Setting Up Multi-Factor Authentication Across Your Small Business (The Right Way)
Last month a Perth retail business lost access to their entire Microsoft 365 tenant because an employee reused a password from a breached fitness app. No MFA. One stolen credential, and every inbox, every shared file, every customer record was exposed overnight.
They’d had “set up MFA” on the to-do list for eight months. If that sounds familiar, this is your playbook for rolling it out without derailing your week.
Start With Your Priority List
Not all accounts are equal. If you try to protect everything at once, you’ll stall. Here’s the priority order:
Tier 1 — Do this week:
- Email (Microsoft 365 or Google Workspace)
- Accounting and banking software (Xero, MYOB, your bank portal)
- Any admin or IT management accounts
Tier 2 — Do within 30 days:
- Cloud storage (OneDrive, Dropbox, Google Drive)
- CRM systems and remote access tools (VPNs, RDP). Anything reachable from the internet with only a password is an open door, so don't let these drift to the back of the 30 days.
Tier 3 — Do within 90 days:
- Social media accounts
- Domain registrar and DNS management. Whoever controls your DNS can redirect your email and reset passwords on everything else, so pull this forward if the registrar login is shared or weak.
Email and finance first. Always. Those are where the money walks out the door.
Hardware Keys vs Authenticator Apps: What Actually Makes Sense
You’ll read that hardware security keys like YubiKeys are “the gold standard.” They are. They’re also $70-100 per key, they need spares, and your staff will lose them.
Here’s what I recommend:
For admin accounts and anyone with financial authority: Hardware keys (YubiKey 5 series). Buy two per person — one primary, one backup kept in a drawer — and register both keys on every account, because a backup that was never enrolled is just a paperweight when the primary goes missing. Worth the investment for high-value accounts.
For everyone else: Authenticator apps. Microsoft Authenticator or Google Authenticator are both solid and free. For push approvals I prefer Microsoft Authenticator with number matching turned on (it is the default now): the user has to type the number shown on the sign-in screen, which blunts MFA fatigue attacks, where an attacker spams login attempts hoping someone taps "Approve" out of frustration. Google Authenticator only generates one-time codes, so prompt spamming doesn't apply to it, but be clear about the limit of both apps: a phishing page that relays the code or prompt in real time still gets through.
What to avoid: SMS-based codes. SIM-swapping attacks are well-documented in Australia, and some cyber insurers now penalise businesses relying on SMS for MFA. If SMS is your only option for a particular service, it’s still better than nothing — but treat it as temporary.
The Australian Cyber Security Centre's Essential Eight guidance calls for phishing-resistant MFA, which means security keys, passkeys or smart cards, at its higher maturity levels. Authenticator apps are a large step up from SMS, but they are not phishing-resistant: both one-time codes and push prompts can be relayed by an adversary-in-the-middle phishing kit. Hardware keys bind the login to the real site's domain, which is why they sit at the top of the list.
Handling Employee Pushback (Because It Will Happen)
Your staff will complain. MFA adds friction. Some people will be genuinely annoyed, others quietly anxious about new technology. How you handle this determines whether MFA actually sticks.
Before rollout:
- Give at least one week’s notice with a clear email explaining what’s changing and why.
- Be honest: “Our cyber insurer requires this, and it’s the single best thing we can do to prevent a breach.”
- Offer a group setup session. Don’t just email instructions and hope for the best.
During rollout:
- Do it in person or on a video call. Walk through the setup together.
- Have someone available for the first few days to help with lockouts.
- Show people how to use "Remember this device" on their own managed work computers so they're not prompted every login. Never allow it on shared or personal machines; a remembered session on a PC in the back office is a bypass for anyone who sits down at it.
The biggest mistake I see: Business owners who apologise for implementing MFA. Don’t treat it like an imposition. Frame it clearly — this is how modern businesses operate. You lock the office door at night; this is the digital equivalent.
For the holdouts: Share a real incident. The ACS (Australian Computer Society) regularly publishes case studies of SMB breaches. Nothing changes minds like a dollar figure attached to a real local business.
Common MFA Mistakes That Undermine Everything
I see these constantly, even from businesses that think they’ve “done MFA.”
Mistake 1: Only protecting email. Great start, but if your Xero account or CRM doesn’t have MFA, attackers have an easy path to sensitive data. Work through your priority list above.
Mistake 2: No recovery plan. Someone loses their phone on a Saturday morning. Do you know how to verify their identity and reset their MFA? Document this process before you need it, and make the verification step use a channel you already trust (a call back to the mobile number on file, a video call, a manager confirming in person), never details supplied in the request itself. Attackers know the reset desk is often the weakest link and will phone in pretending to be the locked-out employee.
Mistake 3: Forgetting shared accounts. That marketing@ email or social media login shared by three people? Shared credentials without MFA are a favourite target, and they usually can't have MFA because nobody wants to hold the one phone. Convert shared mailboxes into true shared mailboxes with delegated access from individual accounts, and for services that genuinely need one login, put the credential in a password manager with a shared vault so you can see who used it and rotate it when someone leaves.
Mistake 4: Ignoring departing staff. When someone leaves, disable their accounts the same day. Not the same week. The same day. Disabling the password alone is not enough: revoke their active sessions and remove their registered MFA methods as well, otherwise tokens already issued to their phone or laptop keep working until they expire.
Mistake 5: Set and forget. MFA needs to be part of onboarding for new hires and offboarding for departures. Review your MFA coverage quarterly.
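The quarterly coverage review in Mistake 5 and the same-day disable in Mistake 4 are both things a Microsoft 365 tenant lets you do from a script rather than by clicking through every user. The following is an added example written for this article, not code from Microsoft or from the original post. It assumes the Microsoft Graph PowerShell SDK is installed (`Install-Module Microsoft.Graph`), that the cmdlet and property names match the current SDK (`Get-MgReportAuthenticationMethodUserRegistrationDetail`, `Update-MgUser`, `Revoke-MgUserSignInSession`), and that the method names in the two lists are what the registration report returns in your tenant; check them against your own output before trusting the findings. The audit needs a role that can read the registration report (Reports Reader is enough); the offboarding function needs User Administrator or higher.

```powershell
# Added example (not from the article): quarterly MFA coverage audit plus
# same-day offboarding for a Microsoft 365 / Entra ID tenant.
# Assumes: Install-Module Microsoft.Graph -Scope CurrentUser
#          Reports Reader (audit) and User Administrator (offboarding) roles.

# Method names as they appear in the Entra registration report. Treat these
# lists as an assumption and compare them with what your tenant actually returns.
$PhishingResistant = @('fido2', 'passKeyDeviceBound', 'windowsHelloForBusiness',
                       'microsoftAuthenticatorPasswordless')
$PhoneBased        = @('mobilePhone', 'alternateMobilePhone', 'officePhone')

function Get-MfaCoverageReport {
    # One row per user: what is registered and how it rates against the
    # article's priority order (admins on phishing-resistant methods, nobody
    # SMS-only, nobody unregistered). Read-only scopes only.
    Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome
    $details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

    foreach ($d in $details) {
        $methods  = @($d.MethodsRegistered)
        $strong   = @($methods | Where-Object { $PhishingResistant -contains $_ })
        $nonPhone = @($methods | Where-Object { $PhoneBased -notcontains $_ })

        [pscustomobject]@{
            User              = $d.UserPrincipalName
            IsAdmin           = $d.IsAdmin
            MfaRegistered     = $d.IsMfaRegistered
            Methods           = ($methods -join ', ')
            PhishingResistant = ($strong.Count -gt 0)
            # Registered something, but every method is SMS or a voice call.
            SmsOrVoiceOnly    = (($methods.Count -gt 0) -and ($nonPhone.Count -eq 0))
        }
    }
}

function Show-MfaFindings {
    param([Parameter(Mandatory)][object[]]$Report)

    # Out-Host forces each table to render before the next heading prints.
    Write-Host 'Admins without a phishing-resistant method (fix these first):'
    $Report | Where-Object { $_.IsAdmin -and -not $_.PhishingResistant } |
        Format-Table User, Methods -AutoSize | Out-Host

    Write-Host 'Users with no MFA registered at all:'
    $Report | Where-Object { -not $_.MfaRegistered } |
        Format-Table User -AutoSize | Out-Host

    Write-Host 'Users relying only on SMS or voice (move them to an app or key):'
    $Report | Where-Object { $_.SmsOrVoiceOnly } |
        Format-Table User, Methods -AutoSize | Out-Host
}

function Disable-DepartedUser {
    # Mistake 4: disable the same day. Blocking sign-in alone leaves tokens that
    # were already issued valid until they expire, so revoke sessions as well.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome
    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
    Write-Host "Sign-in blocked and sessions revoked for $UserPrincipalName"
}

# Quarterly run. Keep the CSV: it is the evidence your insurer will ask for.
$report = Get-MfaCoverageReport
Show-MfaFindings -Report $report
$report | Export-Csv -Path ".\mfa-coverage-$(Get-Date -Format 'yyyy-MM-dd').csv" -NoTypeInformation

# On a leaver's last day (hypothetical address):
# Disable-DepartedUser -UserPrincipalName 'leaver@example.com.au'
```

The two functions connect with different scopes on purpose: the audit is read-only and should run under a read-only role, and only the offboarding step needs write access. Put the quarterly run in your calendar and diff this quarter's CSV against the last one; new hires with nothing registered and admins who dropped back to SMS are the two changes you are looking for.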
The Bigger Security Picture
MFA is one piece of a broader security posture, but it gives you the most protection for the least cost. Multi-factor authentication is one of the ACSC's Essential Eight mitigation strategies in its own right, sitting alongside application control, patching and restriction of admin privileges for layered defence.
If you’re also looking at AI-powered security monitoring, firms like AI consultants Sydney can help you evaluate which tools actually make sense for your size. Not every business needs a full SIEM platform, but understanding your options is worth the conversation.
Just Get It Done
You don’t need to do everything at once. Start with Tier 1 — email and finance. Spend an hour this week getting authenticator apps set up on those critical accounts. That single step will stop the vast majority of credential-based attacks dead.
Perfect security doesn’t exist. But an hour of mild inconvenience now beats explaining to clients why their data ended up on a dark web marketplace.
Open your admin panel. Enable security defaults in Microsoft 365, or enforce 2-Step Verification for every user in Google Workspace. Start today.