MFA for small business (what to enforce)
MFA is the fastest way to reduce account takeover risk, but bad rollouts create lockouts and frustration. This guide shows what to enforce first and how to make it stick.
If you want help implementing an MFA baseline, start with MSP Cybersecurity or request a security audit; we can quickly review your setup and show you what is working and what needs improvement. To quantify how outages and account issues affect operations, use the Downtime Cost Calculator, and use the IT Cost Savings Calculator to estimate the annual cost of recurring support drag, outages, emergency work, and security cleanup before you pitch the fix internally.
MFA priorities (the “top 10 accounts” list)
If you do nothing else this month, enforce MFA on these accounts first:
- Global admins and any admin roles
- Email accounts (Microsoft 365 / Google Workspace)
- Password manager accounts
- Accounting + payments (bank, ACH/wire portals, accounting SaaS)
- Remote access tools (VPN, RMM, remote desktop)
- Domain registrar and DNS hosting
- Website hosting and forms systems
- Payroll and HR systems
- CRM + customer communications platforms
- Any vendor portal with admin-level access
Best MFA methods (and what to avoid)
Not all MFA methods are equal: hardware keys and passkeys resist phishing, while one-time codes, push prompts, and SMS can all be relayed or socially engineered. In most small businesses, a practical order of preference is:
- Authenticator app (TOTP): solid baseline for most accounts; a code can still be phished by a real-time proxy site, so pair it with user training
- Push MFA: convenient, but attackers spam prompts until someone taps Approve; turn on number matching where your provider offers it and train users to deny unexpected prompts
- Hardware keys (FIDO2) or passkeys: the only phishing-resistant option on this list; best for admins and high-risk accounts
- SMS: better than nothing, but exposed to SIM swapping and number porting; treat it as a temporary step
For most teams, the biggest mistake is “MFA everywhere” without a recovery plan. That’s how lockouts happen.
Rollout plan for small teams
- Pick your MFA standard (authenticator app for most users; hardware keys for admins if possible).
- Start with admin roles and finance-related systems.
- Roll out email MFA next (it’s the most common compromise path).
- Set a clear deadline and provide a 15-minute setup session.
- Document the recovery process before you enforce.
Break-glass accounts and recovery rules
A “break-glass” account is an emergency admin account that gets you back in when MFA, a sign-in policy, or the identity provider itself fails. Small businesses should:
- Use a dedicated admin account reserved for emergencies, not anyone’s daily login
- Protect it with a hardware key or a long, randomly generated password, and store the credentials and recovery codes in a secure vault
- Exclude it from the MFA enforcement policy that could otherwise lock every admin out, and make sure nothing else is excluded
- Limit who can retrieve it and under what conditions
- Log every sign-in, alert on it, and review each use afterward
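The rollout plan above and the break-glass rules combine into one configuration step in Microsoft 365: an Entra Conditional Access policy that requires MFA for everyone, starts in report-only mode so nobody is locked out before enrollment is complete, and excludes the emergency account. The script below is an added example, not code from the original article. It assumes the Microsoft Graph PowerShell SDK is installed, that the tenant has Entra ID P1 (included in Business Premium), and that the break-glass account is named breakglass@contoso.com; the names and scopes shown are placeholders to replace with your own.

```powershell
# Added example (not from the original article): require MFA for all users via Conditional Access,
# in report-only mode first, with the break-glass account excluded, then confirm the exclusion
# and pull its recent sign-ins for review.
# Assumptions: Microsoft.Graph PowerShell SDK, Entra ID P1, break-glass account breakglass@contoso.com (placeholder).

Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'User.Read.All', 'AuditLog.Read.All', 'Directory.Read.All'

# Conditional Access exclusions take object IDs, not UPNs, so resolve the account first.
$breakGlassUpn = 'breakglass@contoso.com'   # placeholder: your dedicated emergency admin
$breakGlass    = Get-MgUser -UserId $breakGlassUpn -Property Id, UserPrincipalName

$policy = @{
    displayName   = 'Baseline: require MFA for all users'
    # Report-only: sign-in logs show who WOULD have been challenged, but nobody is blocked yet.
    # Switch to 'enabled' after admins, finance, and email users have enrolled and recovery is documented.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlass.Id)     # the ONLY exclusion; anything else is a hole
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State); excluded $($breakGlass.UserPrincipalName)"

# Sanity check before anyone flips this to 'enabled': the break-glass account must be excluded.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.Conditions.Users.ExcludeUsers -notcontains $breakGlass.Id) {
    throw 'Break-glass account is not excluded from the MFA policy. Do not enable this policy.'
}

# "Log and review every use": the emergency account should almost never sign in.
# Any row here that you cannot tie to a known incident is itself an incident.
Get-MgAuditLogSignIn -Filter "userId eq '$($breakGlass.Id)'" -Top 25 |
    Select-Object CreatedDateTime, IpAddress, AppDisplayName, @{n='Status'; e={ $_.Status.ErrorCode }} |
    Format-Table -AutoSize
```

Run it once in report-only mode, watch the sign-in logs for a week to find users who still need enrollment, then change the policy state to enabled. Keep the exclusion list to the one emergency account; every additional exclusion is an unprotected login path.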
What to do if you’re already compromised
If you suspect a mailbox compromise or suspicious sign-ins, treat it as an incident, not a routine password reset. The fastest wins are: reset the password, revoke every active session and refresh token (a password change alone does not sign the attacker out), enforce MFA and remove any authenticator method the attacker registered, then check mailbox forwarding, inbox rules, and recent OAuth app consents, which attackers use to keep reading mail after the password changes.
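The triage described above, written out for Microsoft 365 as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement and Microsoft Graph PowerShell modules are installed, that you hold an Exchange admin role, and that the suspected victim is victim@contoso.com; every account name is a placeholder. It lists mailbox-level forwarding and suspicious inbox rules across the tenant, shows whether external auto-forwarding is blocked at the policy level, and revokes the victim's sessions.

```powershell
# Added example (not from the original article): triage a suspected mailbox compromise in Microsoft 365.
# Assumptions: ExchangeOnlineManagement + Microsoft.Graph modules installed; admin@contoso.com and
# victim@contoso.com are placeholders.

Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Users.Actions

Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'   # placeholder admin account
Connect-MgGraph -Scopes 'User.ReadWrite.All'                    # needed for session revocation

# 1. Mailbox-level forwarding. Attackers set this because it survives a password change.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 2. Inbox rules that forward, redirect, delete, or bury mail. Rules that move messages into
#    RSS/Archive/Junk folders are a classic way to hide security alerts and vendor replies
#    while the attacker runs an invoice fraud from the mailbox.
$suspicious = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object {
            $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
            $_.DeleteMessage -or ($_.MoveToFolder -match 'RSS|Archive|Conversation History|Junk')
        } |
        Select-Object @{n='Mailbox'; e={ $mbx.UserPrincipalName }}, Name, Enabled,
                      ForwardTo, RedirectTo, DeleteMessage, MoveToFolder
}
$suspicious | Format-Table -AutoSize

# 3. Tenant-wide control: with AutoForwardingMode set to Off, external auto-forward is blocked
#    even if a rule or mailbox setting exists. 'Automatic' or 'On' means forwarding can leave the tenant.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode

# 4. Contain the known victim. Revoking sign-in sessions invalidates refresh tokens, so any
#    browser or mail client the attacker already authenticated stops working within minutes.
#    Reset the password and re-register MFA in the admin center; a reset alone does not do this.
$victim = 'victim@contoso.com'   # placeholder
Revoke-MgUserSignInSession -UserId $victim

# 5. Once a rule from step 2 is confirmed malicious, remove it by name, e.g.:
# Remove-InboxRule -Mailbox $victim -Identity 'Name shown in step 2' -Confirm:$false
```

Run steps 1 to 3 against the whole tenant, not just the reported mailbox: a phishing campaign that caught one user usually caught others, and the rules are the evidence. Keep the output of each step as part of the incident record before you remove anything.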
Local help (Clearwater)
If you need hands-on help implementing MFA and cleanup, see IT Support in Clearwater.
FAQ
Is SMS MFA good enough?
It’s better than no MFA, but it’s not the best option for high-risk accounts. Use an authenticator app (or hardware keys for admins) when possible.
Do we need MFA on every app?
Start with the top-risk accounts (email, admins, finance, remote access). Then expand to any system that can change payments, access, or sensitive customer data.
How do we handle shared accounts?
Avoid shared accounts when possible. Use shared mailboxes and role-based access. If a shared login is unavoidable, store it in a password manager and protect the vault with MFA.
Next step
Request a security audit
Explore MSP Cybersecurity
Browse Cybersecurity articles
Related posts
Keep reading with the most relevant next articles.
Cybersecurity Risk Assessment for Non-Technical Owners (Plain-English Framework)
A simple risk assessment framework: assets, threats, controls, and priorities—so owners can fund the right security improvements.
Backup and Recovery Plan for Small Business (Simple, Testable)
Backups that actually work: what to include, how often to run, how to test restores, and how to recover from ransomware quickly.
Endpoint Protection for Small Business (Practical Checklist)
Choose endpoint protection that reduces real risk: coverage, response, visibility, patching, and recovery—not just “next-gen” buzzwords.
