MFA for small business (what to enforce)
MFA is the fastest way to reduce account takeover risk, but bad rollouts create lockouts and frustration. This guide shows what to enforce first and how to make it stick.
If you want help implementing an MFA baseline, start with MSP Cybersecurity or request a security audit. To quantify how outages and account issues impact operations, use the Downtime Cost Calculator.
We can quickly review your setup and show you what’s working and what needs improvement.
Use the IT Cost Savings Calculator to estimate annual waste from recurring support drag, outages, emergency work, and security cleanup before you decide what to prioritize.
MFA priorities (the “top 10 accounts” list)
If you do nothing else this month, enforce MFA on these accounts first:
- Global admins and any admin roles
- Email accounts (Microsoft 365 / Google Workspace)
- Password manager accounts
- Accounting + payments (bank, ACH/wire portals, accounting SaaS)
- Remote access tools (VPN, RMM, remote desktop)
- Domain registrar and DNS hosting
- Website hosting and forms systems
- Payroll and HR systems
- CRM + customer communications platforms
- Any vendor portal with admin-level access
Best MFA methods (and what to avoid)
Not all MFA methods are equal. In most small businesses, a practical order of preference is:
- Authenticator app (TOTP): solid baseline for most accounts
- Push MFA: convenient, but train users to deny unexpected prompts
- Hardware keys: best for admins and high-risk accounts
- SMS: better than nothing, but treat as a temporary step
For most teams, the biggest mistake is “MFA everywhere” without a recovery plan. That’s how lockouts happen.
Rollout plan for small teams
- Pick your MFA standard (authenticator app for most users; hardware keys for admins if possible).
- Start with admin roles and finance-related systems.
- Roll out email MFA next (it’s the most common compromise path).
- Set a clear deadline and provide a 15-minute setup session.
- Document the recovery process before you enforce.
Break-glass accounts and recovery rules
A “break-glass” account is an emergency admin account with strong controls. Small businesses should:
- Use a named, separate admin account for emergencies
- Store recovery info in a secure vault
- Limit who can access it and when
- Log and review every use
What to do if you’re already compromised
If you suspect a mailbox compromise or suspicious sign-ins, treat it as an incident. The fastest wins are: change passwords, revoke sessions, force MFA, and verify forwarding rules and inbox rules.
Local help (Clearwater)
If you need hands-on help implementing MFA and cleanup, see IT Support in Clearwater.
FAQ
Is SMS MFA good enough?
It’s better than no MFA, but it’s not the best option for high-risk accounts. Use an authenticator app (or hardware keys for admins) when possible.
Do we need MFA on every app?
Start with the top-risk accounts (email, admins, finance, remote access). Then expand to any system that can change payments, access, or sensitive customer data.
How do we handle shared accounts?
Avoid shared accounts when possible. Use shared mailboxes and role-based access. If a shared login is unavoidable, store it in a password manager and protect the vault with MFA.
Next step
Request a security audit
Explore MSP Cybersecurity
Browse Cybersecurity articles
Get the PDF instantly. Use it to tighten your baseline and reduce avoidable incidents.
Related posts
Keep reading with the most relevant next articles.
Why Your SPRS Score Should Match Your Real Cybersecurity Posture
A practical look at why SPRS-related cybersecurity claims should reflect the real environment, real evidence, and real NIST SP 800-171 posture behind them.
Why Small Manufacturers Should Get a CMMC Readiness Review Before a Contract Requires It
Why small manufacturers, machine shops, fabricators, and defense subcontractors benefit from a readiness review before contract language or customer pressure forces the issue.
The Risk of Claiming CMMC Compliance Before You Are Ready
A professional, plain-English look at the business and contract risk that can come from claiming CMMC compliance before the environment, documentation, and evidence are ready.
