If you only do one security thing in 2026, do MFA properly. Not the SMS-codes version your bank still uses. The version that actually stops the credential-stuffing and AiTM phishing kits that are doing 80 percent of the damage to small businesses right now.
The good news is that for a 10 to 100 person company, decent MFA is mostly free, mostly already in your subscriptions, and can be rolled out in a couple of weeks if you do it deliberately. The annoying news is that the way most SMBs deploy it is just barely better than not having it.
Pick the right factor, not just any factor
There is a hierarchy here, and pretending there is not has cost a lot of companies a lot of money:
- Phishing-resistant (good): Passkeys, FIDO2 hardware keys (YubiKey 5 around $50, Google Titan, Feitian), or Windows Hello for Business with attestation. These cannot be relayed by a phishing proxy. Use them for admins, finance, and anyone with broad data access.
- Push with number matching (acceptable): Microsoft Authenticator and Duo both support this now. It defeats push fatigue, which was a real problem when Uber got popped.
- TOTP apps (okay): Authy, Google Authenticator, 1Password's built-in TOTP. Better than SMS by a wide margin.
- SMS codes (bad, but not zero): SIM swap is a real attack on anyone with a public LinkedIn. Use this only as a fallback, never as primary for admin accounts.
The mistake I see weekly is rolling out Microsoft Authenticator with simple push, declaring the project done, and then having a session token stolen by an Evilginx-style phishing kit eight months later. Number matching or passkeys is the bar, not vanilla push.
Cover the boring accounts too
Your M365 tenant probably has MFA on user accounts. Does it have MFA on the break-glass admin? On the third-party app registrations with Mail.ReadWrite scopes? On the legacy POP/IMAP service account someone set up in 2019 for the scanner? Attackers love these. Audit your sign-in logs once a quarter for "Other clients" or basic auth, and disable whatever is still using them.
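A quarterly audit of the kind described above, as an added example that is not part of the original post: it triages a JSON export of Entra sign-in logs for successful basic-auth sign-ins and for successful sign-ins that never satisfied MFA. The field names follow the Microsoft Graph signIn resource (userPrincipalName, clientAppUsed, authenticationRequirement, status.errorCode); the records are constructed, and the list of legacy client app labels is a starting point, not an exhaustive set.

```python
"""Triage an Entra sign-in log export for legacy (basic) auth and single-factor sign-ins."""
import json
from collections import Counter

# Client app labels that indicate legacy/basic authentication, as they appear in the
# Graph signIn "clientAppUsed" field. Assumed starting set; extend it for your tenant.
LEGACY_CLIENT_APPS = {
    "Other clients", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
    "Exchange ActiveSync", "Exchange Web Services", "Outlook Anywhere", "MAPI Over HTTP",
}

# Constructed sample records in the shape of a Graph signIn export (not real tenant data).
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "cfo@example.test", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "scanner@example.test", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "scanner@example.test", "clientAppUsed": "Other clients",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "breakglass@example.test", "clientAppUsed": "Browser",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "sales@example.test", "clientAppUsed": "Exchange ActiveSync",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}},
])


def triage_signins(export_json: str) -> dict:
    """Return per-account counts of successful legacy-auth sign-ins and of
    successful non-legacy sign-ins that were never challenged for MFA."""
    legacy = Counter()   # account -> successful basic-auth sign-ins
    no_mfa = Counter()   # account -> successful sign-ins without an MFA requirement
    for rec in json.loads(export_json):
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempts are a separate investigation (lockouts, spraying)
        upn = rec.get("userPrincipalName", "<unknown>")
        if rec.get("clientAppUsed", "") in LEGACY_CLIENT_APPS:
            legacy[upn] += 1
        elif rec.get("authenticationRequirement") != "multiFactorAuthentication":
            no_mfa[upn] += 1
    return {"legacy_auth": dict(legacy), "single_factor": dict(no_mfa)}


if __name__ == "__main__":
    for kind, accounts in triage_signins(SAMPLE_SIGNINS).items():
        for upn, n in sorted(accounts.items()):
            print(f"{kind}: {upn} ({n} successful sign-ins)")
```

Each account under legacy_auth is a candidate for blocking legacy authentication once its dependency is replaced; each under single_factor is a gap in your MFA enforcement policy.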
Same goes for adjacent SaaS. QuickBooks Online, your CRM, the bank portal, the domain registrar, the DNS provider. The DNS provider especially. I have watched a 30-person company eat a week of email outage because their GoDaddy account had no MFA and someone changed the MX records to a phishing relay.
Plan for the lost-phone problem
The only thing more painful than no MFA is MFA that locks out half your staff on a Monday morning. Before rollout: register at least two factors per user (phone plus a hardware key, or two hardware keys for admins). Document the recovery flow. Test it on yourself before forcing it on anyone else.
Do not, under any circumstance, use email-based recovery as the only fallback. If the attacker has the email, they have the recovery, and you have built a circular dependency.
Conditional Access does the heavy lifting
If you are on Microsoft 365 Business Premium, Entra Conditional Access is included and most people never turn it on. At minimum: require MFA for all users, block legacy authentication entirely, and require compliant or hybrid-joined devices for admin roles. Google Workspace customers get the equivalent through Context-Aware Access. These features are not extras. They are the reason you bought the SKU.
Roll it out in a way people will accept
Pilot with IT and leadership for two weeks. Fix the real friction (the conference room kiosk, the warehouse iPad). Then go company-wide with one all-hands and a deadline. Do not let people opt out. Soft launches with optional enrollment have a 100 percent failure rate in my experience, because the people who most need MFA are the ones who will most loudly opt out.
If you would rather not babysit the rollout yourself, Syncritech runs MFA deployments for SMBs as a fixed-scope project rather than an open-ended retainer.