| Security | Craig Evans

Why Every Australian SMB Needs MFA in 2026

Credential theft remains the number one initial access vector in Australian cyber incidents reported to the ACSC. Yet a significant proportion of small and medium businesses still rely solely on passwords to protect email, cloud storage and remote access. In 2026, this is an unacceptable risk.

What the Data Shows

The ACSC's annual cyber threat report consistently identifies phishing and password spraying as the most common attack methods targeting SMBs. Once an attacker holds a valid email address and password, they can sign in to the Microsoft 365 tenancy, SharePoint, OneDrive and any connected SaaS applications, often without triggering a single alert, because to the tenant it looks like an ordinary user logging in.

Multi-factor authentication (MFA) breaks this attack chain. Even with a valid password, an attacker cannot authenticate without the second factor, typically an approval in a mobile authenticator app or a hardware token. One caveat a practitioner should keep in mind: push and one-time-code factors can still be relayed by real-time phishing proxies that capture the signed-in session, so for administrators and other high-value accounts a phishing-resistant method such as a FIDO2 security key or passkey is the stronger choice.

Getting Started with MFA

For businesses already on Microsoft 365, turning on MFA for every account via Security Defaults requires no additional licensing and can be done in under an hour. Microsoft Authenticator is free, works on iOS and Android, and uses number matching (now enforced by Microsoft for all push approvals) so that a user cannot simply tap "Approve" on a prompt they did not initiate, which blunts MFA fatigue attacks.

We recommend enforcing MFA on all user accounts using Conditional Access policies (these require Microsoft Entra ID P1, which is included in Microsoft 365 Business Premium; tenants without it should use Security Defaults instead), prioritising:

  • Global Administrator accounts (immediately)
  • All users accessing email remotely
  • Accounts with access to financial or customer data
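The rollout above, as an added example that is not part of the original post: a PowerShell script using the Microsoft Graph PowerShell SDK that creates two Conditional Access policies, one enforcing MFA for Global Administrators immediately and one for all users in report-only mode, then lists the users who have not yet registered an MFA method. It assumes the Microsoft.Graph module is installed, the operator is a Global Administrator, the tenant has Microsoft Entra ID P1, and that a hypothetical emergency-access account `breakglass@contoso.example` already exists; the policy names and the tenant domain are placeholders.

```powershell
# Added example (not the original post's code). Creates Conditional Access
# policies via the Microsoft Graph PowerShell SDK. Assumes Microsoft.Graph is
# installed, the tenant has Microsoft Entra ID P1, and the hypothetical
# emergency-access account breakglass@contoso.example already exists.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "Directory.Read.All", "AuditLog.Read.All"

# Always exclude an emergency-access ("break glass") account from every policy,
# so that a mistake cannot lock all administrators out of the tenant.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.example'"
if (-not $breakGlass) {
    throw "Create the break-glass account before deploying Conditional Access policies."
}

# Well-known directory role template ID for Global Administrator.
$globalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"

# Policy 1: require MFA for Global Administrators, enforced immediately.
$adminPolicy = @{
    displayName   = "CA001 - Require MFA for Global Administrators"
    state         = "enabled"
    conditions    = @{
        users          = @{
            includeRoles = @($globalAdminRoleId)
            excludeUsers = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminPolicy

# Policy 2: require MFA for all users. Start in report-only mode, review the
# sign-in log to see which sign-ins would have been challenged, then change
# the state to "enabled" once legacy clients and service accounts are sorted.
$allUsersPolicy = @{
    displayName   = "CA002 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $allUsersPolicy

# Check: which users have no MFA method registered yet? These are the people
# who will be forced through registration on their next sign-in once CA002 is
# enabled, and any administrators in this list should be fixed today.
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsAdmin,
                  @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Format-Table -AutoSize
```

Run the registration report before flipping CA002 to "enabled": a policy that requires MFA from a user who has nothing registered will prompt them to register at sign-in, which is fine for staff but will silently break any shared mailbox or service account that signs in non-interactively. Those accounts need either an exclusion with a compensating control or, better, migration to an identity that does not use a password at all.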

Beyond MFA: A Layered Approach

MFA is a critical first step, but it is not a complete security strategy. Electriclatte recommends pairing MFA with regular security awareness training, endpoint protection, and a documented incident response plan. Our cybersecurity team can conduct a gap assessment against the Essential Eight framework and help you prioritise the controls that matter most for your business.