Week 1: Lock the Front Door — MFA Setup Guide for SMEs
Part of the 30-Day SME Cyber Security Series
If passwords are the front door to your business…
👉 **Multi-Factor Authentication (MFA) is the deadbolt.**
Without it, a single stolen password is all it takes for an attacker to:
* Access your email
* Send fraudulent invoices
* Reset other systems
* Lock you out of your own business
With MFA enabled?
👉 That same attack **fails immediately**.
—
## What is MFA (Plain English)
MFA means:
> Even if someone knows your password, they **still can’t log in** without a second proof of identity.
That second factor is usually:
* A code on your phone
* An app approval
* A biometric (fingerprint / face)
—
## Why This Matters (Real Risk)
Most cyber incidents in SMEs happen because:
* Passwords are reused
* Passwords are guessed or stolen
* No second layer exists
👉 MFA alone can stop **the majority of these attacks**
—
## Where You MUST Enable MFA (Start Here)
Don’t overcomplicate this.
Focus on the systems that matter most:
—
### 📧 1. Email (CRITICAL — Do This First)
If your email is compromised, everything else follows.
**Platforms:**
* Microsoft 365 (Outlook)
* Google Workspace (Gmail)
—
### 💰 2. Accounting & Finance Systems
**Platforms:**
* MYOB
* Xero
* Online banking
—
### ☁️ 3. Cloud Storage & Business Tools
* Dropbox
* OneDrive
* SharePoint
—
### 🔐 4. Admin Accounts
Any account that:
* Controls users
* Has elevated permissions
—
## Step-by-Step Setup (Simple and Practical)
—
## 🔹 Microsoft 365 (Outlook, Teams, OneDrive)
1. Go to: **Microsoft 365 Admin Centre**
2. Navigate to: **Users → Active Users**
3. Select a user
4. Click: **Manage multi-factor authentication**
5. Enable MFA
6. User logs in → prompted to set up MFA
👉 Recommended method:
* **Microsoft Authenticator app**
—
## 🔹 Google Workspace (Gmail, Drive)
1. Go to: **admin.google.com**
2. Security → **2-Step Verification**
3. Turn ON for users
4. Enforce policy (don’t leave it optional)
👉 Recommended method:
* **Google Authenticator** or Google Prompt
—
## 🔹 MYOB
1. Log into MYOB
2. Go to: **Account Settings / Security**
3. Enable **Two-Factor Authentication**
4. Link to mobile device
—
## 🔹 Xero
1. Log into Xero
2. Go to: **Account → Security**
3. Enable **Two-Step Authentication**
4. Choose:
* Authenticator app (best)
* SMS (acceptable fallback)
—
## 🔹 Online Banking
Every bank is slightly different, but:
1. Log into your banking portal
2. Go to: **Security Settings**
3. Enable:
* MFA / 2FA / Secure Code
👉 Often already partially enabled — make sure it’s **fully enforced**
—
## 🔧 Which MFA Method Should You Use?
| Method | Good | Best |
| --- | --- | --- |
| SMS codes | ✔ | |
| Authenticator app | ✔✔ | ✔ |
| Push notification (approve login) | ✔✔ | ✔✔ |
| Hardware key | ✔✔✔ | (advanced users) |
👉 **Best balance for SMEs:**
Use an **Authenticator App**
—
## ⚠️ What Most Businesses Get Wrong
This is where things fall apart.
—
### ❌ 1. “We turned it on… but didn’t enforce it”
* Optional MFA = ineffective MFA
* Users will skip it
👉 **Fix:** Enforce it for ALL users
—
### ❌ 2. Only protecting admin accounts
Attackers don’t need admin access.
They:
* Compromise a normal user
* Send emails internally
* Request payments
👉 **Fix:** MFA for everyone
—
### ❌ 3. Using SMS only
SMS can be:
* Intercepted
* SIM-swapped
👉 **Fix:** Use authenticator apps where possible
—
### ❌ 4. No backup access method
If a user loses their phone:
* They get locked out
* Business disruption occurs
👉 **Fix:**
* Set backup methods
* Store recovery codes securely
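An added example, not from the guide: a small Python audit over an exported list of users and their registered MFA methods, flagging mistakes 1 to 4 above (nothing registered, SMS only, no backup method, and an admin with no strong method). The CSV layout, the method names and the sample rows are constructed assumptions for this example; map them to the columns your platform's authentication-methods report actually exports.

```python
import csv
import io

# Constructed sample export (assumed layout: user,is_admin,methods with the
# methods separated by ';'). A real platform report uses its own column names.
SAMPLE_EXPORT = """\
user,is_admin,methods
alice@example.com,true,authenticator;hardware_key
bob@example.com,false,sms
carol@example.com,false,
dave@example.com,false,authenticator
erin@example.com,true,sms;authenticator
"""

WEAK_METHODS = {"sms", "voice"}                      # phone-network based
STRONG_METHODS = {"authenticator", "push", "hardware_key"}


def parse_export(text: str) -> list:
    """Turn the CSV text into rows with a set of lower-cased method names."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        methods = {m.strip().lower() for m in row["methods"].split(";") if m.strip()}
        rows.append({"user": row["user"].strip(),
                     "is_admin": row["is_admin"].strip().lower() == "true",
                     "methods": methods})
    return rows


def audit(rows: list) -> dict:
    """Map each user that has a problem to the list of issues found."""
    findings = {}
    for r in rows:
        issues = []
        if not r["methods"]:
            issues.append("NO_MFA")            # mistakes 1 and 2: nothing registered
        else:
            if r["methods"] <= WEAK_METHODS:
                issues.append("SMS_ONLY")      # mistake 3
            if len(r["methods"]) < 2:
                issues.append("NO_BACKUP")     # mistake 4
        if r["is_admin"] and not (r["methods"] & STRONG_METHODS):
            issues.append("ADMIN_WITHOUT_STRONG_METHOD")
        if issues:
            findings[r["user"]] = issues
    return findings


def strong_coverage(rows: list) -> float:
    """Fraction of users with at least one non-SMS method registered."""
    covered = sum(1 for r in rows if r["methods"] & STRONG_METHODS)
    return covered / len(rows) if rows else 0.0


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for user, issues in audit(rows).items():
        print(f"{user}: {', '.join(issues)}")
    print(f"strong-method coverage: {strong_coverage(rows):.0%}")
```

Run it against the export each week until `audit` returns nothing and coverage reads 100%; "turned on" and "enforced for everyone" are the same thing only when that report is empty.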
—
### ❌ 5. Not training staff
Users:
* Don’t understand MFA prompts
* Approve malicious login attempts
👉 **Fix:**
* Train staff:
> “If you didn’t try to log in — DENY the request”
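An added example, not from the guide: detection logic in Python for the "approved a malicious prompt" problem, run over a few constructed sign-in log lines. It flags any user who received several push prompts they did not approve within ten minutes, and records whether an approval followed that burst, which is the case that needs a same-day call to the user. The log format and the sample lines are constructed for this example; real sign-in logs will need their own parser.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log lines (assumed format:
# "<UTC timestamp> <user> <push result>", result in denied/timeout/approved).
SAMPLE_LOG = [
    "2024-03-04T08:01:10Z bob@example.com denied",
    "2024-03-04T08:02:05Z bob@example.com denied",
    "2024-03-04T08:03:40Z bob@example.com timeout",
    "2024-03-04T08:04:12Z bob@example.com approved",
    "2024-03-04T09:15:00Z alice@example.com approved",
    "2024-03-04T09:20:00Z dave@example.com denied",
    "2024-03-04T10:20:00Z dave@example.com denied",
]


def parse_events(lines):
    """Parse the constructed line format into (timestamp, user, result), oldest first."""
    events = []
    for line in lines:
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    events.sort()
    return events


def detect_push_fatigue(lines, threshold=3, window=timedelta(minutes=10)):
    """Flag users with `threshold` or more unapproved push prompts inside
    `window`, and note whether an approval followed the burst (a worn-down
    user finally tapping 'approve' is the outcome staff training must prevent)."""
    by_user = defaultdict(list)
    for ts, user, result in parse_events(lines):
        by_user[user].append((ts, result))

    alerts = {}
    for user, evs in by_user.items():
        unanswered = [ts for ts, result in evs if result != "approved"]
        for i, start in enumerate(unanswered):
            burst = [ts for ts in unanswered[i:] if ts - start <= window]
            if len(burst) < threshold:
                continue
            end = burst[-1]
            approved_after = any(result == "approved" and end <= ts <= end + window
                                 for ts, result in evs)
            alerts[user] = {"prompts": len(burst), "start": start, "end": end,
                            "approved_after_burst": approved_after}
            break  # one alert per user is enough for the report
    return alerts


if __name__ == "__main__":
    for user, info in detect_push_fatigue(SAMPLE_LOG).items():
        print(f"{user}: {info['prompts']} unapproved prompts between "
              f"{info['start']:%H:%M} and {info['end']:%H:%M}; "
              f"approved afterwards: {info['approved_after_burst']}")
```

A burst of denied prompts means the password is already in someone else's hands: the MFA did its job, but the password still needs resetting, and an approval after the burst means the session should be revoked as well.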
—
## 🧠 Simple Rule for Your Business
> If it has login access and matters to your business — it must have MFA.
No exceptions.
—
## What You Should Do This Week
### Day 1–2:
* Enable MFA on email (Microsoft / Google)
### Day 3:
* Enable on MYOB / Xero / banking
### Day 4:
* Enable on cloud storage
### Day 5:
* Enforce across all users
### Day 6–7:
* Train staff (10-minute session is enough)
—
## The Outcome
After just one week:
* Most common attacks → **blocked**
* Stolen passwords → **useless**
* Business risk → **dramatically reduced**
—
## Final Thought
Cybersecurity doesn’t start with complexity.
It starts with:
👉 **Making it harder to break in than the business next door**
MFA does exactly that.
—
**Next:**
👉 *Week 2: Stop Reusing Passwords — Simple Fixes That Actually Work*
**Need help rolling this out across your business?**
IQ People helps SMEs implement practical cybersecurity controls quickly — without disrupting operations.
