SECURITY
MFA, conditional access, and the unglamorous work of identity.
The single biggest reduction in real-world breach risk for a small business isn't a SIEM or an EDR. It's identity, configured properly, with no exceptions.
Almost every breach we get called in on starts the same way: a credential leaked or got phished, MFA was missing or bypassable, and the attacker logged in like a normal user. The expensive tools downstream — endpoint detection, log aggregation, threat hunting — are mostly there because identity wasn't tight.
Identity is the cheapest control with the highest payoff. It's also the one teams underinvest in because it doesn't have a dashboard worth screenshotting.
MFA is necessary but no longer sufficient
SMS and TOTP MFA are bypassable with off-the-shelf phishing kits. Push-prompt MFA is bypassable with prompt fatigue. The bar in 2026 is phishing-resistant MFA: passkeys, FIDO2 security keys, or platform authenticators with biometrics.
Move executives, finance, and IT admins to phishing-resistant MFA first. They're the highest-value targets and the easiest population to support through the rollout. Then expand outward.
Conditional access is where the real work is
Conditional access policies decide which sign-ins are allowed, from where, on what device, with what factor. A reasonable baseline:
1. Block legacy authentication everywhere. It cannot enforce MFA.
2. Require MFA for all users, not just admins.
3. Require a managed or compliant device for access to email and finance systems.
4. Block sign-ins from countries you don't operate in.
5. Require admin role activation through a privileged access workflow, not standing privilege.
Each of these is a one-line policy. Together they eliminate the majority of credential-stuffing and session-hijacking attacks against a small business.
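To make the baseline concrete, here is an added toy evaluator (not any vendor's policy engine and not code from the original article) that applies the five policies in order to a sign-in and reports which one blocks it. The sign-in fields, the protocol and factor names, the country list, and the "priority users" set that must present a phishing-resistant factor are all assumptions constructed for the example.

```python
"""Toy evaluator for the five-policy conditional access baseline.

Added illustration, not a vendor's policy engine. The sign-in fields,
protocol names, factor names and country list are assumptions made up
for the example.
"""
from dataclasses import dataclass
from typing import Optional

PHISHING_RESISTANT = {"passkey", "fido2", "platform_biometric"}
ANY_MFA = PHISHING_RESISTANT | {"totp", "sms", "push"}
LEGACY_PROTOCOLS = {"imap", "pop3", "smtp_basic", "activesync_basic"}
SENSITIVE_RESOURCES = {"email", "finance"}
OPERATING_COUNTRIES = {"US", "CA"}           # constructed for the example
PRIORITY_USERS = {"ceo", "cfo", "it-admin"}  # first wave of phishing-resistant MFA


@dataclass
class SignIn:
    user: str
    protocol: str                 # "modern" or one of LEGACY_PROTOCOLS
    factor: Optional[str]         # second factor presented, None if password only
    device_compliant: bool
    country: str
    resource: str
    admin_role: bool = False
    role_activated: bool = False  # granted through a privileged access workflow


def evaluate(s: SignIn) -> tuple:
    """Return (allowed, reason); the first failing baseline policy blocks."""
    # 1. Legacy protocols cannot carry an MFA challenge, so block them outright.
    if s.protocol in LEGACY_PROTOCOLS:
        return False, "policy 1: legacy authentication blocked"
    # 2. MFA for every user; priority users must present a phishing-resistant factor.
    if s.factor not in ANY_MFA:
        return False, "policy 2: MFA required"
    if s.user in PRIORITY_USERS and s.factor not in PHISHING_RESISTANT:
        return False, "policy 2: phishing-resistant MFA required for priority users"
    # 3. Email and finance systems require a managed or compliant device.
    if s.resource in SENSITIVE_RESOURCES and not s.device_compliant:
        return False, f"policy 3: compliant device required for {s.resource}"
    # 4. Block countries the business does not operate in.
    if s.country not in OPERATING_COUNTRIES:
        return False, f"policy 4: sign-in from {s.country} blocked"
    # 5. Admin rights only through activation, never standing privilege.
    if s.admin_role and not s.role_activated:
        return False, "policy 5: admin role must be activated, no standing privilege"
    return True, "allowed"


# Constructed sample sign-ins, one per policy plus a clean admin sign-in.
SAMPLES = {
    "legacy_imap": SignIn("alice", "imap", None, True, "US", "email"),
    "password_only": SignIn("bob", "modern", None, True, "US", "wiki"),
    "cfo_sms": SignIn("cfo", "modern", "sms", True, "US", "finance"),
    "byod_email": SignIn("bob", "modern", "totp", False, "US", "email"),
    "abroad": SignIn("bob", "modern", "totp", True, "BR", "wiki"),
    "standing_admin": SignIn("it-admin", "modern", "fido2", True, "US", "wiki",
                             admin_role=True),
    "good_admin": SignIn("it-admin", "modern", "fido2", True, "US", "finance",
                         admin_role=True, role_activated=True),
}


def run_samples() -> dict:
    """Map each sample name to its (allowed, reason) verdict."""
    return {name: evaluate(s) for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_samples().items():
        print(f"{name:15} {'ALLOW' if ok else 'BLOCK':5} {why}")
```

The ordering matters: policy 1 sits first because a legacy-protocol sign-in never reaches an MFA challenge, so checking the factor afterwards would be meaningless.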
The exceptions list is the attack surface
Every conditional access exception — the contractor who can't use a security key, the legacy app that needs a service account, the CFO who's traveling — is a hole. They accumulate quietly until they're the entire reason a policy doesn't actually protect you.
Audit the exceptions list quarterly. Every entry needs an owner, an expiration, and a compensating control. If it doesn't, delete it and let whatever breaks force a real fix.
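The quarterly audit described above can be reduced to a mechanical check. The following is an added example (not tooling from the original article) that lints an exceptions register against the three requirements, owner, expiration, and compensating control, and marks anything that fails, or has already expired, for deletion. The register layout (a list of dicts with these keys) and every entry in it are constructed for illustration.

```python
"""Lint a conditional access exceptions register.

Rule: every entry needs an owner, an expiration and a compensating
control; an entry that fails, or whose expiration has passed, is marked
for deletion. Added example; the register layout and all entries are
constructed, not real accounts or policies.
"""
from datetime import date

# Constructed sample register.
EXCEPTIONS = [
    {"id": "exc-001", "subject": "contractor@example.com",
     "policy": "phishing-resistant MFA", "owner": "it-lead",
     "expires": "2026-09-30",
     "compensating_control": "TOTP plus compliant device, weekly sign-in review"},
    {"id": "exc-002", "subject": "svc-legacy-scanner",
     "policy": "block legacy authentication", "owner": "",
     "expires": "2025-01-31", "compensating_control": "source IP allowlist"},
    {"id": "exc-003", "subject": "cfo@example.com",
     "policy": "country block", "owner": "ciso",
     "expires": "", "compensating_control": ""},
]

REQUIRED = ("owner", "expires", "compensating_control")


def audit_exception(entry: dict, today: date) -> list:
    """Return the problems with one entry; an empty list means it may stay."""
    problems = [f"missing {key}" for key in REQUIRED if not entry.get(key)]
    if entry.get("expires"):
        try:
            if date.fromisoformat(entry["expires"]) < today:
                problems.append(f"expired on {entry['expires']}")
        except ValueError:
            problems.append("unparseable expiration")
    return problems


def audit_register(register: list, today: date) -> dict:
    """Map each exception id to ('keep' or 'delete', list of problems)."""
    result = {}
    for entry in register:
        problems = audit_exception(entry, today)
        result[entry["id"]] = ("delete" if problems else "keep", problems)
    return result


if __name__ == "__main__":
    for exc_id, (verdict, problems) in audit_register(EXCEPTIONS, date.today()).items():
        print(f"{exc_id} {verdict.upper():6} {'; '.join(problems) or 'ok'}")
```

Run it as the first step of each quarterly review; the "delete" rows are the ones to remove, and whatever breaks afterwards is the real fix the text refers to.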