Multi-factor authentication (MFA) is the single highest-leverage security control for small and mid-sized businesses. A single control blunts the largest category of breaches, those that start with a compromised password. Studies of breach data consistently show that the majority of account compromises involve credentials that were stolen, reused, or guessed, and that MFA blocks the overwhelming majority of those attacks even when the password itself is compromised.
Insurance underwriters know this. Cyber insurance applications now consistently ask whether MFA is enforced on email, financial systems, and remote access. Underwriters increasingly decline coverage or substantially raise premiums for businesses without MFA on these systems. Customer security questionnaires ask the same questions. Auditors ask. Regulators ask.
This is also the control that creates the most operational friction with employees. People resist MFA because it adds steps to their day. Doing the rollout well matters disproportionately, because a botched rollout creates resistance that's hard to recover from and a successful rollout becomes invisible within a few weeks.
This section gets more depth than other Phase 1 sections because the work warrants it.
Why MFA matters more than other controls
Three things make MFA uniquely high-leverage:
First, it addresses the most common attack pattern. Phishing campaigns, credential stuffing attacks (using passwords stolen from one breach to access accounts elsewhere), and brute-force attempts all rely on knowing or guessing the password. MFA breaks the chain by requiring a second factor that the attacker doesn't have.
Second, it scales with the business automatically. Adding employees doesn't increase the attack surface for credential-based attacks if MFA is universal. You don't have to retrain everyone, redo a configuration, or add new tools when you hire.
Third, it produces evidence. MFA enforcement is something you can demonstrate. Insurance applications, customer questionnaires, and audits all want documented proof that MFA is enforced; the configuration itself is the evidence.
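To make that evidence concrete, here is an added example (not part of the guide) that audits an account export against the three systems underwriters ask about and reports every account where MFA is not enforced. The CSV column names and the sample rows are assumptions constructed for illustration, not any vendor's export format.

```python
import csv
import io

# Systems cyber-insurance applications ask about (email, financial, remote access).
REQUIRED_SYSTEMS = ("email", "financial", "remote_access")

# Constructed sample export; column names are an assumption, not a vendor format.
SAMPLE_EXPORT = """system,user,role,mfa_enforced
email,alice@example.com,admin,true
email,bob@example.com,user,true
email,carol@example.com,user,false
financial,alice@example.com,admin,true
financial,dave@example.com,user,true
remote_access,erin@example.com,user,false
remote_access,alice@example.com,admin,true
file_share,bob@example.com,user,false
"""


def audit_mfa(export_text):
    """Return (coverage, gaps): coverage maps system -> (enforced, total);
    gaps lists (system, user, role) for accounts without MFA enforced."""
    coverage, gaps = {}, []
    for row in csv.DictReader(io.StringIO(export_text)):
        system = row["system"].strip().lower()
        enforced = row["mfa_enforced"].strip().lower() in ("true", "yes", "1")
        done, total = coverage.get(system, (0, 0))
        coverage[system] = (done + int(enforced), total + 1)
        if not enforced:
            gaps.append((system, row["user"], row["role"]))
    return coverage, gaps


def underwriter_answer(coverage):
    """True only if every required system appears in the export and is
    100% enforced; a system absent from the export is a failure (no evidence)."""
    return all(
        coverage.get(s, (0, 0))[1] > 0 and coverage[s][0] == coverage[s][1]
        for s in REQUIRED_SYSTEMS
    )


if __name__ == "__main__":
    cov, gaps = audit_mfa(SAMPLE_EXPORT)
    for system, (done, total) in sorted(cov.items()):
        print(f"{system:14s} {done}/{total} enforced")
    for system, user, role in gaps:
        print(f"GAP  {system:14s} {user} ({role})")
    print("Can truthfully answer 'MFA enforced':", underwriter_answer(cov))
```

Run it against a real export on a schedule and keep the output with the date; a report showing zero gaps on the three required systems is the artifact a questionnaire or auditor can accept.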
The downside: it's the control employees feel most directly. Every login takes an extra step. Phones run out of battery and someone can't get into email. A new tablet doesn't have the authenticator app set up yet. The friction is real, and it has to be managed deliberately rather than apologized for.
Sample ends here · §3.4 continues in the full guide