to configure MFA consistently across cloud, SaaS, and legacy systems. Depending on how policies are scoped, shared accounts (which cannot be tied to one person’s second factor) can create gaps, and some systems may be excluded entirely or reached through legacy authentication protocols that never prompt for a second factor.

Top MFA Configuration Pitfalls to Avoid

Chris Preti, Principal Consultant at ISOutsource, emphasizes the importance of using conditional access to enforce MFA. Rather than switching MFA on for each individual user, implement a conditional access policy, which gives more granular control: you define rules that determine when MFA is required and who must use it based on factors like location, device state, or the application being accessed. Applying conditional access policies across your systems ensures users are prompted for MFA in exactly the situations you define, rather than relying on each person’s individual settings.

“Conditional access is more customizable than per-user MFA. You can base your MFA policies on user attributes, geographical location, device status, and so on,” says Preti. “Per-user MFA is harder to manage, as it must be applied for each individual user instead of globally.”

Even when MFA is set up correctly, SMBs should also configure alerts and automatic remediation for risky sign-in behavior. A risk-based conditional access policy can raise an alert, require additional verification, or block access outright when a sign-in looks suspicious (an unfamiliar location or an anonymizing network, for example). “I’ve seen auto remediation policies trigger alerts that notified companies of a compromised account. Without that policy, a sophisticated cyberattack could have led to a data breach,” says Preti.
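As an added example (not code from the article or from ISOutsource), here are the two policies described above expressed as Microsoft Entra Conditional Access policies created with the Microsoft Graph PowerShell SDK: a baseline policy that requires MFA for every user and every application, and a risk-based policy that steps up to MFA when Entra ID Protection rates a sign-in as medium or high risk. The policy names, the break-glass group ID and the 14-day sign-in frequency are assumptions chosen for illustration. Conditional Access requires an Entra ID P1 license (included in Microsoft 365 Business Premium); the sign-in-risk condition additionally requires P2.

```powershell
# Added example, not code from the ISOutsource article.
# Requires the Microsoft.Graph PowerShell SDK and an account holding the
# Conditional Access Administrator role. Install once with:
#   Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Assumption: object ID of an emergency-access ("break-glass") group. Excluding
# it keeps a misconfigured policy or a lost phone from locking every admin out.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# Policy 1: the baseline recommended instead of per-user MFA.
# Scope is all users and all cloud apps; the grant control is "mfa".
# Start in report-only mode so the sign-in logs show who would be affected
# before anything is enforced.
$baseline = @{
    displayName = "CA001 - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        # No trusted-location exclusion on purpose: a stolen password would
        # otherwise work without MFA from anything on the office network.
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        # Remember the authenticated device for 14 days instead of prompting
        # on every sign-in (the "user inconvenience" mitigation from the text).
        signInFrequency = @{
            isEnabled = $true
            type      = "days"
            value     = 14
        }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $baseline

# Policy 2: risk-based step-up. When Entra ID Protection classifies a sign-in
# as medium or high risk, require a fresh MFA. Change builtInControls to
# @("block") if you would rather deny those sign-ins outright.
$riskStepUp = @{
    displayName = "CA002 - Require MFA on medium or high sign-in risk"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications     = @{ includeApplications = @("All") }
        clientAppTypes   = @("all")
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $riskStepUp

# Check what exists and in which state before switching anything to "enabled".
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Let the policies run in report-only mode for a week or two, review the Conditional Access results in the Entra sign-in logs, and then enforce each one with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <policy id> -BodyParameter @{ state = "enabled" }`. Note that legacy clients such as IMAP or POP with basic authentication cannot satisfy an MFA grant, so with `clientAppTypes` set to all they are effectively blocked; look for such clients in the sign-in logs before enforcing so a line-of-business tool or scanner does not stop working unexpectedly.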

It’s also important to implement the right type of MFA. Authenticating a user by email or text message is the weakest option: SMS codes can be intercepted through SIM swapping, and any code a user types into a web page can be relayed by a phishing site that sits between the user and the real login. One-time passwords or push approvals from an authenticator app (ideally with number matching, so a user cannot approve a prompt they did not initiate), or smart cards, are better options.

Get the Most Out of MFA

After covering the basics, SMBs can go one step further by issuing company-managed devices and controlling them with a mobile device management (MDM) solution. “If you want the most secure setup, require employees to use company-issued, company-managed devices with conditional access and MFA,” concludes Preti. “That way, you can control what’s installed on devices and whether employees have current apps and updates. And MDM policies can solve problems like token theft. If an attacker steals a token but you don’t allow devices that aren’t enrolled in MDM into your systems, their computer is already excluded.”
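The managed-device requirement Preti describes maps to the `compliantDevice` grant control in Microsoft Entra Conditional Access. The following is an added example (not code from the article or from ISOutsource) that requires both MFA and an Intune-compliant device for every sign-in. It assumes devices are enrolled in Intune with a compliance policy assigned, an existing `Connect-MgGraph` session with the `Policy.ReadWrite.ConditionalAccess` scope, and a placeholder break-glass group ID.

```powershell
# Added example, not code from the ISOutsource article.
# Assumes Intune enrollment with a compliance policy, an existing
# Connect-MgGraph session, and a placeholder emergency-access group ID.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# Grant controls: MFA AND a compliant device. The operator matters; with "OR"
# a non-enrolled device could still get in by completing MFA alone.
$managedDeviceOnly = @{
    displayName = "CA003 - Require MFA and Intune-compliant device"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $managedDeviceOnly
```

The device-compliance check is evaluated each time Entra issues or refreshes tokens, so an attacker who has captured a password, completed MFA through a phishing relay, or obtained a refresh token cannot mint new tokens from an unmanaged machine. An access token that was already issued remains usable until it expires (about an hour by default), which is why risk-based sign-in policies and alerts remain useful alongside this control. Run this policy in report-only mode first as well: any unmanaged device still in use, including personal phones reading mail, will show up as a would-be failure in the sign-in logs.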

Contact ISOutsource today for more information on supporting your cybersecurity with MFA and disaster recovery plans.