During Braintree’s Modern Work, Let’s Connect webinar we explored why cybersecurity threats are no longer a distant concern but a daily reality for businesses of all sizes.
This article highlights why MFA is the first and most critical step in your security journey, supported by real-world examples shared by industry experts Doug Morrison and Chris Badenhorst.
What Is MFA and Why Does It Matter?
Multi-Factor Authentication adds an extra layer of security beyond your username and password. It requires users to verify their identity using a second factor, such as a text message, authentication app, or biometric verification, before granting access.
Why is this so important?
Because passwords alone are no longer enough. Hackers use phishing, brute-force attacks, and credential stuffing to gain access to accounts. Once inside, they move laterally into devices, applications, and ultimately your data. MFA makes that first hurdle significantly harder to overcome.
The Alarming Reality: Real-World Breaches
Chris Badenhorst shared a sobering statistic and insights:
“In the past month alone, 13 Microsoft 365 environments were compromised, and 85% of those breaches occurred because Multi-Factor Authentication (MFA) was not enabled on admin accounts. These are not isolated incidents; they represent a growing trend that every organisation must address immediately.”
The consequences were severe:
- Deletion of executive mailboxes and OneDrive data.
- Loss of financial and SharePoint data.
- A $25,000 Azure bill in just one week due to unauthorised resource spin-ups.
One case stood out:
Hackers scanned a company’s website, found email addresses, and launched a brute-force attack. Two accounts resisted, but the third, an administrator account without MFA, was compromised. The result? Significant data loss. The only saving grace was that the company had backups.
Why MFA Is Step One in Zero Trust Security
Microsoft’s Zero Trust model emphasises “never trust, always verify.” MFA is the foundation of this approach. Doug Morrison put it bluntly:
“If you’re accessing any company information, whether you’re the MD or the person making the tea, you must enable MFA.”
This isn’t optional. It’s the baseline for protecting:
- Identities (user accounts and admin credentials).
- Devices (company and personal).
Common Excuses—and Why They Don’t Hold Up
Some businesses hesitate to implement MFA because they fear it will inconvenience users. The reality:
- Setup is simple: Choose SMS, app-based codes, or biometrics.
- Impact is minimal: After initial setup, MFA prompts occur only during password changes or suspicious logins.
- Cost is zero: MFA is included in Microsoft 365 and most major platforms.
As Doug said: “It’s free. It’s inherent in the product. You don’t have to do anything extra.”
Beyond MFA: Strengthening Your Security Posture
While MFA is critical, it’s not a silver bullet. Here are additional steps recommended by the experts:
- Block Legacy Authentication – Older protocols like POP and IMAP bypass MFA. Disable them to close this loophole.
- Limit Admin Privileges – Reduce the number of admin accounts and implement break-glass accounts for emergencies.
- Enable Conditional Access – Add rules that restrict logins by location or device. For example, only allow logins from South Africa or the UK. This prevents unauthorised access from high-risk regions.
- Protect Devices and Data – Use Microsoft Intune to manage and secure devices, including BYOD. Apply sensitivity labels and Data Loss Prevention (DLP) policies to safeguard confidential information.
- Backup Your Data – Microsoft stores your data but does not back it up. Implement immutable backups outside the Microsoft 365 environment.
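Before switching the Conditional Access policies above from report-only to enforced, it helps to know which accounts would be caught. The script below is an added example (not from the webinar or from Braintree): it triages an exported Entra ID sign-in log for the gaps listed above and the brute-force pattern from the case study. Field names follow the Microsoft Graph signIn resource; the account names, sign-in records and the admin list are constructed, and the allowed-country set uses the article’s South Africa / UK example.

```python
"""Triage an exported Entra ID sign-in log for: legacy protocols that bypass MFA,
single-factor sign-ins (worst on admin accounts), sign-ins outside the allowed
countries, and password-guessing bursts. Records below are constructed samples."""
from collections import Counter, defaultdict

# clientAppUsed values for protocols that cannot complete an MFA challenge (subset).
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync",
                  "Exchange Web Services", "MAPI Over HTTP", "Other clients"}
ALLOWED_COUNTRIES = {"ZA", "GB"}   # the article's example: South Africa and the UK
INVALID_PASSWORD = 50126           # Entra error code: wrong username or password
GUESSING_THRESHOLD = 5             # failed passwords per account before we flag it

def event(user, client, mfa, country, code=0):
    """Constructed sign-in record in the Graph signIn shape (errorCode 0 = success)."""
    req = "multiFactorAuthentication" if mfa else "singleFactorAuthentication"
    return {"userPrincipalName": user, "clientAppUsed": client, "authenticationRequirement": req,
            "location": {"countryOrRegion": country}, "status": {"errorCode": code}}

SAMPLE_LOG = (
    [event("md@example.com", "Browser", True, "ZA"),
     event("finance@example.com", "IMAP4", False, "ZA"),     # mail client on a legacy protocol
     event("admin@example.com", "Browser", False, "GB"),     # admin signing in without MFA
     event("sales@example.com", "Browser", True, "US")]      # outside the allowed countries
    + [event("admin@example.com", "Browser", False, "RU", INVALID_PASSWORD)] * 6  # guessing burst
    + [event("admin@example.com", "Other clients", False, "RU")]  # ...followed by a success
)

def triage(events, admins):
    """Return sorted account lists per finding; 'critical' = admins seen without MFA."""
    hits = defaultdict(set)
    failed = Counter()
    for e in events:
        user, code = e["userPrincipalName"], e["status"]["errorCode"]
        if code != 0:
            if code == INVALID_PASSWORD:
                failed[user] += 1
            continue                       # only successful sign-ins count below
        if e["clientAppUsed"] in LEGACY_CLIENTS:
            hits["legacy_auth"].add(user)
        if e["authenticationRequirement"] == "singleFactorAuthentication":
            hits["single_factor"].add(user)
        if e["location"]["countryOrRegion"] not in ALLOWED_COUNTRIES:
            hits["outside_allowed_countries"].add(user)
    hits["password_guessing"] = {u for u, n in failed.items() if n >= GUESSING_THRESHOLD}
    hits["critical"] = hits["single_factor"] & set(admins)
    return {k: sorted(hits[k]) for k in ("critical", "legacy_auth", "single_factor",
                                         "outside_allowed_countries", "password_guessing")}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, admins={"admin@example.com"}))
```

Accounts in `critical` are the admin-without-MFA case from the breach statistics above; `legacy_auth` lists who will break when legacy authentication is blocked, so those users need a modern mail client first.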
Advanced Protection: Managed Security Operations
Even with MFA and best practices, threats evolve. That’s why many businesses are turning to Managed Security Operations Centres (SOCs) like Arctic Wolf. These services provide:
- 24/7 monitoring across global time zones.
- Immediate containment of threats.
- Simulation training to educate employees on phishing and social engineering.
Doug highlighted a shocking statistic: “70% of new customer environments have latent threats in them.”
A SOC doesn’t replace your existing security; it adds extra “onion rings” of protection.
The Human Factor: Training and Awareness
Technology alone can’t stop attacks. People remain the weakest link. Phishing emails disguised as tax refunds or urgent invoices still trick employees into clicking malicious links.
Simulation training helps identify vulnerable users and reinforce best practices.
Your Call to Action
If you take one thing from this article, let it be this:
Enable MFA for every user today!
Check your Microsoft Secure Score and aim for at least 95%. Review it weekly and act on recommendations.
Here’s your action checklist:
- Enable MFA for all users and admins.
- Block legacy authentication.
- Limit admin privileges and create break-glass accounts.
- Implement conditional access policies.
- Secure devices with Intune and protect data with DLP.
- Back up Microsoft 365 data externally.
- Consider a SOC for 24/7 monitoring and response.
- Train employees through phishing simulations.
Final Thought
Cybersecurity is no longer a question of if you’ll be attacked, but when. MFA is your first line of defence, and it costs nothing but a few minutes to set up. Don’t wait for a breach to make security a priority.